Wednesday, 30 January 2008

Create the Policy Shell
Choose Action, Create IP Security Policy to start the IP Security Policy Wizard. Click Next.
Enter a name for the policy and, optionally, a description. Click Next.
The default response rule answers requests for secure communication from other computers when no other rule in the policy applies; by default it authenticates with Kerberos and negotiates the default security methods. If you want to include this default rule in your policy, leave Activate The Default Response Rule selected. Otherwise, clear the check box. Click Next.
If you chose to use the default rule, the wizard asks you for an authentication method to use for that rule. Make a selection and click Next.
Add Filter Rules to the Policy
At this point, you have created the shell of your policy. You now need to fill out the filter rules.

Make sure that Edit Properties is selected, and then click Finish. The properties dialog box for your new policy appears. If you selected the default response rule, it is selected in the IP Security Rules list. Now you can add the primary rule(s) for this policy.

Make sure that Use Add Wizard is selected, and click Add to start the Security Rule Wizard. (If you feel confident, clear Use Add Wizard. When you click Add, the New Rule Properties dialog box appears. Fill out each tab according to the steps that follow.) Click Next.
If this rule is to carry a VPN connection (an IPsec tunnel), select The Tunnel Endpoint Is Specified By This IP Address and enter the address at which this rule's tunnel terminates: for traffic arriving from the computer that will be requesting the connection, that is this computer's own IP address; for traffic going back to it, the requesting computer's IP address. A Windows IPsec tunnel is one-way, so a tunnel needs one rule for each direction. Otherwise, leave This Rule Does Not Specify A Tunnel selected. (In the properties dialog box, these options are on the Tunnel Setting tab.) Click Next.
NOTE
--------------------------------------------------------------------------------

You need to create a rule (one for each direction of the tunnel) for each computer that might be requesting a VPN connection.
Select the network connections to which you want to apply this rule (Connection Type tab): All Network Connections, Local Area Network (LAN), or Remote Access. Remote Access refers to dial-up and VPN connections. Click Next.
Select the authentication method for this rule (Authentication Methods tab). Kerberos, the default, works only when both computers are members of trusting Active Directory domains; for other peers use certificates issued by a CA both sides trust. A preshared key is stored in cleartext in the policy and is meant for testing, not production. Click Next.
Add Filter Lists to the Filter Rule
Now you need to select or define the filter list you want to use for this rule. If you're using the Security Rule Wizard, the wizard displays the filter lists already defined (by default, All IP Traffic and All ICMP Traffic), as shown here. You'll find the same list on the IP Filter List tab of the properties dialog box.


If the filter list you want to use is already defined, select it in the list and skip to the next section, "Finish Configuring the Rule." Otherwise, click Add to define a new filter list.
In the IP Filter List dialog box, which is a shell for new filter lists, enter a name and description for the new filter list.
With Use Add Wizard selected, click Add to add a filter to this list. (If you feel confident, clear Use Add Wizard. When you click Add, the Filter Properties dialog box appears. Fill out each tab according to the following steps.)
NOTE
--------------------------------------------------------------------------------

Filter lists are saved by name and can be used in multiple rules.
On the first page of the IP Filter Wizard, click Next.
In the drop-down list, select the source address of the packets. (In the Filter Properties dialog box, the list is on the Addressing tab.) If you are creating a filter for a VPN connection, select A Specific IP Address for the source and My IP Address for the destination, and enter the IP address of the computer requesting the VPN connection as the source IP address. A filter is mirrored by default (the Mirrored check box, on the Addressing tab of the Filter Properties dialog box), so it also matches the reply traffic with source and destination swapped; clear it for a tunnel filter, because each direction of a tunnel needs its own filter list and rule. Click Next.

In the drop-down list, select the destination address of the packets. (In the Filter Properties dialog box, use the Addressing tab.) The options are the same as for the source. Click Next.
Select the protocol. (In the Filter Properties dialog box, use the Protocol tab.) Common selections are Any, TCP, UDP, and ICMP. Click Next. If you selected TCP or UDP, the wizard then asks for the source and destination ports to filter; leave the port set to Any for a filter that should cover all traffic of that protocol.
Click Finish to return to the IP Filter List dialog box. If you want to add another filter, click Add and repeat the preceding process.
NOTE
--------------------------------------------------------------------------------

Filters are not applied in the order in which they are listed; rather, they are generally applied from most specific to least specific. This ordering is not guaranteed during system startup, so some anomalous behavior can occur at that time.
When you finish adding filters to the filter list, click OK (or Close in Windows 2000) to return to the Security Rule Wizard. (If you've skipped the wizards, you return to the New Rule Properties dialog box.) Select the filter list you just created. Click Next.
Finish Configuring the Rule
Select an action to perform on packets matching the filter. (In the New Rule Properties dialog box, the list is on the Filter Action tab.) Pick one of the default actions (Permit, Request Security (Optional), or Require Security) or click Add to run the Filter Action Wizard and create a new action. Request Security lets traffic pass in cleartext when the peer does not negotiate, so for a VPN rule choose Require Security. (To see the properties dialog box for one of the default actions, select the action and then click Edit. The Require Security Properties dialog box is shown here; it is where you clear the options that allow unsecured communication.) Click Next and then click Finish.

NOTE
--------------------------------------------------------------------------------

Filter actions are saved by name and can be used in multiple rules.
Click OK. That rule is now defined. If you want to add another rule, click Add and repeat the process. As you add each rule, it appears in the IP Security Rules list in the properties dialog box for the policy. When you've added all the rules you want for your policy, click Close.
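The whole procedure above, scripted as an added example that is not part of the original page. It uses the netsh ipsec static context that ships with Windows Server 2003 and Windows XP (Windows 2000 has no netsh ipsec context; ipsecpol.exe from the Resource Kit plays the same role). The policy, filter list, filter action and rule names, and the addresses 192.0.2.1 for this computer and 198.51.100.7 for the computer requesting the VPN connection, are assumptions chosen for illustration; replace them with your own.

```powershell
# Added example (not from the original page): the wizard steps above, scripted
# with "netsh ipsec static" on Windows Server 2003 / XP. Run it from an
# elevated prompt. Names and addresses below are assumptions for illustration.

$PolicyName = 'VPN-Policy'
$LocalAddr  = '192.0.2.1'       # this computer's address (assumed)
$PeerAddr   = '198.51.100.7'    # computer requesting the VPN connection (assumed)
$ActionName = 'Require-ESP'

function Invoke-IpsecStatic {
    # Run one "netsh ipsec static" command and stop at the first failure, so a
    # typo in an early step cannot leave a half-built policy to be assigned later.
    param([Parameter(Mandatory = $true)][string[]]$NetshArgs)
    & netsh ipsec static @NetshArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($NetshArgs -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# Create the Policy Shell. The default response rule is left off: every peer we
# expect is covered by an explicit rule below. assign=no keeps the policy
# inactive until it has been reviewed.
Invoke-IpsecStatic 'add', 'policy', "name=$PolicyName", 'activatedefaultrule=no', 'assign=no'

# Add Filter Lists. Tunnel filters must not be mirrored: a Windows IPsec tunnel
# is one rule per direction, each with its own filter list and tunnel endpoint.
Invoke-IpsecStatic 'add', 'filterlist', 'name=VPN-Inbound'
Invoke-IpsecStatic 'add', 'filter', 'filterlist=VPN-Inbound', "srcaddr=$PeerAddr", "dstaddr=$LocalAddr", 'protocol=ANY', 'mirrored=no'
Invoke-IpsecStatic 'add', 'filterlist', 'name=VPN-Outbound'
Invoke-IpsecStatic 'add', 'filter', 'filterlist=VPN-Outbound', "srcaddr=$LocalAddr", "dstaddr=$PeerAddr", 'protocol=ANY', 'mirrored=no'

# Filter action: the equivalent of Require Security with the unsecured options
# cleared. soft=no forbids falling back to cleartext when negotiation fails;
# inpass=no refuses unsecured inbound packets that would merely trigger
# negotiation. 3DES/SHA1 is the strongest ESP combination 2003 offers.
Invoke-IpsecStatic 'add', 'filteraction', "name=$ActionName", 'action=negotiate', 'qmsecmethods=ESP[3DES,SHA1]', 'inpass=no', 'soft=no'

# Add Filter Rules. The inbound tunnel ends on this host, the outbound one on
# the peer. Kerberos requires both computers to be domain members; for a
# non-domain peer use rootca=<issuing CA name> instead. Avoid psk=, which is
# stored in cleartext in the policy store and is meant only for testing.
Invoke-IpsecStatic 'add', 'rule', "name=Inbound-from-$PeerAddr", "policy=$PolicyName", 'filterlist=VPN-Inbound', "filteraction=$ActionName", "tunnel=$LocalAddr", 'conntype=all', 'kerberos=yes'
Invoke-IpsecStatic 'add', 'rule', "name=Outbound-to-$PeerAddr", "policy=$PolicyName", 'filterlist=VPN-Outbound', "filteraction=$ActionName", "tunnel=$PeerAddr", 'conntype=all', 'kerberos=yes'

# Review what was created, then assign. Only one local policy can be assigned
# at a time, and an IPsec policy delivered by domain Group Policy overrides it.
Invoke-IpsecStatic 'show', 'policy', "name=$PolicyName", 'level=verbose'
Invoke-IpsecStatic 'set', 'policy', "name=$PolicyName", 'assign=yes'
```

Each netsh call maps to one section of the wizard walk-through: add policy is "Create the Policy Shell", add filterlist/filter is "Add Filter Lists to the Filter Rule", add filteraction and add rule are "Finish Configuring the Rule". To back out, run netsh ipsec static set policy name=VPN-Policy assign=no and then delete policy name=VPN-Policy; the filter lists and filter action are stored by name, as the notes above say, and survive until deleted separately.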