IPsec Windows Vista ?????? ??? 1 ???, Windows Server 2008 ???, ?? Windows 7 ??? ????? ??? ?? ?? ??????????????? ?????????? ???? B ?? ??? ?????? ?? ?????

???? ?????? ???? ??????
???? ID: 949856 - ?? ???????? ?? ?????? ??? ?? ?? ???? ???? ???? ??.
??? ?? ??????? ???? | ??? ?? ??????? ????

?? ????? ??

?????

?? ???? Windows Vista 1 (SP1) ?? Windows Server 2008 ??? ????? ??? ?? ?? ??????????????? ?????????? ???? B ?? ??? ?????? ?? ????? ???? ??? B ???? ?? ?? ???? ?????? ??????? ????? ????????? ??????? Agency (NSA) ?? ???????? ??? ??????????????? ?????????? ?? ???

B ???? ????????? ???? ?? ??????? ?? ??? ????? interoperable ??????????????? ????? ?? ??? ??? ??? ????? ????????? ?? ??? ???? B ?????????? ?? ?????? ?? ????????? ???? ??? ??:
  • ????? ???
  • ?????? ???
  • ?????????? ??????
?? ???? ?? ??????? ????????? (IPsec) ??????? ???? ??????????? ???????? ???? B ?????????? ?? ????? ???? ?? ?? ????? ???

???? ???????

?????? ??????

??? B ?? ??? ?????? ?????? ??? ????? ????? ???:
  • ??????? ?? ???? B ?????????? ?? ????? ???? IPsec ???? ?? ???????? ??? ??????? ?? ???? Windows Vista 1 (SP1), Windows Server 2008 ???, ?? Windows ?? ??? ?? ????????? ????
  • ??? B ?????????? ??? ??????? ?? authoring "Windows ???????? ?? ????? ???????" Microsoft ??????? ????? (MMC) ?????-?? Windows 7 ?? ??? ?? Windows ?? ??? ?? ????????? ?? ??? ?????? ??????? ???
  • ??Netsh advfirewall ??????? ???? ???? B ?????????? ?? ??? ??????????? ?????? ????????? ???? ??? ?? ???? Windows Vista SP1 ?? ???? ???? ???

?????????

  • B ???

    B ???? ??? ?????? ????????? ??????? Agency (NSA) ??? ????????? ??? ?????? ?? ?? ??? ??? B ???? ???????? ?? ??????? ????? ?? ?????? ?????????? ?? ??????? ?????? ?? ??? ???? ????? ?? ??? ????? ???? ?? ???? ?? ??????????????? ?????????? ?? ?? ??????? ??? ?? ?????? ?? ?????? ????? ??? B ???? ?????????? ?? ????? ?????? ?? ???????? ??? ????? ???:
    • ?????? ??????
    • ???????????
    • ????? ??????
    • ?????? ?????????
  • Federal ??????? ?????? ???? (FIPS)

    FIPS, ????????????? ?? federal ?????????? ?????? govern ?????? ?? ?? ??? ??? ??? ???? B ?????????? FIPS ???????? ????

    ???? ??????? ?? ???, ????? ??? ???? ?? ????::
    HTTP://www.itl.nist.gov/fipspubs/geninfo.htm
  • NIST

    ?? ????????? ?????? ?? ???? ?? ???????????? ?? ??? ??? acronym ???
  • ???? ??????? ??????????

    ????????? ???? ?? ??????? ???? ???? ?? ??? ??? ?? ???? transit ??? ?? ???? ??????? ?????????? ????? hashes ?? ????? ?????
  • ???? ??????????? ??????????

    ???? ??????????? ?????????? ???????? ???? ?? ??? ?? ?? ??????? ?? ?????? ?? ??? ????? ???? ???? ??? ??????????? ?????????? ?? ???? ??? ??? ?????? ???? ?? ??? ?? ????? ??? ?? ??? ????? ???? ???? ???

    ?????? ?? ??? ??????????? ?????????? ciphertext ???? ?? ??? ???? ??? ?????? ?? ???? ???? ??? ???? ??? ?? ??? ciphertext ????? ?? ?? ???? ???? ???????? ?????????? ??????? ???? ???? ?? ??? ??? "?????" ?? ????? ???? ??? ????? ?? ?????? ?? ????? ?? ????? ?? ????? ???? ?? ??? ?? ?? ?????????? ???????
  • IPsec

    ?? ?? "??????? ????????? ???????." ?? ??? ??? abbreviation ??

    IPsec ?? ???? ??? ???? ??????? ?? ??? ????? Microsoft ??? ???? ?? ????:
    HTTP://TechNet.Microsoft.com/en-us/Network/bb531150.aspx
  • ??????????? ???? Galois ????? ??????? ??? (AES-GMAC) ????? ????

    ?? ?????????? NIST ????? ??????? ??? ????? ???? ??? ?? 800-38 ??? ?? ???????? ?? ????? ?? ??? ????? ??? ???? ?? ????:
    HTTP://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.PDF
  • ????? ??????????? ???? ??? Galois/?????? ??? (AES-GCM)

    ?? ?????????? NIST ????? ??????? ??? ????? ???? ??? ?? 800-38 ??? ?? ???????? ?? ????? ?? ??? ????? ??? ???? ?? ????:
    HTTP://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.PDF
  • Elliptic ???? ?????? ????????? ?????????? (ECDSA)

    Elliptic ???? (EC) ?? ?? variant EC ?????? ?? operates ?????? ????????? ?????????? ?? ??? EC variant ???? ??????? ???? ?? ??? ???? ????? ???? ?? ?????? ????? ???

    ?? ?????????? FIPS ??????? 186 2 ??? ????? ???? ??? ??? ?? ??????? ?? ????? ?? ??? ????? ??? ???? ?? ????:
    HTTP://csrc.nist.gov/publications/fips/Archive/fips186-2/fips186-2.PDF
  • ?????????? ?????????? (CA)

    ??? ?????????? ??????????, ?? ?????? ?????? ???? issues ???? ???? ??? IPsec ???? ?????????? ???? ?? ??? ??? ?? ?????? ???? ????? ?? ???? ???
  • ??????? ????? ??? (AH)

    ??????? ????? ??? ??? ???? ????? ?? ??? ???????, ??????? ?? anti-replay ??????????? ?????? ????? ?? ?? IPsec ????????? ??? ????? ????? IP ????? ??? ?? ???? payload ???

    AH ???????? ?????? ???? ?????? ???? ???? ?? ?? ?? AH ???? ?? ?????????? ????? ???? ????? ????? ??, ????? ??? ???? ????? ???? ???
  • Encapsulating ??????? ??????? (ESP)

    ESP ?? ????????, ??????????, ??????? ?? anti-replay ??????????? ?????? ????? ?? ?? IPsec ????????? ??? ESP alone ????? ???? ?? ???? ??, ?? ??? AH ?? ??? ????? ???? ?? ???? ???

????? ??? ??????????

Windows Vista SP1 ?? Windows Server 2008 ???, ????? ??????? ?????????? Windows Vista ?? ?????? ??????? ??? ???? ?? ?? ??????? ??? ?? ?? ?????????? ?? ????? ??????? ???:
  • SHA-256
  • SHA 384
???:????? ?????? ?????????? ?? ??????????? ?????????? ????????? ???? ????

?????? ??? ??????????

Windows Vista SP1 ?? Windows Server 2008 ???, ????? ?????????? Windows Vista ?? ?????? ??????? ??? ???? ?? ?? ??????? ??? ?? ?? ?????????? ?? ????? ??????? ????

?????? ?????? (AH ?? ESP)

  • SHA-256
  • AES-GMAC-128
  • AES-GMAC-192
  • AES-GMAC-256

?????? ?????? ?? ??????????? (???? ESP)

  • AES-GCM-128
  • AES-GCM-192
  • AES-GCM-256
??????? ?? ??????? ???? ??? ?? AH ?? ESP ?????? ?? ???? ??? ???? ??????? ?? ??? ????? "?????? ??? ???????????????? ????????? ?????? ??????? ?? ??????? ???? ??? ??" ????

?????? ??? ?? ??? ????????

  • ?? ?? ??????? ?????????? ?? AH ?? ESP ?? ??? ????? ???? ???? ??????
  • AES GMAC ?????????? ?? ??????????? ?? ??????? ?????????? ?? ??? ?????? ???? ?????, ??? ??? ?? ?? ?????????? ESP ????? ?? ??? ????????? ???, ?? ??????????? ????????? ???? ????????? ?????
  • ??? ?? ???? AES GCM ?????????? ?? ????? ??? ?????????? ESP ??????? ?? ??????????? ?? ??? ????????? ???? ???? ??????

???????

Windows Vista SP1 ?? Windows Server 2008 ???, ????? ??????? ???? ??? Windows Vista ?? ?????? ??????? ???? ?? ?? ??????? ??? ?? ?? ??????? ??????? ?? ????? ??????? ????
  • ???????? ?? ??? ECDSA P256 ????????? ?????? ????
  • ???????? ?? ??? ECDSA P384 ????????? ?????? ????
???:Windows Vista ?? ??? ??????? ?????????? ???? ?? RSA SecurId ??????? ???

???????? ?? ??????

?? ??? ?? ????? ???? ?? ??? ???????? ?? ????? ???? ??Netsh advfirewall???? ????? ?? ??? ?? ??????? ??????? ?????? ?? ??????? ???? ?? ???? ?? ??? ?? ?????? ????? ?? ?? ??????Netsh advfirewall?????

??? ??????? ??????? ???? ??????

Netsh advfirewall
Usage: add rule name=<string>
      endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>
      endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>
      action=requireinrequestout|requestinrequestout|
         requireinrequireout|noauthentication
      [description=<string>]
      [mode=transport|tunnel (default=transport)]
      [enable=yes|no (default=yes)]
      [profile=public|private|domain|any[,...] (default=any)]
      [type=dynamic|static (default=static)]
      [localtunnelendpoint=<IPv4 address>|<IPv6 address>]
      [remotetunnelendpoint=<IPv4 address>|<IPv6 address>]
      [port1=0-65535|any (default=any)]
      [port2=0-65535|any (default=any)]
      [protocol=0-255|tcp|udp|icmpv4|icmpv6|any (default=any)]
      [interfacetype=wireless|lan|ras|any (default=any)]
      [auth1=computerkerb|computercert|computercertecdsap256|computercertecdsap384|computerpsk|
         computerntlm|anonymous[,...]]
      [auth1psk=<string>]
      [auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] ..."]
      [auth1healthcert=yes|no (default=no)]
      [auth1ecdsap256ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] ..."]
      [auth1ecdsap256healthcert=yes|no (default=no)]
      [auth1ecdsap384ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] ..."]
      [auth1ecdsap384healthcert=yes|no (default=no)]
      [auth2=computercert|computercertecdsap256|computercertecdsap384|userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm|anonymous[,...]]
      [auth2ca="<CA Name> [certmapping:yes|no] ..."]
      [auth2ecdsap256ca="<CA Name> [certmapping:yes|no] ..."]
      [auth2ecdsap384ca="<CA Name> [certmapping:yes|no] ..."]
      [qmpfs=dhgroup1|dhgroup2|dhgroup14|ecdhp256|ecdhp384|mainmode|
         none (default=none)]
      [qmsecmethods=
         ah:<integrity>+esp:<integrity>-<encryption>+[valuemin]+[valuekb]
         |default]
        
Remarks:

      - The rule name should be unique, and it cannot be "all."
      - When mode=tunnel, both tunnel endpoints must be specified and must be
        the same IP version. Also, the action must be requireinrequireout.
      - At least one authentication must be specified.
      - Auth1 and auth2 can be comma-separated lists of options.
      - The "computerpsk" and "computerntlm" methods cannot be specified together
        for auth1.
      - Computercert cannot be specified with user credentials for auth2.
      - Certsigning options ecdsap256 and ecdsap384 are supported only on Windows Vista SP1 and on later versions of Windows Vista.
      - Qmsecmethods can be a list of proposals separated by a comma (,).
      - For qmsecmethods, integrity=md5|sha1|sha256|aesgmac128|aesgmac192|aesgmac256|aesgcm128|aesgcm192|aesgcm256 and
        encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256.
      - If aesgcm128, aesgcm192, or aesgcm256 is specified, it must be used for both ESP integrity and encryption.
      - Sha-256, aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, and aesgcm256 are supported only on Windows Vista SP1 and on later versions of Windows Vista.
      - Qmpfs=mainmode uses the main mode key exchange setting for PFS.
      - We recommend that you do not use DES, MD5, or DHGroup1. These
        cryptographic algorithms are provided for backward compatibility
        only.
      - The default value for certmapping and for excludecaname is "no."
      - The quotation mark (") characters in the CA name must be replaced with a backslash character followed by a single quotation mark (\').
Example 1
????? ?????? ?? ???? ??? ????? ??Netsh advfirewall????:
Netsh advfirewall consec ?????? ???? ?? ??? test1 endpoint1 = ??? ?? endpoint2 = ???? ?? ?????? = requestinrequestout ????? = ? ????? ECDSA256 ?????? ???? ?? AESGMAC256 ? = auth1 computercert, computercertecdsap256 auth1ca = = ? C = ????, O MSFT, CN = \ 'Microsoft ??????, South, East, ?? ?????? ?? ??? Authority\ ? = ? auth1healthcert auth1ecdsap256ca ???? = = ? C = ????, O MSFT, CN = \ 'Microsoft ??????, South, East, ?? ?????? ?? ??? Authority\ ? = ? auth1ecdsap256healthcert ??? qmsecmethods = = ah: aesgmac256 + esp:aesgmac256-??? ????
?? ???? ?? ????? ??????? ???? ??? ??????? ??? ?? ?? ??????? ??????? ???? ????? ??:
  • ???? ??????? ???? ?? ??? ?????????? RSA ?????????? ????????? ?? ????? ???? ?? ?? ???
  • ????? ?????????? ???? ?? ?????????? ??? ????????? ???? ?? ??? ECDSA256 ?? ????? ???? ?? ?? ????????? ?????????? ???
??????? ??????? ???? ?? ?? AES GMAC 256 ?????????? AH ?? ESP ?? ??????? ?? ????? ???? ??????? ????? ???? ??? ???? ??????????? ?? ????? ???? ???
Example 2
????? ?????? ?? ???? ??? ????? ??Netsh advfirewall????:
Netsh advfirewall consec ?????? ???? ?? ??? 2 endpoint1 = ??? ?? endpoint2 = ??? ?????? = requestinrequestout ????? = ? ????? SHA 256 ?????? ?? ??? ? ?? ??????????? ?? ??? AES192 auth1 = computercert auth1ca = = ? C = ????, O MSFT, CN = \ 'Microsoft ??????, South, East, ?? ?????? ?? ??? Authority\ ? = ? auth1healthcert ???? qmsecmethods = = ah: sha256 + esp:sha256-aes192
?? ???? ?? ?? ??????? ?????? ??? ??????? ??? ?? ?? ??????? ??????? ???? ????? ??? ??????? ???? ?? ??? ?????????? RSA ?????????? ????????? ?? ????? ???? ???? ???

??????? ??????? ???? ????? ?? ??? SHA256 ?? ??????????? ?? ??? AES192 ?? ??? AH ?? ESP ?? ??????? ?? ????? ???? ??????? ????? ???? ???

??? ?????? ??????? ??????? ???? ??????? ????

Netsh advfirewall
Usage: set rule
      group=<string> | name=<string>
      [type=dynamic|static]
      [profile=public|private|domain|any[,...] (default=any)]
      [endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [port1=0-65535|any]
      [port2=0-65535|any]
      [protocol=0-255|tcp|udp|icmpv4|icmpv6|any]
      new
      [name=<string>]
      [profile=public|private|domain|any[,...]]
      [description=<string>]
      [mode=transport|tunnel]
      [endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [action=requireinrequestout|requestinrequestout|
         requireinrequireout|noauthentication]
      [enable=yes|no]
      [type=dynamic|static]
      [localtunnelendpoint=<IPv4 address>|<IPv6 address>]
      [remotetunnelendpoint=<IPv4 address>|<IPv6 address>]
      [port1=0-65535|any]
      [port2=0-65535|any]
      [protocol=0-255|tcp|udp|icmpv4|icmpv6|any]
      [interfacetype=wireless|lan|ras|any]
      [auth1=computerkerb|computercert|computercertecdsap256|computercertecdsap384|computerpsk|
         computerntlm|anonymous[,...]]
      [auth1psk=<string>]
      [auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] ..."]
      [auth1healthcert=yes|no (default=no)]
      [auth1ecdsap256ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] ..."]
      [auth1ecdsap256healthcert=yes|no (default=no)]
      [auth1ecdsap384ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] ..."]
      [auth1ecdsap384healthcert=yes|no (default=no)]
      [auth2=computercert|computercertecdsap256|computercertecdsap384|userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm|anonymous[,...]]
      [auth2ca="<CA Name> [certmapping:yes|no] ..."]
      [auth2ecdsap256ca="<CA Name> [certmapping:yes|no] ..."]
      [auth2ecdsap384ca="<CA Name> [certmapping:yes|no] ..."]
      [qmsecmethods=
         ah:<integrity>+esp:<integrity>-<encryption>+[valuemin]+[valuekb]|
         default]


Remarks:

      - This sets a new parameter value on an identified rule. The command fails
        if the rule does not exist. To create a rule, use the "add" command.
      - Values after the new keyword are updated in the rule.  If there are
        no values, or if the "new" keyword is missing, no changes are made.
      - Only a group of rules can be enabled or disabled.
      - If multiple rules match the criteria, all matching rules are 
        updated.
      - The rule name should be unique, and it cannot be "all."
      - Auth1 and auth2 can be comma-separated lists of options.
      - The computerpsk and computerntlm methods cannot be specified together
        for auth1.
      - Computercert cannot be specified by using user credentials for auth2.
      - Certsigning options ecdsap256 and ecdsap384 are supported only on Windows Vista SP1 and on later versions of Windows Vista.
      - Qmsecmethods can be a list of proposals that are separated by a comma (,).
      - For qmsecmethods, integrity=md5|sha1|sha256|aesgmac128|aesgmac192|aesgmac256|aesgcm128|aesgcm192|aesgcm256 and
        encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256.
      - If aesgcm128, aesgcm192, or aesgcm256 is specified, it must be used for both ESP integrity and for encryption.
      - Sha-256, aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, and aesgcm256 are supported only on Windows Vista SP1 and on later versions of Windows Vista.
      - If qmsecmethods is set to "default," qmpfs will be set to "default" also.
      - Qmpfs=mainmode uses the main mode key exchange setting for PFS.
      - We recommend that you do not use DES, MD5, or DHGroup1. These
        cryptographic algorithms are provided for backward compatibility
        only.
      - The default value for "certmapping" and "excludecaname" is "no."
      - The quotation mark (") characters in the CA name must be replaced with a backslash character followed by a single quotation mark (\').
The following is an example of a command that updates the rule that was created in "Example 1" in the previous section:
Netsh advfirewall consec ??? ???? ??? ??????? ?? ?? qmsecmethods = = ah: aesgmac256 + esp:aesgcm256-aesgcm256
?? ???? ?? ESP ??????? ?? ??????????? ?? ??? AES GCM 256 ?? ????? ???? ?? ??? ?? AH ????? ?? ??? AES GMAC 256 ?? ????? ???? ?? ??? ???? ?????? ???? ???

??????? ?????-??? ?????? ??? ????

??? ??? ?? ??? ??Netsh advfirewall ??? ????????????
netsh advfirewall>set global

Usage: set global statefulftp|statefulpptp  enable|disable|notconfigured
      set global IPsec (parameter) (value)
      set global mainmode (parameter) (value) | notconfigured

IPsec Parameters:

      strongcrlcheck    - Configures how CRL checking is enforced.
                          0: Disable CRL checking
                          1: Fail if cert is revoked (default)
                          2: Fail on any error
                          notconfigured: Returns the value to its unconfigured state.
      saidletimemin     - Configures the security association idle time in
                          minutes.
                        - Usage: 5-60|notconfigured (default=5)
      defaultexemptions - Configures the default IPsec exemptions. The default is
                          to exempt IPv6 neighbordiscovery protocol from
                          IPsec.
                        - Usage: none|neighbordiscovery|notconfigured

Main Mode Parameters:

      mmkeylifetime     - Sets the main mode key lifetime in minutes, in sessions, or in both.
                        - Usage: <num>min,<num>sess
      mmsecmethods      - Configures the main mode list of proposals
                        - Usage:
                          keyexch:enc-integrity,enc-integrity[,...]|default
                        - keyexch=dhgroup1|dhgroup2|dhgroup14|
                          ecdhp256|ecdhp384
                        - enc=3des|des|aes128|aes192|aes256
                        - integrity=md5|sha1|sha256|sha384

Remarks:

      - This configures global settings, such as advanced IPsec options.
      - We recommend that you do not use DES, MD5, or DHGroup1. These
        cryptographic algorithms are provided for backward compatibility
        only.
      - The mmsecmethods keyword default sets the policy to the following:
        dhgroup2-aes128-sha1,dhgroup2-3des-sha1
      - Sha256 and sha384 are supported only on Windows Vista SP1 and on later versions of Windows Vista.
????? ??? ???????????????? ??? ??? ?? SHA ?????????? ?? ????? ???? ?? ?? ???? ???? ?? ?? ?????? ?????????? ??:
Netsh advfirewall ??? ??????? mainmode mmsecmethods dhgroup1:3des-sha256, 3des sha384

?????? ??????, ???????????, ?? ???? ?? ????

"Netsh advfirewall consec ?? ???? ???" ????

??Netsh advfirewall consec ?? ??? ???? ?????????? ??? ??????? ??????? ?????? ?? ??? ??????????? ?? ????????? ???? ???

?? ???? ?? ??? ?????? ?? ?? ????? ????? ???
Rule Name:				test
Enabled:					Yes
Profiles:					Domain,Private,Public
Type:					Static
Mode:					Transport
Endpoint1:				Any
Endpoint2:				Any
Protocol:					Any
Action:					RequestInRequestOut
Auth1:					ComputerPSK
Auth1PSK:				         12345
MainModeSecMethods			         ECDHP384-3DES-SHA256,ECDHP384-3DES-SHA384
QuickModeSecMethods			AH:AESGMAC256+ESP:AESGCM256-AESGCM256+60 min+100000kb

"Netsh advfirewall ?????? ?? mmsa" ????

??Netsh advfirewall ?????? ?? mmsa ?????????? ????? ??? ??????? ????? ?? ????????? ???? ???

?? ???? ?? ??? ?????? ?? ?? ????? ????? ???
Main Mode SA at 01/04/2008 13:10:09
Local IP Address:				157.59.24.101
Remote IP Address:			         157.59.24.119
My ID:
Peer ID:
First Auth:				ComputerPSK
Second Auth:				None
MM Offer:				         ECDHAP384-3DES-SHA256
Cookie Pair:				203d57505:5d088705
Health Pair:				No
Ok.

"Netsh advfirewall ?????? ?? qmsa" ????

??Netsh advfirewall ?????? ?? qmsa ?????????? ?????? ??? ??????? ?? ????? ?? ????????? ???? ???

?? ???? ?? ??? ?????? ?? ?? ????? ????? ???
Main Mode SA at 01/04/2008 13:10:09
Local IP Address:				157.59.24.101
Remote IP Address:			         157.59.24.119
Local Port:				Any
Remote Port:				Any
Protocol:					Any
Direction:				Both
QM Offer:				         AH:AESGMAC256+ESP:AESGCM256-AESGCM256+60min +100000kb	
Ok.

"Netsh advfirewall ?? ???????" ????

??Netsh advfirewall ?? ??????????? ??????? ???????? ?? ????????? ???? ???

?? ???? ?? ??? ?????? ?? ?? ????? ????? ???
Global Settings:
IPsec:					
StrongCRLCheck				0:Disabled
SAIdleTimeMin				5min
DefaultExemptions			         NeighborDiscovery
IPsecThroughNAT			         Server and client behind NAT

StatefulFTP				Enable
StatefulPPTP				Enable

Main Mode:
KeyLifetime				2min,0sess
SecMethods				DHGroup1-3DES-SHA256,DHGroup1-3DES-SHA384
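The show rule, show mmsa, show qmsa and show global listings above are what an administrator reads back to confirm that a Suite B policy actually took effect. The following Python script is an added example, not part of this article and not part of netsh: it parses that "Name<tabs>Value" listing format into a dictionary and then flags any security-method list that still carries DES, MD5 or DHGroup1 (the algorithms the Remarks say are kept for backward compatibility only), plus a StrongCRLCheck value of 0 (CRL checking disabled). The two samples embedded in the script are constructed from the listings above, and helper names such as parse_netsh_output and audit are the example's own.

```python
import re

# Algorithms the article's Remarks keep only for backward compatibility.
LEGACY = {"des", "md5", "dhgroup1"}

# Constructed sample, modelled on the "show global" listing in the article.
SAMPLE_GLOBAL = """Global Settings:
IPsec:
StrongCRLCheck\t\t\t\t0:Disabled
SAIdleTimeMin\t\t\t\t5min
DefaultExemptions\t\t\t         NeighborDiscovery
IPsecThroughNAT\t\t\t         Server and client behind NAT

StatefulFTP\t\t\t\tEnable
StatefulPPTP\t\t\t\tEnable

Main Mode:
KeyLifetime\t\t\t\t2min,0sess
SecMethods\t\t\t\tDHGroup1-3DES-SHA256,DHGroup1-3DES-SHA384
"""

# Constructed sample, modelled on the "show rule" listing in the article.
SAMPLE_RULE = """Rule Name:\t\t\t\ttest
Enabled:\t\t\t\t\tYes
Mode:\t\t\t\t\tTransport
Auth1:\t\t\t\t\tComputerPSK
MainModeSecMethods\t\t\t         ECDHP384-3DES-SHA256,ECDHP384-3DES-SHA384
QuickModeSecMethods\t\t\tAH:AESGMAC256+ESP:AESGCM256-AESGCM256+60 min+100000kb
"""


def parse_netsh_output(text):
    """Turn 'Name<tabs or spaces>Value' lines into a dict.

    Section headers such as 'Main Mode:' carry no value and are skipped;
    a trailing colon on a name ('Rule Name:') is dropped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = re.split(r"\t+|\s{2,}", line, maxsplit=1)
        if len(parts) < 2 or not parts[1].strip():
            continue  # header line or empty value
        name = parts[0].strip().rstrip(":")
        fields[name] = parts[1].strip()
    return fields


def audit(fields):
    """Return {field: [problems]} for legacy algorithms and disabled CRL checking."""
    findings = {}
    for name, value in fields.items():
        if name.lower().endswith("secmethods"):
            # Split proposal lists such as 'DHGroup1-3DES-SHA256,DHGroup1-3DES-SHA384'
            # or 'AH:AESGMAC256+ESP:AESGCM256-AESGCM256+60 min+100000kb' into tokens.
            tokens = {t.strip().lower() for t in re.split(r"[-,+:]", value)}
            hits = sorted(LEGACY & tokens)
            if hits:
                findings[name] = hits
    crl = fields.get("StrongCRLCheck", "")
    if crl.startswith("0"):
        findings["StrongCRLCheck"] = ["CRL checking disabled"]
    return findings


if __name__ == "__main__":
    for label, sample in (("global", SAMPLE_GLOBAL), ("rule", SAMPLE_RULE)):
        print(label, audit(parse_netsh_output(sample)) or "no findings")
```

Feed the script the captured text of the netsh listing (for example, redirect the command's output to a file and read it in) rather than the samples; the tokeniser treats 3DES as distinct from DES, so only the algorithms the Remarks actually discourage are reported.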

??????????????

???????, ???????? ?? ???? B ?????????? ?? ????? ???? ?? ?? IPsec ???? ?? ??????? ?? ???????? ??? Windows Vista SP1 ?? Windows Server 2008 ???? ?? Windows Vista SP1 ?? ??? ?? Windows Server 2008 ?? ??? ???? ??? ?? ??????? ?? ????? ?? ???? ???? B ?????????? ?? ??? ??? ???? ???? ?? ?????? ?? ?????

????? ???????? ?? ???????? ?????? ??????????? ???? ????

1 ????????

?? ??? ??? ???????? Windows Server 2008 ?? Windows Vista SP1 ?? Windows Vista ?? ?????? ??????? ??? ??? ???????? ?? ???? ?? ??? ???? ???? ???? ?? ??? ?? ??? ??????????????? ?????????? ?? ????? ?????
???????? ??????
??? ???? ???? ??? ??????????????? ???? ?? ??????????????? ?????????? ?? ????? ???? ???? ???, ?? ??????????????? ?????? ????? ?? ?? ??? ?? ???????????????? ??? ??? ???? ??????????????? ?????? ???? ????? ?? ????? ???? ???? ???

??? ??? ???????????????? ?????? ???? ??? ?????? ?? ???, ?? ???? ???? ?? ????? ???? ????? ??? ??? ????? ??? ???? ?? ?? ????? ???? ?? ?? ???? ??????? ???? ???? ?? ????? ?????, ??? ??? ??????????????? ?????? ????? ?????? ???????????????? ??? ??? ????? ?? ?? ???, ?? ??????? ??????? ?????? ?? ???? ??? ?? ??? ?? ??? ???? ??? ???????, ??? ??????? ???? ??? ??? ?? ???? ???

??????? ??? ????????? ???????????????? ??? ????????? ?? ???? ???? ??? ??? ??? ???? ??? ?? ?? ?? ?????????? ???? (ECDSA P256 ?? ECDSA P384) ???? ?? ??? Windows Vista ?? ?????? ??????? ??? ??? ???????? ?? ???? ???? ??, ??????? ???? ????? ?? ?? ????

??? ?? ???? ?? ??? ??? ??????? ???? ???? ?????????? ??? ??? ????? ?? ?? ???, ?? ???? ???? ??????? ???? ??? ??? ??? ??????? ???? ????? ?????????? ??? ??? ????? ?? ?? ???, ???? ???? ??????? ?? ????? ???? ??? ???? ??????? ?? ??? ?????

???????? 2

On a computer that is running the release version of Windows Vista, you use the new cryptographic algorithms to view a policy that was created on a computer that is running Windows Server 2008 or Windows Vista SP1.
???????? ??????
The new algorithms are displayed as "unknown" in both the monitoring and authoring parts of the Windows Firewall with Advanced Security MMC snap-in. The Netsh advfirewall command also displays the algorithms as "unknown" in Windows Vista.

Restrictions on interoperability

Restrictions on interoperability are as follows:
  • We do not support remote management of policies that use Suite B algorithms on computers that are running Windows Vista SP1 or Windows Server 2008 from a computer that is running the release version of Windows Vista.
  • When a policy that is created on a computer that is running Windows Vista SP1 or Windows Server 2008 is imported to a computer that is running the release version of Windows Vista, some parts of the policy are dropped. This occurs because the release version of Windows Vista cannot recognize the new algorithms.

Quick-mode cryptographic algorithm combinations that are supported and not supported

The following table shows supported Quick-mode cryptographic algorithm combinations.
Protocol | AH integrity | ESP integrity  | Encryption
AH       | AES-GMAC 128 | Not applicable | Not applicable
AH       | AES-GMAC 192 | Not applicable | Not applicable
AH       | AES-GMAC 256 | Not applicable | Not applicable
AH       | SHA256       | Not applicable | Not applicable
AH       | SHA1         | Not applicable | Not applicable
AH       | MD5          | Not applicable | Not applicable
ESP      | None         | AES-GMAC 128   | None
ESP      | None         | AES-GMAC 192   | None
ESP      | None         | AES-GMAC 256   | None
ESP      | None         | SHA256         | None
ESP      | None         | SHA1           | None
ESP      | None         | MD5            | None
ESP      | None         | SHA256         | Any supported encryption algorithm except AES-GCM algorithms
ESP      | None         | SHA1           | Any supported encryption algorithm except AES-GCM algorithms
ESP      | None         | MD5            | Any supported encryption algorithm except AES-GCM algorithms
ESP      | None         | AES-GCM 128    | AES-GCM 128
ESP      | None         | AES-GCM 192    | AES-GCM 192
ESP      | None         | AES-GCM 256    | AES-GCM 256
AH+ESP   | AES-GMAC 128 | AES-GMAC 128   | None
AH+ESP   | AES-GMAC 192 | AES-GMAC 192   | None
AH+ESP   | AES-GMAC 256 | AES-GMAC 256   | None
AH+ESP   | SHA256       | SHA256         | None
AH+ESP   | SHA1         | SHA1           | None
AH+ESP   | MD5          | MD5            | None
AH+ESP   | SHA256       | SHA256         | Any supported encryption algorithm except AES-GCM algorithms
AH+ESP   | SHA1         | SHA1           | Any supported encryption algorithm except AES-GCM algorithms
AH+ESP   | MD5          | MD5            | Any supported encryption algorithm except AES-GCM algorithms
AH+ESP   | AES-GMAC 128 | AES-GCM 128    | AES-GCM 128
AH+ESP   | AES-GMAC 192 | AES-GCM 192    | AES-GCM 192
AH+ESP   | AES-GMAC 256 | AES-GCM 256    | AES-GCM 256
Note: AES-GMAC is the same as AES-GCM with null encryption. For example, you can specify AH integrity to use AES-GMAC 128, and you can specify ESP integrity to use AES-GCM 128. This is the only exception to the rule that AH and ESP integrity algorithms must be identical.

The combinations that are described in the following table are not supported.
Protocol | AH integrity | ESP integrity | Encryption
ESP      | None         | AES-GMAC 128  | Any supported encryption algorithm
ESP      | None         | AES-GMAC 192  | Any supported encryption algorithm
ESP      | None         | AES-GMAC 256  | Any supported encryption algorithm
ESP      | None         | AES-GCM 128   | None, or any encryption algorithm except AES-GCM 128
ESP      | None         | AES-GCM 192   | None, or any encryption algorithm except AES-GCM 192
ESP      | None         | AES-GCM 256   | None, or any encryption algorithm except AES-GCM 256
AH+ESP   | AES-GMAC 128 | AES-GMAC 128  | Any supported encryption algorithm
AH+ESP   | AES-GMAC 192 | AES-GMAC 192  | Any supported encryption algorithm
AH+ESP   | AES-GMAC 256 | AES-GMAC 256  | Any supported encryption algorithm
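Assembling a qmsecmethods or mmsecmethods value by hand is where the rules in the Remarks and in the two tables above are easiest to get wrong, and netsh reports only that the command failed. The following Python checker is an added example, not code from this article or from Windows. It encodes the quick-mode rules from the tables (AES-GCM is available for ESP only and must be used for both ESP integrity and encryption at the same key size; AES-GMAC is integrity only, so ESP encryption must be none; AH and ESP integrity must be identical except for the AES-GMAC-n with AES-GCM-n pairing) and the main-mode syntax from the set global mainmode section, and it labels DES, MD5 and DHGroup1 as legacy. Names such as check_qm_proposal and check_mmsecmethods are the example's own, and the "none" keyword for ESP without encryption is assumed from the table rows rather than taken from the usage text.

```python
import re

# Algorithm keywords as listed in the netsh advfirewall usage text above.
QM_INTEGRITY = {"md5", "sha1", "sha256",
                "aesgmac128", "aesgmac192", "aesgmac256",
                "aesgcm128", "aesgcm192", "aesgcm256"}
# "none" is an assumption: the tables list ESP with integrity and no
# encryption, but the usage text above does not spell out the keyword.
QM_ENCRYPTION = {"none", "3des", "des", "aes128", "aes192", "aes256",
                 "aesgcm128", "aesgcm192", "aesgcm256"}
MM_KEYEXCH = {"dhgroup1", "dhgroup2", "dhgroup14", "ecdhp256", "ecdhp384"}
MM_ENC = {"3des", "des", "aes128", "aes192", "aes256"}
MM_INTEGRITY = {"md5", "sha1", "sha256", "sha384"}
# Remarks: provided for backward compatibility only.
LEGACY = {"des", "md5", "dhgroup1"}


def _legacy_note(algs):
    hits = sorted(LEGACY & set(algs))
    return "ok (legacy: %s)" % ", ".join(hits) if hits else "ok"


def check_qm_proposal(proposal):
    """Validate one quick-mode proposal such as
    'ah:sha256+esp:sha256-aes192+60min+100000kb'. Returns (ok, reason)."""
    p = proposal.strip().lower()
    if p == "default":
        return True, "default"
    ah = esp_i = esp_e = None
    for part in p.split("+"):
        if part.startswith("ah:"):
            ah = part[3:]
        elif part.startswith("esp:"):
            esp_i, sep, esp_e = part[4:].partition("-")
            if not sep:
                return False, "esp needs <integrity>-<encryption>"
        elif re.fullmatch(r"\d+(min|kb)", part):
            continue  # optional valuemin / valuekb lifetimes
        else:
            return False, "unrecognised component %r" % part
    if ah is None and esp_i is None:
        return False, "a proposal needs ah: and/or esp:"
    if ah is not None:
        if ah not in QM_INTEGRITY:
            return False, "unknown AH integrity %r" % ah
        if ah.startswith("aesgcm"):
            return False, "AES-GCM is available for ESP only"
    if esp_i is not None:
        if esp_i not in QM_INTEGRITY or esp_e not in QM_ENCRYPTION:
            return False, "unknown ESP algorithm in %r" % (esp_i + "-" + esp_e)
        if esp_i.startswith("aesgcm") or esp_e.startswith("aesgcm"):
            if esp_i != esp_e:
                return False, "AES-GCM must be used for both ESP integrity and encryption at the same key size"
        elif esp_i.startswith("aesgmac") and esp_e != "none":
            return False, "AES-GMAC gives integrity only; ESP encryption must be none"
    if ah is not None and esp_i is not None and ah != esp_i:
        # The only permitted mismatch: AES-GMAC-n for AH with AES-GCM-n for ESP.
        gmac_gcm_pair = (ah.startswith("aesgmac") and esp_i.startswith("aesgcm")
                         and ah[-3:] == esp_i[-3:])
        if not gmac_gcm_pair:
            return False, "AH and ESP integrity must match (except AES-GMAC-n with AES-GCM-n)"
    return True, _legacy_note([a for a in (ah, esp_i, esp_e) if a])


def check_qmsecmethods(value):
    """Validate a full qmsecmethods value: comma-separated proposals.
    Returns a list of (proposal, ok, reason)."""
    return [(p.strip(), *check_qm_proposal(p)) for p in value.split(",")]


def check_mmsecmethods(value):
    """Validate an mmsecmethods value 'keyexch:enc-integrity[,enc-integrity...]'
    or 'default'. Returns (ok, reason)."""
    s = value.strip().lower()
    if s == "default":
        return True, "default"
    keyexch, sep, rest = s.partition(":")
    if not sep or keyexch not in MM_KEYEXCH:
        return False, "unknown key exchange %r" % keyexch
    used = [keyexch]
    for pair in rest.split(","):
        enc, sep2, integ = pair.strip().partition("-")
        if not sep2 or enc not in MM_ENC or integ not in MM_INTEGRITY:
            return False, "bad main mode proposal %r" % pair.strip()
        used += [enc, integ]
    return True, _legacy_note(used)


if __name__ == "__main__":
    for v in ("ah:aesgmac256+esp:aesgcm256-aesgcm256+60min+100000kb",
              "ah:sha256+esp:sha256-aesgcm256", "esp:aesgmac128-aes128"):
        print(v, "->", check_qm_proposal(v))
    print(check_mmsecmethods("dhgroup1:3des-sha256,3des-sha384"))
```

Run the checker over the value before passing it to netsh advfirewall consec add rule or set global mainmode; a proposal that the tables list as unsupported comes back with the specific rule it breaks, and a valid one that still relies on DES, MD5 or DHGroup1 is marked legacy so it can be reviewed before the policy is deployed.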
For more information about Suite B, visit the following Web site:
http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
For more information about IPsec and connection security rules, visit the following Microsoft Web site:
http://go.microsoft.com/fwlink/?linkid=96525
For more information about Cryptography Next Generation in Windows Server 2008, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver2008/en/library/532ac164-da33-4369-bef0-8f019d5a18b81033.mspx?mfr=true
???? ??????? ?? ???, Microsoft ?????? ??? ??? ???? ????? ?? ??? ????? ???? ?????? ????? ????::
949299???? ??? Windows Vista ?????? ??? 1 ??? Common IPsec ?? ??? Windows ???????? ???????? ???? ?? ??? ?????? ??? crypto ???????? ??????? ???? ?? ?????

???

???? ID: 949856 - ????? ???????: 11 ??????? 2011 - ??????: 3.0
???? ???? ???? ??:
  • Windows Vista Service Pack 1, ?? ???? ??? ?????? ???? ???:
    • Windows Vista Business
    • Windows Vista Business 64-bit edition
    • Windows Vista Enterprise
    • Windows Vista Enterprise 64-bit edition
    • Windows Vista Home Basic
    • Windows Vista Home Basic 64-bit edition
    • Windows Vista Home Premium
    • Windows Vista Home Premium 64-bit edition
    • Windows Vista Ultimate
    • Windows Vista Ultimate 64-bit edition
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
??????: 
kbexpertiseinter kbhowto kbinfo kbmt KB949856 KbMthi
???? ?????? ????????
??????????: ?? ???? ?? ???? ??????? ?? ????? ?? Microsoft ????-?????? ?????????? ?????? ?????? ???? ??? ??. Microsoft ???? ??? ????-???????? ?? ????-???????? ????? ?????? ?? ???? ???????? ???? ?? ???? ????? ????? ??? ?? ??? ?????? ?? ???? ???? ???? ??? ????? ??. ???????, ????-???????? ???? ????? ???? ???? ???? ???. ?????, ????????, ?????-???? ?? ??????? ?? ???????? ?? ???? ???, ???? ?? ??? ?????? ???? ???? ??? ????? ??? ?? ???? ??. Microsoft ??????? ??? ???? ?? ?????? ?? ??????????, ????????? ?? ??? ?????? ?? ???? ????? ?? ???? ???????? ?? ??? ???? ????? ?? ??? ????????? ???? ??. Microsoft ????-?????? ?????????? ?? ????? ?????? ?? ?? ??? ??.
?????????? ?? ??????? ????????? ??????? ??:949856

??????????? ???

 
