Each rule defines a list of authentication methods. Each authentication method defines the requirements for the way in which identities are verified in communications to which the associated rule applies. The methods are attempted by each peer in the order in which they are listed. The two peers must have at least one common authentication method or communication will fail. Creating multiple authentication methods increases the chance that a common method between two computers can be found.
The order of these methods is also important because only the first common method is attempted; if it fails to authenticate, no other methods in the list will be attempted, even if these methods would have succeeded.
Only one authentication method can be used between a pair of computers, regardless of how many are configured. If you have multiple rules that apply to the same pair of computers, you must configure the authentication methods list in those rules to enable the pair to use the same method. For example, if a rule between a pair of computers specifies only Kerberos for authentication and filters only TCP data and, in another rule, specifies only certificates for authentication and filters only UDP data, authentication will fail. Authentication methods are configured on the Authentication Methods tab of the Edit Rule Properties or Add Rule Properties property sheets.
- The Kerberos version 5
authentication protocol is the default authentication technology.
This method can be used for any computers running the
Kerberos V5 authentication protocol that are members of the
same or trusted domains. This method is useful for domain isolation
using Internet Protocol security (IPsec).
- A public key certificate should be used in
situations that include Internet access, remote access to corporate
resources, external business partner communications, or computers
that do not run the Kerberos V5 authentication protocol. This
requires that at least one trusted certification authority (CA) has
been configured. This version of Windows supports X.509 Version 3
certificates, including CA certificates generated by commercial
- A preshared key can be specified. This is a
shared, secret key that is previously agreed upon by two users. It
is simple to use and does not require the client to run the
Kerberos V5 authentication protocol or have a public key
certificate. Both parties must manually configure IPsec to use this
preshared key. This is a simple method for authenticating
standalone computers or any computers that are not using the
Kerberos V5 authentication protocol. A preshared key is for
authentication protection only; it is not used for data integrity
The preshared key is stored in plaintext and is not considered a secure method. Preshared keys should be used for testing purposes only.