Allowing Inbound IPSec (IPv6) Traffic to Private Hosts (Windows Embedded CE 6.0)
1/6/2010
By default, the firewall blocks IPSec traffic just like any other inbound traffic. You can configure the firewall to allow inbound IPSec traffic to specific private hosts, or to all private hosts, by creating ALLOW rules for the IP_PROTOCOL_AH (51) and IP_PROTOCOL_ESP (50) protocols and an ALLOW rule for Internet Key Exchange (IKE) packets (UDP port 500).
The following table shows how the members of the FW_RULE structure can be set to allow all inbound IPv6 IPSec traffic, including IKE, to all private hosts.
| dwFlags | PrivateHost.Family | Protocol | Port |
|---|---|---|---|
| FWF_ALLOW \| FWF_INBOUND | AF_INET6 | IP_PROTOCOL_AH | Not applicable |
| FWF_ALLOW \| FWF_INBOUND | AF_INET6 | IP_PROTOCOL_ESP | Not applicable |
| FWF_ALLOW \| FWF_INBOUND | AF_INET6 | IP_PROTOCOL_UDP | 500 |
Registry entries for the rule
The following registry example shows the registry entries for these three rules.

```reg
[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\InboundAH]
"Mask"=dword:20 ; FWM_PROTOCOL
"Flags"=dword:A ; FWF_ALLOW | FWF_INBOUND
"PrivateHost"=hex:17,00 ; AF_INET6
"Protocol"=dword:33 ; IP_PROTOCOL_AH

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\InboundESP]
"Mask"=dword:20 ; FWM_PROTOCOL
"Flags"=dword:A ; FWF_ALLOW | FWF_INBOUND
"PrivateHost"=hex:17,00 ; AF_INET6
"Protocol"=dword:32 ; IP_PROTOCOL_ESP

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\InboundUDP]
"Mask"=dword:24 ; FWM_PROTOCOL | FWM_PORT
"Flags"=dword:A ; FWF_ALLOW | FWF_INBOUND
"PrivateHost"=hex:17,00 ; AF_INET6
"Protocol"=dword:11 ; IP_PROTOCOL_UDP
"Port"=dword:1F4 ; 500
```
Code example to create the rule
The following code example creates the same three rules programmatically. Each FW_RULE is zero-initialized before use, so that bits OR'ed into dwMask start from an empty mask rather than from whatever happened to be on the stack.

```c
// Inbound AH (IP protocol 51), all IPv6 private hosts.
FW_RULE InboundAH = {0};   // zero-initialize so dwMask starts empty
// The following fields must always be set.
InboundAH.dwSize = sizeof(FW_RULE);
InboundAH.dwFlags = FWF_ALLOW | FWF_INBOUND;
InboundAH.dwMask |= FWM_PROTOCOL;
InboundAH.PrivateHost.Family = AF_INET6;
InboundAH.wszDescription = L"Allows inbound AH packets";
// Protocol.
InboundAH.Protocol = IP_PROTOCOL_AH;
// Create a persistent rule.
FirewallCreateRule(&InboundAH, TRUE);

// Inbound ESP (IP protocol 50), all IPv6 private hosts.
FW_RULE InboundESP = {0};
// The following fields must always be set.
InboundESP.dwSize = sizeof(FW_RULE);
InboundESP.dwFlags = FWF_ALLOW | FWF_INBOUND;
InboundESP.dwMask = FWM_PROTOCOL;
InboundESP.PrivateHost.Family = AF_INET6;
InboundESP.wszDescription = L"Allows inbound ESP packets";
// Protocol.
InboundESP.Protocol = IP_PROTOCOL_ESP;
// Create a persistent rule.
FirewallCreateRule(&InboundESP, TRUE);

// Inbound IKE: UDP (IP protocol 17) to port 500 only.
FW_RULE InboundUDP = {0};
// The following fields must always be set.
InboundUDP.dwSize = sizeof(FW_RULE);
InboundUDP.dwFlags = FWF_ALLOW | FWF_INBOUND;
InboundUDP.dwMask = 0;   // explicit: no optional fields selected yet
InboundUDP.PrivateHost.Family = AF_INET6;
InboundUDP.wszDescription = L"Allows inbound Internet Key Exchange (UDP) packets";
// Protocol.
InboundUDP.dwMask |= FWM_PROTOCOL;
InboundUDP.Protocol = IP_PROTOCOL_UDP;
// Port. Without FWM_PORT in dwMask the port range below is ignored and the
// rule would admit all inbound UDP, so both the mask bit and the range are set.
InboundUDP.dwMask |= FWM_PORT;
InboundUDP.PortMin = 500;
InboundUDP.PortMax = 500;
// Create a persistent rule.
FirewallCreateRule(&InboundUDP, TRUE);
```
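The registry entries and the code above both rely on the same idea: dwMask selects which optional FW_RULE fields (protocol, port) take part in matching, and anything not selected is ignored. The following added example is a small stand-alone model of that rule evaluation, written for this page and not part of the Windows Embedded CE firewall or its documentation. It is a model, not the CE firewall's actual matching code. The values FWM_PROTOCOL = 0x20, Flags = 0xA, AF_INET6 = 0x17 and the protocol numbers are taken from the registry listing above; FWM_PORT = 0x04 is derived from Mask 0x24 = FWM_PROTOCOL | FWM_PORT; the split of 0xA into FWF_ALLOW = 0x08 and FWF_INBOUND = 0x02, the assumption that PrivateHost.Family is always compared, and the `model_rule`, `model_packet`, `packet_allowed` and `allowed_in` names are assumptions of this example, not API definitions. It evaluates the three rules from the page against constructed inbound packets, and also evaluates a deliberately misconfigured copy of the IKE rule whose mask omits FWM_PORT, to show why that bit matters.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constants: FWM_PROTOCOL, the combined Flags value 0xA, AF_INET6 (0x17) and
 * the protocol numbers come from the page's registry listing; FWM_PORT is
 * derived from Mask 0x24 = FWM_PROTOCOL | FWM_PORT; the split of 0xA into
 * FWF_ALLOW and FWF_INBOUND is an assumption of this model. */
#define FWF_INBOUND      0x02u   /* assumed */
#define FWF_ALLOW        0x08u   /* assumed; 0x08 | 0x02 == 0x0A as on the page */
#define FWM_PORT         0x04u   /* derived from 0x24 ^ 0x20 */
#define FWM_PROTOCOL     0x20u   /* from the page */
#define AF_INET6_VAL     23      /* 0x17 */
#define IP_PROTOCOL_UDP  17
#define IP_PROTOCOL_ESP  50
#define IP_PROTOCOL_AH   51

/* Hypothetical model of the FW_RULE members this page uses. */
typedef struct {
    unsigned    dwFlags;
    unsigned    dwMask;     /* which optional fields participate in matching */
    int         family;     /* PrivateHost.Family */
    int         protocol;
    unsigned    portMin;
    unsigned    portMax;
    const char *desc;
} model_rule;

/* An inbound packet as seen by the model: address family, IP protocol,
 * destination port (0 when the protocol has none, e.g. AH/ESP). */
typedef struct {
    int      family;
    int      protocol;
    unsigned dstPort;
} model_packet;

/* A rule matches when every field selected by dwMask agrees with the packet.
 * Fields whose FWM_* bit is clear are ignored. Model assumption: the address
 * family is always compared. */
static bool rule_matches(const model_rule *r, const model_packet *p)
{
    if (r->family != p->family)
        return false;
    if ((r->dwMask & FWM_PROTOCOL) && r->protocol != p->protocol)
        return false;
    if ((r->dwMask & FWM_PORT) && (p->dstPort < r->portMin || p->dstPort > r->portMax))
        return false;
    return true;
}

/* Inbound traffic is blocked unless an FWF_ALLOW | FWF_INBOUND rule matches
 * (the page's default: the firewall blocks inbound traffic). */
static bool packet_allowed(const model_rule *rules, size_t n, const model_packet *p)
{
    const unsigned need = FWF_ALLOW | FWF_INBOUND;
    for (size_t i = 0; i < n; i++) {
        if ((rules[i].dwFlags & need) == need && rule_matches(&rules[i], p))
            return true;
    }
    return false;   /* default deny */
}

/* Convenience wrapper so callers can pass plain values. */
bool allowed_in(const model_rule *rules, size_t n, int family, int protocol, unsigned dstPort)
{
    model_packet p = { family, protocol, dstPort };
    return packet_allowed(rules, n, &p);
}

/* The three rules from the page, in registry order. */
const model_rule ipsec_rules[3] = {
    { FWF_ALLOW | FWF_INBOUND, FWM_PROTOCOL,            AF_INET6_VAL, IP_PROTOCOL_AH,  0,   0,   "InboundAH"  },
    { FWF_ALLOW | FWF_INBOUND, FWM_PROTOCOL,            AF_INET6_VAL, IP_PROTOCOL_ESP, 0,   0,   "InboundESP" },
    { FWF_ALLOW | FWF_INBOUND, FWM_PROTOCOL | FWM_PORT, AF_INET6_VAL, IP_PROTOCOL_UDP, 500, 500, "InboundUDP" },
};
const size_t ipsec_rule_count = 3;

/* Constructed misconfiguration for comparison: the InboundUDP rule with
 * FWM_PORT left out of dwMask, so PortMin/PortMax are never consulted. */
const model_rule ike_rule_missing_port_mask = {
    FWF_ALLOW | FWF_INBOUND, FWM_PROTOCOL, AF_INET6_VAL, IP_PROTOCOL_UDP, 500, 500, "InboundUDP (no FWM_PORT)"
};

int main(void)
{
    const model_packet samples[] = {   /* constructed inbound packets */
        { AF_INET6_VAL, IP_PROTOCOL_AH,  0    },
        { AF_INET6_VAL, IP_PROTOCOL_ESP, 0    },
        { AF_INET6_VAL, IP_PROTOCOL_UDP, 500  },
        { AF_INET6_VAL, IP_PROTOCOL_UDP, 4500 },
        { 2 /* AF_INET */, IP_PROTOCOL_ESP, 0 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const model_packet *p = &samples[i];
        printf("family=%d proto=%d port=%u : page rules=%s  missing FWM_PORT=%s\n",
               p->family, p->protocol, p->dstPort,
               packet_allowed(ipsec_rules, ipsec_rule_count, p) ? "ALLOW" : "DENY",
               packet_allowed(&ike_rule_missing_port_mask, 1, p) ? "ALLOW" : "DENY");
    }
    return 0;
}
```

With the page's three rules, AH, ESP and UDP/500 to an IPv6 host are allowed and UDP/4500 or an IPv4 packet fall through to the default deny; the copy whose Mask is 0x20 instead of 0x24 admits UDP/4500 as well, which is the practical reason to confirm that the "Mask" value for the IKE rule includes FWM_PORT when reviewing a device's HKEY_LOCAL_MACHINE\COMM\Firewall\Rules entries.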