Manual SA in Tunnel Mode

  • Question

  • Is it possible to manually create Security Associations for Tunnel Mode in WFP? Do you have any sample code for this?

    Wednesday, July 18, 2012 10:21 PM

Answers

  • Creating manual SAs for Tunnel Mode is currently not supported, and there are no immediate plans to change this.

    Probably not the answer you wanted to hear, but hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, July 18, 2012 10:53 PM
    Moderator

All replies

  • Thanks for the quick response. The documentation and definition of the IPSEC_TRAFFIC(1) structure imply that it is supported by setting trafficType to IPSEC_TRAFFIC_TYPE_TUNNEL and allowing a tunnelPolicyId to be specified for this traffic type, but I could not successfully create the SA, so I suspected it might not be supported.

    Thursday, July 19, 2012 12:41 PM
  • Hi Dusty,

    I'm trying to evaluate WFP in terms of its IPsec support for a project I'm working on, and one of the requirements is to be able to set up Manual SAs in Tunnel mode. There seems to be conflicting information regarding this. Your answer above clearly says that it isn't supported. However, this thread seems to suggest that it is possible to set up Manual SAs in tunnel mode:

    http://social.msdn.microsoft.com/Forums/en-US/wfp/thread/bcf5963a-d6bc-4eb4-af0a-493993673dfa/

    Would someone please clarify?

    Thank you!

    Thursday, October 11, 2012 12:33 AM
  • As I stated, this is not supported. That is not to say one couldn't get it to work, but the time and effort involved would be significant. These are a couple of the hurdles you'd need to overcome:

    • There are currently no notifications provided to inform you when to bring the tunnel up and when to tear it down.
    • When using FwpmIPsecTunnelAdd, policy for both transport and control (IKE / AUTHIP) is added. You are interested in only the transport policy, as the control policy is dictated by your manual keys. We do not offer a means to decouple this, so you would essentially need to reverse engineer all the policy this API call makes and duplicate the necessary items for your own means.

    If this is a must for you, you can always contact Microsoft's Product Support and make a feature request.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Thursday, October 11, 2012 6:48 PM
    Moderator
  • Is it supported in recent releases?
    Friday, October 18, 2019 5:50 AM