Manual SA

The Manual Security Association (SA) IPsec policy scenario allows callers to bypass the built-in IPsec keying modules (IKE and AuthIP) by directly specifying IPsec SAs to secure any network traffic.

An example of a possible Manual SA scenario is "Add an IPsec SA pair to secure all unicast data traffic between IP addresses 1.1.1.1 & 2.2.2.2, except ICMP, using IPsec transport mode."

Note: The following steps must be executed on both machines, with the IP addresses set appropriately for each side.

To implement this example programmatically, use the following WFP configuration.

At FWPM_LAYER_INBOUND_TRANSPORT_V{4|6}, set up inbound per-packet filtering rules

  1. Add a filter with the following properties.

     Filter property                                     Value
     FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition   NlatUnicast
     FWPM_CONDITION_IP_LOCAL_ADDRESS filtering condition        The appropriate local address (1.1.1.1 or 2.2.2.2).
     FWPM_CONDITION_IP_REMOTE_ADDRESS filtering condition       The appropriate remote address (1.1.1.1 or 2.2.2.2).
     action.type                                                FWP_ACTION_CALLOUT_TERMINATING
     action.calloutKey                                          FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V{4|6}

  2. Exempt ICMP traffic from IPsec by adding a filter with the following properties.

     Filter property                                     Value
     FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition   NlatUnicast
     FWPM_CONDITION_IP_PROTOCOL filtering condition             IPPROTO_ICMP{V6} (these constants are defined in winsock2.h)
     action.type                                                FWP_ACTION_PERMIT
     weight                                                     FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS

At FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6}, set up outbound per-packet filtering rules

  1. Add a filter with the following properties.

     Filter property                                     Value
     FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition   NlatUnicast
     FWPM_CONDITION_IP_LOCAL_ADDRESS filtering condition        The appropriate local address (1.1.1.1 or 2.2.2.2).
     FWPM_CONDITION_IP_REMOTE_ADDRESS filtering condition       The appropriate remote address (1.1.1.1 or 2.2.2.2).
     action.type                                                FWP_ACTION_CALLOUT_TERMINATING
     action.calloutKey                                          FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V{4|6}

  2. Exempt ICMP traffic from IPsec by adding a filter with the following properties.

     Filter property                                     Value
     FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition   NlatUnicast
     FWPM_CONDITION_IP_PROTOCOL filtering condition             IPPROTO_ICMP{V6} (these constants are defined in winsock2.h)
     action.type                                                FWP_ACTION_PERMIT
     weight                                                     FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS

Set up inbound and outbound security associations

  1. Call IPsecSaContextCreate0, with the outboundTraffic parameter containing the IP addresses 1.1.1.1 & 2.2.2.2 and ipsecFilterId set to the LUID of the outbound transport layer IPsec callout filter added above.
  2. Call IPsecSaContextGetSpi0, with the id parameter containing the context ID returned from IPsecSaContextCreate0, and the getSpi parameter containing the IP addresses 1.1.1.1 & 2.2.2.2 and ipsecFilterId set to the LUID of the inbound transport layer IPsec callout filter added above. The returned SPI value is meant to be used as the inbound SA SPI by the local machine and as the outbound SA SPI by the corresponding remote machine. Both machines must use some out-of-band means to exchange the SPI values.
  3. Call IPsecSaContextAddInbound0, with the id parameter containing the context ID returned from IPsecSaContextCreate0, and the inboundBundle parameter describing the properties of the inbound SA bundle (such as the inbound SA SPI, transform type, algorithm types, and keys).
  4. Call IPsecSaContextAddOutbound0, with the id parameter containing the context ID returned from IPsecSaContextCreate0, and the outboundBundle parameter describing the properties of the outbound SA bundle (such as the outbound SA SPI, transform type, algorithm types, and keys).

Related topics

Sample code: Manual SA Keying
Built-in Callout Identifiers
Filtering Layer Identifiers
FWPM_ACTION0
