Manual SA
The Manual Security Association (SA) IPsec policy scenario allows callers to bypass the built-in IPsec keying modules (IKE and AuthIP) by directly specifying IPsec SAs to secure any network traffic.
An example of a possible Manual SA scenario is "Add an IPsec SA pair to secure all unicast data traffic between IP addresses 1.1.1.1 & 2.2.2.2, except ICMP, using IPsec transport mode."
Note
The following steps must be executed on both machines with IP addresses appropriately set.
To implement this example programmatically, use the following WFP configuration.
Add a filter with the following properties.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast FWPM_CONDITION_IP_LOCAL_ADDRESS The appropriate local address (1.1.1.1 or 2.2.2.2). FWPM_CONDITION_IP_REMOTE_ADDRESS The appropriate remote address (1.1.1.1 or 2.2.2.2). action.type FWP_ACTION_CALLOUT_TERMINATING action.calloutKey FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V{4|6} Exempt ICMP traffic from IPsec by adding a filter with the following properties.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast FWPM_CONDITION_IP_PROTOCOL filtering condition **IPPROTO_ICMP{V6}**These constants are defined in winsock2.h. action.type FWP_ACTION_PERMIT weight FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS Add a filter with the following properties.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast FWPM_CONDITION_IP_LOCAL_ADDRESS filtering condition The appropriate local address (1.1.1.1 or 2.2.2.2). FWPM_CONDITION_IP_REMOTE_ADDRESS filtering condition The appropriate remote address (1.1.1.1 or 2.2.2.2). action.type FWP_ACTION_CALLOUT_TERMINATING action.calloutKey FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V{4|6} Exempt ICMP traffic from IPsec by adding a filter with the following properties.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast FWPM_CONDITION_IP_PROTOCOL filtering condition **IPPROTO_ICMP{V6}**These constants are defined in winsock2.h. action.type FWP_ACTION_PERMIT weight FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS - Call IPsecSaContextCreate0, with the outboundTraffic parameter containing the IP addresses as 1.1.1.1 & 2.2.2.2, and ipsecFilterId as the LUID of the outbound transport layer IPsec callout filter added above.
- Call IPsecSaContextGetSpi0, with the id parameter containing the context ID returned from IPsecSaContextCreate0, and the getSpi parameter containing the IP addresses as 1.1.1.1 & 2.2.2.2, and ipsecFilterId as the LUID of the inbound transport layer IPsec callout filter added above. The returned SPI value is meant to be used as the inbound SA SPI by the local machine and as the outbound SA SPI by the corresponding remote machine. Both machines must use some out-of-band means to exchange the SPI values.
- Call IPsecSaContextAddInbound0, with the id parameter containing the context ID returned from IPsecSaContextCreate0, and the inboundBundle parameter describing the properties of the inbound SA bundle (such as the inbound SA SPI, transform type, algorithm types, keys, etc).
- Call IPsecSaContextAddOutbound0, with the id parameter containing the context ID returned from IPsecSaContextCreate0, and the outboundBundle parameter describing the properties of the outbound SA bundle (such as the outbound SA SPI, transform type, algorithm types, keys, etc).
At FWPM_LAYER_INBOUND_TRANSPORT_V{4|6} setup inbound per-packet filtering rules
At FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6} setup outbound per-packet filtering rules
Setup inbound and outbound security associations
Related topics
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for