Need help with Manual IPSec SA usage

  • Hi,

    I am currently trying to utilise Windows Filtering Platform (WFP) for the purposes of setting up some manual SAs.

    I guess the first thing would be to get confirmation that WFP is the right approach for me...

    A summary of what I am trying to do is the following:


    Two peer nodes are required to communicate using IPSec. Each peer must establish two IPsec-secured ports (i.e.
    each peer will maintain two IPSec security associations (SAs)).

    The signalling to exchange authentication credentials and integrity and ciphering keys must all be done out-of-band (OOB) of
    IPSec (i.e. must not use IKE). Each peer (having received the parameters OOB) should locally create the two IPSec SAs.

    My Thoughts

    Given that IKE must not be used for parameter exchange etc. and various parameters (keys, SPI etc.) are transferred OOB, this
    seems like a prime candidate for manual SA establishment, and thus WFP. Can you confirm I am correct in thinking this?


    Assuming that WFP is the correct approach, I am struggling greatly in trying to set up a simple test environment for this.

    Firstly I played with the MMC IP Policy snap-ins for specifying policy, filter lists and actions etc. and verified how to get a
    basic pre-shared-key setup working between two Windows 7 systems for ICMP traffic. This worked okay and I could see that IKE was being triggered to perform Main Mode (MM) and Quick Mode (QM) procedures (and ultimately could see both the IKE SA and IPSec SA establishment details in the MMC console).

    I then started with the sample for Manual SA Keying found at: http://msdn.microsoft.com/en-us/library/bb451820(VS.85).aspx

    From this I wrote a basic driver program and extended some of the conditions on the filters etc. to better resemble my requirements.

    I can see when running my driver program that the IPSec SA is added (and can be seen in MMC under the Quick-Mode Security Associations).

    However, it seems that this association is not used when IP traffic is transferred.

    Essentially I started without any explicit active policies set in MMC, so that in effect all of the IPSec entries were completely empty
    with the exception of the manual IPSec SA added by the sample code; however, this results in the ICMP ping (test data) being sent "plain".

    I have since understood that there must essentially be entries in the SPD as well as the SAD (IPSec SA) entry for the protocol stack to decide to provision security on the outbound traffic. However, when I add and activate a policy within MMC and attempt to send the test packets, IKE is triggered and proceeds to establish both an IKE SA and an additional IPsec SA (in addition to the manually keyed one).

    It seems like there is some sort of linkage between SPD and SAD that is missing and is required to avoid the IKE MM establishment taking place.

    It seems like the SABundle associated with the manually keyed IPSec SA can have an associated main-mode SA (mmSaId); however, this presumes that a MM SA has already been established, i.e. it does not link to a policy definition but to a previously established IKE SA. Since I have no established IKE SA, I do not understand how to achieve the linkage between the SPD and SAD that is required for traffic to utilise my manual IPSec SA?

    Out of curiosity, I also tried using IKE to establish a MM/IKE SA, then used the enumeration function in WFP to retrieve the mmSaId of this association, which I then populated the saBundle of my manual IPSec SA with. However, when sending test traffic the Windows protocol stack still proceeded to perform Quick-Mode establishment of a separate IPSec SA, and did not utilise my manually configured SA...

    Could you provide some guidance on the linkage which I am missing?

    Also, it seems as though filters which are added programmatically by WFP are not visible in the MMC, and furthermore that the IPSec SA that is manually established contains an empty string in the "Negotiation Policy" field in MMC, which I presume is where my linkage is missing.

    Can WFP add full policy definitions manually/programmatically, or must these be added via MMC or netsh etc.?

    Any assistance you can provide on this would be greatly appreciated.


    Thursday, October 6, 2011 5:51 PM

All replies

  • Can anyone help me with this?... I'm still somewhat stuck and would very much appreciate feedback/suggestions.



    Tuesday, October 18, 2011 4:16 PM
  • Yes, WFP and using manual SAs is the way to go.  I have forwarded this on to our IPsec manual SA expert, and would expect to hear back shortly.

    You can currently use NetSh.exe and the AdvFirewall snap-in to configure IPsec policy.  In Win8 this will be extended to WMI and PowerShell.

    WF only shows filters and objects created from WF.  In order to see other objects, you would need to either write your own utility, or use "NetSh.exe WFP Show State".  The NetSH command will provide you with an xml file containing all WFP objects currently residing on the machine.




    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Tuesday, October 18, 2011 7:15 PM
  • Thanks Dusty - it's good to get confirmation that I'm on the right track. I look forward to hearing from your manual SA expert.

    Regarding the object display in WF and/or MMC... I guess I just figured that since I can observe my manual SAs created via WFP from within MMC under the quick-mode associations, my natural assumption was that I would also see the filters etc. that were added via WFP... seems (as usual) assumptions are a dangerous beast... again many thanks, and I look forward to further update(s).

    Tuesday, October 18, 2011 7:46 PM
  • Hi Dusty,

    Does the manual SA expert have any updates to share on my problems?





    Monday, November 7, 2011 7:57 AM
  • I received the following response:

    "should just be using the sample to add the filters, and not trying to mix netsh policies with manual SAs, IMO. If traffic is bypassing his filters, perhaps there are other filters on the box that are affecting things."

    Can you confirm no other filters are getting in your way?

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    Monday, November 7, 2011 6:29 PM
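    One way to check the "other filters on the box" question raised above, as an added example that is not part of this thread or of the MSDN manual-SA sample: a PowerShell function that dumps WFP state with "netsh wfp show state" (as Dusty suggests) and lists every filter on the transport layers the manual-SA sample installs its filters on, so filters from other providers on those layers are visible. The XML element names (filters/item, displayData/name, layerKey, subLayerKey, providerKey, action/type, filterId) and the function name are assumptions; adjust the XPath if your wfpstate.xml differs.

```powershell
# Added example, not code from the thread or the MSDN sample.
# Assumption: wfpstate.xml exposes each filter as filters/item with the child
# elements displayData/name, layerKey, subLayerKey, providerKey, action/type
# and filterId. Run from an elevated prompt (netsh wfp needs admin rights).
function Get-WfpTransportFilters {
    param(
        [string]$StateFile = (Join-Path $env:TEMP 'wfpstate.xml')
    )

    # netsh writes the full WFP object dump (filters, callouts, sublayers...)
    # to the given file; the console output itself is not needed.
    netsh wfp show state file="$StateFile" | Out-Null
    [xml]$state = Get-Content -Path $StateFile -Raw

    # Layers on which the manual-SA sample registers its IPsec callout filters.
    $transportLayers = @(
        'FWPM_LAYER_INBOUND_TRANSPORT_V4', 'FWPM_LAYER_OUTBOUND_TRANSPORT_V4',
        'FWPM_LAYER_INBOUND_TRANSPORT_V6', 'FWPM_LAYER_OUTBOUND_TRANSPORT_V6'
    )

    $state.SelectNodes('//filters/item') |
        Where-Object { $transportLayers -contains $_.layerKey } |
        ForEach-Object {
            [pscustomobject]@{
                FilterId  = $_.filterId
                Name      = $_.displayData.name
                Layer     = $_.layerKey
                SubLayer  = $_.subLayerKey
                Provider  = $_.providerKey
                Action    = $_.action.type
                # Callout actions hand the packet to the IPsec callouts; a plain
                # PERMIT/BLOCK from another provider on the same layer is worth
                # a closer look when traffic leaves the box unprotected.
                IsCallout = ($_.action.type -like 'FWP_ACTION_CALLOUT*')
            }
        } | Sort-Object Layer, IsCallout
}

Get-WfpTransportFilters | Format-Table -AutoSize
```

    The manual-SA sample's own filters should appear with a callout action on the sample's sublayer; any non-callout filter from a different provider on the same layers is a candidate for the interference the expert's reply mentions.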
  • Hi Dusty,

    I confirmed that I do not have any policies/rules or filterlists/filters defined via netsh or mmc when performing the test using the WFP code.

    After the WFP code adds the security associations, if I use netsh I can see that the manual association has been added. However if I try ping or FTP to the target address of the SA (from the source address as associated to the SA) the datagrams do not undergo IPSec protection and are sent plain...

    FYI, I realise the following is probably a naive question, however I should ask anyway in case I'm doing something silly/unsupported... If the manual SA is added via WFP as part of a running application X, does the manual SA apply outwith that application, i.e. whilst application X has added the security association, does the manual SA apply also to traffic transmitted from application Y? My assumption is that it does... can you confirm this is a correct understanding? I assume this because if the receive port associated with an inbound filter is wild-carded then potentially a receive port is in use by a different application etc.?

    For reference here is the output from netsh after the associations have been added.

    C:\windows\system32>netsh ipsec dynamic show all

    No currently assigned Policy
    Mainmode Policies not available.
    Quickmode Policies not available.
    Generic Mainmode Filters not available.
    Specific Mainmode Filters not available.
    Generic Quickmode Filters not available.
    Specific Quickmode Filters not available.
    IPsec MainMode Security Associations not available.

    Quick Mode SAs

    Transport Filter
    Source Address         :
    Destination Address    :
    Protocol               : ANY
    Source Port            : 0
    Destination Port       : 0
    Direction              : Outbound
    Offer Used
      AH(b/r)   ESP Con(b/r) ESP Int  PFS DH Group
    ---------- ------------- -------  ------------
      None       3DES(24/0 )  SHA1    <Unassigned>

    IPsec Configuration Parameters
    StrongCRLCheck         : 1
    IPsecexempt            : 3

    IPsec Statistics
    Active Assoc                : 1
    Offload SAs                 : 0
    Pending Key                 : 0
    Key Adds                    : 1
    Key Deletes                 : 0
    ReKeys                      : 0
    Active Tunnels              : 0
    Bad SPI Pkts                : 0
    Pkts not Decrypted          : 0
    Pkts not Authenticated      : 0
    Pkts with Replay Detection  : 0
    Confidential Bytes Sent     : 0
    Confidential Bytes Received : 0
    Authenticated Bytes Sent    : 0
    Authenticated Bytes Received: 0
    Transport Bytes Sent        : 0
    Transport Bytes Received    : 0
    Bytes Sent In Tunnels       : 0
    Bytes Received In Tunnels   : 0
    Offloaded Bytes Sent        : 0
    Offloaded Bytes Received    : 0


    Tuesday, November 8, 2011 6:45 AM
  • Any takers?
    Monday, November 21, 2011 8:28 AM

  • It's been a while since this question was asked. Still, the documentation around this topic is sparse.

    Did you get it all working zoobloik2? I am trying to achieve something similar.

    Thursday, August 31, 2017 2:22 PM