Setting up IPSEC encryption between selected hosts on two different IP networks may be required if the hosts need to exchange sensitive information across an untrusted link, for instance via Internet or a WAN. In this example we are using Pre-Shared Key based encryption, but certificate based encryption is quite similar.
In this example I will use the following two hosts:
CLIENT at HOME
10.0.0.100/255.255.255.0
SERVER at WORK
192.168.0.100/255.255.255.0
Starting with SERVER, Click "Start" | "Run" and type "secpol.msc"
Click "IP Security Policies"
Right-click in the right pane and select "Create new policy"
Next
Name the policy "HOME"
Next
Clear the checkbox for "activate default response"
Next
Finish
Now click "Add..."
Next
Select "Not a tunnel"
Next
Select "All network connections"
Next
Click "Add..."
Name the filter "HOME"
Click "Add..."
Next
Name the selection "HOME"
Check the "mirror" checkbox
Next
Select "My IP address"
Next
Select "IP Subnet"
Specify IP network "10.0.0.0" and subnet mask "255.255.255.0"
Next
Select "Any protocol"
Next
Click "Finish", then "OK"
Check the "HOME" entry
Next
Select "Pre-Shared Key" and type a random string. Make sure you keep a copy of this random string in a very safe place, because you will need to use the exact same key at the peers connecting to SERVER!
Next
Now, right-click on the newly created IP policy and select "Apply". From now on, SERVER will require all incoming traffic from HOME to be IPSEC encrypted, and it will attempt to establish an encrypted connection for any traffic from SERVER to HOME.
You can test this by attempting to PING 10.0.0.100 from SERVER: you should get an error message saying that IPSEC negotiation was attempted.
Now repeat the whole procedure on HOME, replacing the policy and filter names and using the 192.168.0.0 / 255.255.255.0 network in the filter instead. When done, go back to SERVER and PING 10.0.0.100. This time it should work, unless there's a firewall between the two networks blocking AH/IPSEC traffic.
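As an added example, not part of the original write-up, here is the same policy built from an elevated Command Prompt with "netsh ipsec static", which creates the same objects the secpol.msc wizard does (policy, filter list, mirrored filter, filter action, rule, assignment). The host names and networks are the ones used above; the pre-shared key value is a placeholder that you must replace with your own random string, and the filter action name "RequireIPsec" is my own choice.

```batch
@echo off
REM Added example (not the original page's procedure): build the "HOME" policy on SERVER
REM (192.168.0.100) from the command line instead of the secpol.msc wizard.
REM Run from an elevated Command Prompt. The pre-shared key is a placeholder; use the
REM exact same random string on every peer.
set PSK=REPLACE-WITH-YOUR-RANDOM-PRESHARED-KEY

REM Policy "HOME" with the default response rule left off
REM (the same as clearing "activate default response" in the wizard)
netsh ipsec static add policy name=HOME description="Require IPsec to the HOME network" activatedefaultrule=no

REM Filter list "HOME" with one mirrored filter: my address <-> 10.0.0.0/255.255.255.0, any protocol
netsh ipsec static add filterlist name=HOME
netsh ipsec static add filter filterlist=HOME srcaddr=Me dstaddr=10.0.0.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

REM Filter action: negotiate security, accept no unsecured inbound traffic (inpass=no)
REM and do not fall back to clear text if negotiation fails (soft=no)
netsh ipsec static add filteraction name=RequireIPsec action=negotiate inpass=no soft=no

REM Rule tying filter list and filter action together for all connection types,
REM authenticated with the pre-shared key (no tunnel endpoint = transport mode, "Not a tunnel")
netsh ipsec static add rule name=HOME policy=HOME filterlist=HOME filteraction=RequireIPsec conntype=all psk="%PSK%"

REM Assign the policy; this is the "Apply"/"Assign" step on the policy in secpol.msc
netsh ipsec static set policy name=HOME assign=y

REM Show what was created
netsh ipsec static show policy name=HOME level=verbose

REM On HOME (10.0.0.100) run the same commands with the names changed to WORK and the
REM filter pointing at dstaddr=192.168.0.0 dstmask=255.255.255.0, using the same PSK.
```

After both sides are assigned, the PING test from the text applies unchanged: the first ping from SERVER reports an IPsec negotiation, and pings succeed once HOME has its matching policy. If a firewall sits between the networks it must pass IKE (UDP port 500) as well as ESP and AH (IP protocols 50 and 51), which is the "AH/IPSEC traffic" the text refers to. "netsh ipsec static" manages these legacy IP Security Policies; on current Windows versions the equivalent Connection Security Rules are managed with the NetIPsec PowerShell cmdlets instead.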