You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Document TunnelType parameter restrictions for New-NetIPsecRule (#4111)
* Update IKEv2 and TunnelType parameter documentation
Clarified IKEv2 support details and added conditions for TunnelType parameter.
* Update Default key module description in documentation
Clarified the behavior of the Default key module in relation to Windows 11 and Windows Server 2025.
* Update Default key module description in documentation
Clarified the Default key module behavior for Windows 11 and Windows Server 2025.
* Update Default KeyModule description for clarity
* Update Default key module description for clarity
* Update Default key module description for clarity
* Clarify key module preferences and IKEv2 requirements
Removed redundant information about the Default key module preference and clarified the requirement for the TunnelType parameter in IKEv2.
* Apply suggestions from code review
Co-authored-by: Robin Harwood <19212983+robinharwood@users.noreply.github.com>
---------
Co-authored-by: Robin Harwood <19212983+robinharwood@users.noreply.github.com>
Copy file name to clipboardExpand all lines: docset/winserver2025-ps/NetSecurity/New-NetIPsecRule.md
+3-2Lines changed: 3 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -425,10 +425,10 @@ Specifies that matching IPsec rules of the indicated key module are created.
425
425
This parameter specifies which keying modules to negotiate.
426
426
The acceptable values for this parameter are: Default, AuthIP, IKEv1, or IKEv2.
427
427
428
-
- Default: KeyModule is set based on the authentication method. As of Windows 11, version 24H2 and Windows Server 2025, the Default is equivalent to both IKEv1 and IKEv2, and only sets AuthIP if the authentication method(s) require it. In previous releases, Default is equivalent to both IKEv1 and AuthIP. Required in order for the rule to be applied to computers running Windows versions prior to Windows Server 2008.
428
+
- Default: KeyModule is set based on the authentication method. As of Windows 11, version 24H2 and Windows Server 2025, the Default prefers IKEv2, falls back to IKEv1, and only includes AuthIP if the configured authentication method(s) require it. In previous releases, Default prefers IKEv1 and falls back to AuthIP. This value is required in order for the rule to be applied to computers running Windows versions prior to Windows Server 2008.
429
429
- AuthIP: Supported with phase 2 authentication.
430
430
- IKEv1: Supported with pre-shared key (PSK), Certificates, and Kerberos. Supported with phase 1 authentication only.
431
-
- IKEv2: Not supported with Kerberos, PSK, or NTLM. Supported with phase 1 authentication only.
431
+
- IKEv2: Not supported with Kerberosor NTLM. Supported with phase 1 authentication only. When used with the **Mode** parameter set to Tunnel, the **TunnelType** parameter must be specified.
432
432
433
433
The default value is Default. There are authentication and cryptographic methods that are only compatible with certain keying modules. This is a very advanced setting intended only for specific interoperability scenarios. Overriding this parameter value may result in traffic being sent in plain-text if the authorization and cryptographic settings are not supported by the keying modules. Windows versions prior to Windows Server 2012 only support the Default configuration.
Specifies that matching IPsec rules of the indicated tunnel type are created.
890
890
This parameter specifies which tunnel type to negotiate.
891
+
This parameter is only valid when the **Mode** parameter is set to Tunnel and the **KeyModule** parameter is set to IKEv2.
891
892
The acceptable value for this parameter is: PointToSite.
892
893
- PointToSite: Indicates that the IPsec rule applies only to point-to-site tunnels, typically used for connecting an individual client to a network.
893
894
The default value is PointToSite. This setting is very advanced and should only be modified for specific interoperability or security scenarios. Overriding this parameter incorrectly may result in rules not applying as intended, potentially leaving traffic unprotected. Windows versions prior to Windows Server 2025 do not support explicit tunnel type configuration.
0 commit comments