Help and Support
 

powered byLive Search

"Soft Associations" Between IPSec-Enabled and Non-IPSec-Enabled Computers

View products that this article applies to.
Article ID:234580
Last Review:February 23, 2007
Revision:3.2
This article was previously published under Q234580
On This Page

SUMMARY

This article describes how to allow or prevent communication between secure and unsecured computers.

The IP Security (IPSec) Policy's negotiation policy can either allow or disallow unsecured traffic. When two computers that support IPSec communicate with each other, they establish security associations that are determined through negotiation of the Internet Security Association and Key Management Protocol (ISAKMP) and IPSec Policy rules. If either of two computers does not support IPSec, they must communicate without security, which is called a "soft association". Downlevel clients do not support IPSec communication and cannot communicate unless soft associations are permitted.

Back to the top

MORE INFORMATION

IPSec-Aware Computers Trying to Communicate with Non-IPSec-Aware Computers

The initiating computer sends an ISAKMP request to the non-IPSec-aware computer and receives a "destination unreachable" response back from the responding computer. This is because the non-IPSec-aware computer cannot send or receive ISAKMP messages using UDP port 500. The ISAKMP message gets to the client, but the client does not "understand" the packet.
The initiating computer attempts this four times.
The IPSec policy can allow unsecured communications by making a soft association with the remote computer. A soft association tells the IPSec driver to use no security between the two addresses and sets the security operation for that security association to None, which allows unsecured packets to be transmitted across the wire.

Back to the top

Non-IPSec-Aware Computer Trying to Communicate with IPSec-Aware Computer

The non-IPSec computer initiates communication by sending an unsecured packet to the IPSec-aware computer. The IPSec-aware computer contains rules for responding as well as initiating as stated above. If the inbound packets match an IP filter, the associated filter actions are followed. The IPSec computer sends an ISAKMP request for security association negotiation to the non-IPSec-aware computer. The IPSec computer can raise the security level if possible, but the non-IPSec-aware computer cannot do so.
The responding IPSec-aware computer attempts to negotiate four times, but the initiator cannot reply to any of the attempts.
The IPSec-aware computer then checks its security policy to set up a soft association if allowed, or it ignores the incoming insecure packets. If the policy does not allow unsecured communication, the IPSec computer can only communicate with other IPSec computers. The more tightly secured the communications are, the more resource intensive the communication becomes. If the policy does allow unsecured communication, soft associations are allowable. This is less secure and less resource intensive.

Back to the top

APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Datacenter Server

Back to the top

Keywords: 
kbenv kbinfo KB234580

Back to the top

Article Translations

 

Related Support Centers

Other Support Options

  • Need More Help?
    Contact a Support professional by E-mail, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.