Internet Protocol Security (IPsec)

IPsec is a framework to secure network data at the IP layer and is defined in many RFCs, most notably RFCs 4301 through 4309. IPsec uses policies to define the security protection that is to be applied at the MCP-to-network boundary. Traffic can be forbidden from being transmitted unencrypted (DISCARD), allowed to be transmitted unencrypted (BYPASS), or required to be encrypted prior to transmission (PROTECT). Refer to RFC 4302 (IP Authentication Header) and RFC 4303 (IP Encapsulating Security Payload) for more details on the protection services.

The MCP implementation supports point-to-point policies using manual keying. Wildcards are not allowed. The IPsec policies are created and managed through the Security Policy Management module of Security Center and are saved in the Security Center database. When IPsec is enabled, these policies are activated in the TCP/IP network provider. You can export and import IPsec policies between MCP systems. You can also test the IPsec policies before deployment. See the Security Center Help for more information on exporting, importing, and testing IPsec policies.

IPsec uses the Authentication Header (AH) protocol to authenticate and uses the Encapsulating Security Payload (ESP) protocol to encrypt and authenticate the data flowing over the connection. The MCP implementation supports AH (using HMAC-SHA1-96), ESP confidentiality (using 3DES-CBC and AES_CBC), and ESP integrity (using HMAC-SHA1-96).

Note: Some systems also support AES_CBC with 256-bit keys, HMAC-SHA-256, and HMAC-SHA-512.
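
The "-96" in HMAC-SHA1-96 means the 160-bit HMAC-SHA1 output is truncated to its leftmost 96 bits to form the integrity check value (ICV), as specified in RFC 2404. The following is an added example, not MCP or Security Center code; the function names and sample key are assumptions, and the input is a plain byte string rather than the exact packet fields that AH or ESP cover.

```python
import hashlib
import hmac

ICV_LEN = 12  # 96 bits: HMAC-SHA1-96 keeps the leftmost 12 bytes (RFC 2404)
KEY_LEN = 20  # RFC 2404 fixes the key length at 160 bits


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """Sender side: return the 96-bit ICV for the given data."""
    if len(key) != KEY_LEN:
        raise ValueError("HMAC-SHA1-96 requires a 160-bit (20-byte) key")
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, received_icv: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    if len(received_icv) != ICV_LEN:
        return False
    return hmac.compare_digest(hmac_sha1_96(key, data), received_icv)


# Constructed sample values: a manually configured key that both
# endpoints of a point-to-point policy would share (hypothetical).
SAMPLE_KEY = bytes(range(20))
SAMPLE_DATA = b"constructed payload between two hosts"

if __name__ == "__main__":
    icv = hmac_sha1_96(SAMPLE_KEY, SAMPLE_DATA)
    print("ICV:", icv.hex())
    print("intact  :", verify_icv(SAMPLE_KEY, SAMPLE_DATA, icv))
    print("tampered:", verify_icv(SAMPLE_KEY, SAMPLE_DATA + b"!", icv))
    print("wrong key:", verify_icv(bytes(20), SAMPLE_DATA, icv))
```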