<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>IPsec Tunnel Settings</maml:title><maml:introduction>
<maml:para>IPsec can perform Layer 3 tunneling for scenarios in which Layer Two Tunneling Protocol (L2TP) cannot be used. If you are using L2TP for remote communications, no tunnel configuration is required because the client and server virtual private networking (VPN) components of Windows create the rules to secure L2TP traffic automatically.</maml:para>
<maml:para>To create a Layer 3 tunnel using IPsec, use the IP Security Policies or Group Policy snap-ins to configure and enable the following two rules for the policy:</maml:para>

<maml:list class="ordered">
<maml:listItem><maml:para>A rule for the outbound traffic for the tunnel. The rule for the outbound traffic is configured with both a filter list that describes the traffic to be sent across the tunnel and a tunnel endpoint of an IP address configured on the IPsec tunnel peer (the computer or router on the other side of the tunnel).</maml:para></maml:listItem>
<maml:listItem><maml:para>A rule for the inbound traffic for the tunnel. The rule for the inbound traffic is configured with both a filter list that describes the traffic to be received across the tunnel and a tunnel endpoint of a local IP address (the computer or router on this side of the tunnel).</maml:para></maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>You must create both an inbound and an outbound rule for each tunnel connection. If a filter is created for only one direction, the rule will not be applied.</maml:para></maml:alertSet>

<maml:para>When creating a policy for a computer running Windows Vista or a later version of Windows, you can specify either an IPv4 address or an IPv6 address. You must specify an endpoint for each side of the tunnel, and the address protocol version must be the same for both sides. That is, if you specify an IPv6 address for the source side of the tunnel, then you must also use an IPv6 address for the remote side of the tunnel.</maml:para>

<maml:para>For each rule, you must also specify filter actions, authentication methods, and other settings.</maml:para>
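
The tunnel requirements above (one rule per direction, the outbound rule pointing at the peer and the inbound rule at the local address, one address family for both sides) can be checked mechanically. The following is an added example, not part of the original help topic or any Windows tool; `TunnelRule` is a hypothetical flattened view of a rule, the addresses are constructed documentation-range values, and the reversed-filter check is an extra sanity check this example assumes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelRule:
    """Hypothetical flattened view of one tunnel rule (not a Windows structure)."""
    direction: str        # "outbound" or "inbound"
    src: str              # source network in the rule's filter list
    dst: str              # destination network in the rule's filter list
    tunnel_endpoint: str  # tunnel endpoint configured on the rule


def check_tunnel(rules, local_ip, peer_ip):
    """Return a list of findings for the rules that make up one tunnel."""
    findings = []
    local = ipaddress.ip_address(local_ip)
    peer = ipaddress.ip_address(peer_ip)

    # Both sides of the tunnel must use the same address protocol version.
    if local.version != peer.version:
        findings.append(
            f"endpoint versions differ: local is IPv{local.version}, "
            f"peer is IPv{peer.version}")

    by_dir = {}
    for rule in rules:
        if rule.direction in by_dir:
            findings.append(f"more than one {rule.direction} rule")
        by_dir.setdefault(rule.direction, rule)

    # A tunnel needs one rule per direction; a single direction is not applied.
    for direction in ("outbound", "inbound"):
        if direction not in by_dir:
            findings.append(
                f"missing {direction} rule: the tunnel will not be applied")

    # The outbound rule names the peer's address, the inbound rule the local one.
    expected = {"outbound": peer, "inbound": local}
    for direction, want in expected.items():
        rule = by_dir.get(direction)
        if rule is None:
            continue
        got = ipaddress.ip_address(rule.tunnel_endpoint)
        if got != want:
            findings.append(
                f"{direction} rule endpoint is {got}, expected {want}")

    # Assumption of this example: the inbound filter should describe the
    # same traffic as the outbound filter with source and destination swapped.
    out, inn = by_dir.get("outbound"), by_dir.get("inbound")
    if out and inn:
        reversed_ok = (
            ipaddress.ip_network(out.src) == ipaddress.ip_network(inn.dst)
            and ipaddress.ip_network(out.dst) == ipaddress.ip_network(inn.src))
        if not reversed_ok:
            findings.append(
                "inbound filter is not the reverse of the outbound filter")
    return findings


# Constructed sample data (documentation address ranges).
LOCAL, PEER = "192.0.2.1", "198.51.100.1"
GOOD = [
    TunnelRule("outbound", "10.1.0.0/16", "10.2.0.0/16", PEER),
    TunnelRule("inbound", "10.2.0.0/16", "10.1.0.0/16", LOCAL),
]
ONE_WAY = GOOD[:1]
SWAPPED = [
    TunnelRule("outbound", "10.1.0.0/16", "10.2.0.0/16", LOCAL),
    TunnelRule("inbound", "10.2.0.0/16", "10.1.0.0/16", PEER),
]

if __name__ == "__main__":
    for label, rules in (("good", GOOD), ("one-way", ONE_WAY), ("swapped", SWAPPED)):
        print(label, check_tunnel(rules, LOCAL, PEER))
```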

</maml:introduction><maml:content><maml:sections></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>IPsec Rules</maml:linkText><maml:uri href="mshelp://windows/?id=e2851bb4-63d0-4c18-b0cc-7b6f6458a6e4"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Creating and Using IPsec Policies</maml:title><maml:introduction>
<maml:para>IPsec is a framework of open standards for ensuring private, secure communications over IP networks through the use of cryptographic security services. The Microsoft Windows implementation of IPsec is based on standards developed by the Internet Engineering Task Force (IETF) IPsec working group.</maml:para>
<maml:para>IPsec establishes trust and security from a source IP address to a destination IP address. The only computers that must know about the traffic being secured are the sending and receiving computers. Each computer handles security at its respective end with the assumption that the medium over which the communication takes place is not secure. Computers that only route data from source to destination are not required to support IPsec unless firewall-type packet filtering or network address translation (NAT) is performed between the two computers.</maml:para>
<maml:para>You can use the IP Security Policy snap-in to create, edit, and assign IPsec policies on this computer and remote computers.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>This documentation is intended to provide enough information to understand and use the IP Security Policy snap-in. Information about designing and deploying policies is beyond the scope of this documentation.</maml:para></maml:alertSet>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>About IPsec policies</maml:title><maml:introduction>
<maml:para>IPsec policies are used to configure IPsec security services. The policies provide varying levels of protection for most traffic types in most existing networks. You can configure IPsec policies to meet the security requirements of a computer, organizational unit (OU), domain, site, or global enterprise. You can use the IP Security Policies snap-in provided in this version of Windows to define IPsec policies for computers through Group Policy objects (for domain members) or on the local computer or for remote computers.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title><maml:para>The IP Security Policy snap-in can be used to create IPsec policies that can be applied to computers running Windows Vista and later versions of Windows, but this snap-in does not use new security algorithms and other new features available in Windows Vista and later versions of Windows. To create IPsec policies for these computers, use the Windows Firewall with Advanced Security snap-in. The Windows Firewall with Advanced Security snap-in does not create policies that can be applied to earlier versions of Windows.</maml:para></maml:alertSet>

<maml:para>An IPsec policy consists of general IPsec policy settings and rules. General IPsec policy settings apply, regardless of which rules are configured. These settings determine the name of the policy, its description for administrative purposes, key exchange settings, and key exchange methods. One or more IPsec rules determine the types of traffic IPsec must examine, how traffic is treated, how to authenticate an IPsec peer, and other settings.</maml:para>

<maml:para>After the policies are created, they can be applied at the domain, site, OU, and local level. Only one policy can be active on a computer at one time. Policies distributed and applied using Group Policy objects override local policies.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>IPsec Policy snap-in tasks</maml:title><maml:introduction>
<maml:para>This section includes some of the most common tasks that you might perform using the IP Security Policies snap-in.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title>Creating a policy</maml:title><maml:introduction>
<maml:para>Unless you are creating policies on only one computer and its IPsec peer, you will probably have to create a set of IPsec policies to fit your IT environment. The process of designing, creating, and deploying policies can be complex, depending on the size of your domain, the homogeneity of the computers in the domain, and other factors.</maml:para>
<maml:para>Typically, the process is as follows:</maml:para>
<maml:list class="ordered">
<maml:listItem><maml:para>Create IP filter lists that match the computers, subnets, and conditions in your environment.</maml:para></maml:listItem>
<maml:listItem><maml:para>Create filter actions that correspond to how you want connections to be authenticated, data integrity to be applied, and data to be encrypted. The filter action can also be either <maml:ui>Block</maml:ui> or <maml:ui>Permit</maml:ui>, regardless of other criteria. The Block action takes priority over other actions.</maml:para></maml:listItem>
<maml:listItem><maml:para>Create a set of policies that match the filtering and filter action (security) requirements you need.</maml:para></maml:listItem>
<maml:listItem><maml:para>First, deploy policies that use <maml:ui>Permit</maml:ui> and <maml:ui>Block</maml:ui> filter actions and then monitor your IPsec environment for issues that might require the adjustment of these policies.</maml:para></maml:listItem>
<maml:listItem><maml:para>Deploy the policies using the <maml:ui>Negotiate Security</maml:ui> filter action with the option to fall back to clear text communications. This allows you to test the operation of IPsec in your environment without disrupting communications.</maml:para></maml:listItem>
<maml:listItem><maml:para>As soon as you have made any required refinements to the policies, remove the fall back to clear text communications action, where appropriate. This will cause the policies to require authentication and security before a connection can be created.</maml:para></maml:listItem>
<maml:listItem><maml:para>Monitor the environment for communications that are not taking place, which might be indicated by a sudden increase in the Main Mode Negotiation Failures statistic.</maml:para></maml:listItem>
</maml:list>

<maml:procedure><maml:title>To create a new IPsec policy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the IP Security Policies node, and then click <maml:ui>Create IP Security Policy</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the IP Security Policy Wizard, click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Type a name and a description (optional) of the policy, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Either select the <maml:ui>Activate the default response rule</maml:ui> check box or leave it unselected, and then click <maml:ui>Next</maml:ui>.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The default response rule can be used only for policies that are applied to Windows XP and Windows Server 2003 and earlier. Later versions of Windows cannot use the default response rule.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If you are using the default response rule, select an authentication method, and then click <maml:ui>Next</maml:ui>.</maml:para>
<maml:para>For more information about the default response rule, see <maml:navigationLink><maml:linkText>IPsec Rules</maml:linkText><maml:uri href="mshelp://windows/?id=e2851bb4-63d0-4c18-b0cc-7b6f6458a6e4"></maml:uri></maml:navigationLink>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Leave the <maml:ui>Edit properties</maml:ui> check box selected, and then click <maml:ui>Next</maml:ui>. You can add rules to the policy as needed.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>

<maml:section><maml:title>Add or change a rule to a policy</maml:title><maml:introduction>
<maml:procedure><maml:title>To add a policy rule</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the IPsec policy, and then click <maml:ui>Properties</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If you want to create the rule in the property dialog box, clear the <maml:ui>Use Add Wizard </maml:ui>check box. To use the wizard, leave the check box selected. Click <maml:ui>Add</maml:ui>. The following instructions are for creating a rule using the dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>New Rule Properties</maml:ui> dialog box, on the <maml:ui>IP Filter List</maml:ui> tab, select the appropriate filter list, or click <maml:ui>Add</maml:ui> to add a new filter list. If you have already created filter lists, they will appear in the IP Filter Lists list. For more information about creating and using filter lists, see <maml:navigationLink><maml:linkText>Filter Lists</maml:linkText><maml:uri href="mshelp://windows/?id=bbd8817c-a8ca-4f6a-9712-d7c190d211e3"></maml:uri></maml:navigationLink>.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Only one filter list can be used per rule.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Filter Action</maml:ui> tab, select the appropriate filter action, or click <maml:ui>Add</maml:ui> to add a new filter action. For more information about creating and using filter actions, see <maml:navigationLink><maml:linkText>Filter Actions</maml:linkText><maml:uri href="mshelp://windows/?id=813b928a-e67b-4e35-a5f8-d1e352a5609f"></maml:uri></maml:navigationLink>.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Only one filter action can be used per rule.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Authentication Methods</maml:ui> tab, select the appropriate method, or click <maml:ui>Add</maml:ui> to add a new method. For more information about creating and using authentication methods, see <maml:navigationLink><maml:linkText>IPsec Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=f66ee267-2f51-46e8-a841-aa5220ca35ee"></maml:uri></maml:navigationLink>.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>You can use several methods per rule. The methods are attempted in the order in which they appear in the list. If you specify that certificates are used, put them together in the list in the order you want them to be used.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Connection Type</maml:ui> tab, select the connection type to which the rule applies. For more information about connection types, see <maml:navigationLink><maml:linkText>IPsec Connection Type</maml:linkText><maml:uri href="mshelp://windows/?id=ccdd1c18-471d-4226-9618-253042819909"></maml:uri></maml:navigationLink>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If you are using a tunnel, specify the endpoints on the <maml:ui>Tunnel Settings</maml:ui> tab. By default, no tunnel is used. For more information about using tunnels, see <maml:navigationLink><maml:linkText>IPsec Tunnel Settings</maml:linkText><maml:uri href="mshelp://windows/?id=1f44770d-8fd9-41bd-a835-faaf550ca32d"></maml:uri></maml:navigationLink>. Tunnel rules cannot be mirrored.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>When all the settings are complete, click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>

<maml:procedure><maml:title>To change a policy rule</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the IPsec policy, and then click <maml:ui>Properties</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Policy Properties</maml:ui> dialog box, select the rule, and then click <maml:ui>Edit</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Edit Rule Properties</maml:ui> dialog box, on the <maml:ui>IP Filter List</maml:ui> tab, select the appropriate filter list, or click <maml:ui>Add</maml:ui> to add a new filter list. For more information about creating and using filter lists, see <maml:navigationLink><maml:linkText>Filter Lists</maml:linkText><maml:uri href="mshelp://windows/?id=bbd8817c-a8ca-4f6a-9712-d7c190d211e3"></maml:uri></maml:navigationLink>.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Only one filter list can be used per rule.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Filter Action</maml:ui> tab, select the appropriate filter action, or click <maml:ui>Add</maml:ui> to add a new filter list. For more information about creating and using filter actions, see <maml:navigationLink><maml:linkText>Filter Actions</maml:linkText><maml:uri href="mshelp://windows/?id=813b928a-e67b-4e35-a5f8-d1e352a5609f"></maml:uri></maml:navigationLink>.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Only one filter action can be used per rule.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Authentication Methods</maml:ui> tab, select the appropriate method or click <maml:ui>Add</maml:ui> to add a new method. For more information about creating and using authentication methods, see <maml:navigationLink><maml:linkText>IPsec Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=f66ee267-2f51-46e8-a841-aa5220ca35ee"></maml:uri></maml:navigationLink>.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>You can use several methods per rule. The methods are attempted in the order in which they appear in the list.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Connection Type</maml:ui> tab, select the connection type to which the rule applies. For more information about connection types, see <maml:navigationLink><maml:linkText>IPsec Connection Type</maml:linkText><maml:uri href="mshelp://windows/?id=ccdd1c18-471d-4226-9618-253042819909"></maml:uri></maml:navigationLink>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If you are using a tunnel, specify the endpoints on the <maml:ui>Tunnel Settings</maml:ui> tab. By default, no tunnel is used. For more information about using tunnels, see <maml:navigationLink><maml:linkText>IPsec Tunnel Settings</maml:linkText><maml:uri href="mshelp://windows/?id=1f44770d-8fd9-41bd-a835-faaf550ca32d"></maml:uri></maml:navigationLink>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>When all the settings are complete, click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>

<maml:section><maml:title>Assigning a policy</maml:title><maml:introduction>
<maml:procedure><maml:title>To assign a policy to this computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the policy, and then click <maml:ui>Assign</maml:ui>.</maml:para>
<maml:alertSet class="note"><maml:title>Notes </maml:title><maml:alert>Only one policy can be assigned to a computer at a time. Assigning another policy will automatically unassign the currently assigned policy. Group Policy on your domain might assign another policy to this computer and ignore the local policy.</maml:alert><maml:alert>For a computer-to-computer IPsec policy to be successful, you must create a mirrored policy on the other computer and assign that policy to that computer.</maml:alert><maml:alert>To assign this policy to many computers, use Group Policy.</maml:alert></maml:alertSet>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>IPsec Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=f66ee267-2f51-46e8-a841-aa5220ca35ee"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>IPsec Connection Type</maml:linkText><maml:uri href="mshelp://windows/?id=ccdd1c18-471d-4226-9618-253042819909"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>IPsec Tunnel Settings</maml:linkText><maml:uri href="mshelp://windows/?id=1f44770d-8fd9-41bd-a835-faaf550ca32d"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Filter Actions</maml:linkText><maml:uri href="mshelp://windows/?id=813b928a-e67b-4e35-a5f8-d1e352a5609f"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Filter Lists</maml:linkText><maml:uri href="mshelp://windows/?id=bbd8817c-a8ca-4f6a-9712-d7c190d211e3"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>IPsec Rules</maml:linkText><maml:uri href="mshelp://windows/?id=e2851bb4-63d0-4c18-b0cc-7b6f6458a6e4"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Filter Actions</maml:title><maml:introduction>
<maml:para>A filter action defines the security requirements for the data transmission. Filter actions can be defined when you create a policy or before you create a policy. Filter lists are available to any policy. To define a filter list, right-click the IP Security Policy node and select <maml:ui>Manage filter lists and filter actions</maml:ui>.</maml:para>
<maml:para>A filter action can be configured to:</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Permit traffic</maml:title><maml:introduction>
<maml:para>IPsec passes this traffic to and from the TCP/IP driver without modification or the requirement for security. This is appropriate for traffic from computers that are not IPsec-capable. Be sure to limit the IP filter list to a minimal scope when using this type of filter action, so that you do not permit traffic that should be secured.</maml:para>
<maml:para>Consider allowing ICMP traffic for troubleshooting purposes. You might also need to allow a computer that is not in your domain (for example, a consultant's computer) access to another computer in your domain. You can use the permit filter action to allow this access.</maml:para>
<maml:alertSet class="important"><maml:title>Important </maml:title><maml:para>The permit filter action allows access without authentication, data integrity, or encryption. Anyone using a computer with the IP address specified in the filter list is given the access. All traffic between the computers is done in plaintext; no integrity checks are performed.</maml:para></maml:alertSet>
</maml:introduction></maml:section><maml:section><maml:title>Block traffic</maml:title><maml:introduction>
<maml:para>IPsec silently discards blocked traffic. When using a blocking filter action, be sure to use an IP filter list that defines the correct scope of IP addresses. Using larger scopes increases the chance of blocking traffic between valid computers.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Negotiate security</maml:title><maml:introduction>
<maml:para>If you enable the <maml:ui>Accept unsecured communication, but always respond using IPSec</maml:ui> option, IPsec attempts to negotiate security associations (SAs) and the sending or receiving of IPsec-protected traffic. However, if the peer cannot use IPsec, the communication will be allowed without IPsec protection. After you choose this filter action, you can also configure the following:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Security methods and their order. This list of methods defines in which order the methods will be attempted. The first successful method will be used and the remaining methods will not be attempted. Typically, the list should be ordered from highest security to lowest security, so that the most secure method is used.</maml:para></maml:listItem>
<maml:listItem><maml:para>Acceptance of initial incoming unsecured traffic (<maml:ui>Accept unsecured communication, but always respond using IPSec</maml:ui>). IPsec allows an incoming packet that matches the configured filter list to be unsecured (that is, not protected by IPsec). However, the outgoing response to the incoming packet must be protected. This setting is useful when you are using the default response rule for clients. When a group of servers are configured with a rule that secures communications with any IP address and accepts unsecured communication, responding with only secured communications, enabling the default response rule on client computers ensures that the clients will respond to the server request to negotiate security. To prevent denial-of-service attacks, this option should be disabled for secure computers connected to the Internet.</maml:para></maml:listItem>
<maml:listItem><maml:para>Enabling of communication with non-IPsec-enabled computers (<maml:ui>Allow unsecured communication if a secure connection cannot be established</maml:ui>). IPsec falls back to unsecured communication, if necessary. Again, you should limit the IP filter list to a minimal scope. Otherwise, if negotiation fails for any reason, any communications affected by the rule in which this filter action resides could result in data being sent without security. If you are concerned about unsecured communication, you might consider disabling these settings. However, communication with computers that cannot initiate IPsec, such as legacy systems, might be blocked. To prevent denial-of-service attacks, this option should be disabled for secure computers connected to the Internet.</maml:para></maml:listItem>
<maml:listItem><maml:para>Generation of quick mode session keys from new main mode keying material (<maml:ui>Session key perfect forward secrecy (PFS)</maml:ui>). Enabling session key PFS ensures that main mode master keying material cannot be used to derive more than one quick mode session key. When quick mode PFS is enabled, a new Diffie-Hellman key exchange is performed to generate new main mode master keying material before the new quick mode key is created. Session key (quick mode) PFS does not require main mode reauthentication and uses fewer resources than master key (main mode) PFS.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section><maml:title>IPsec security methods</maml:title><maml:introduction>
<maml:para>Each security method defines the security requirements of any communications to which the associated rule applies. Creating multiple security methods increases the chance that a common method can be found between two computers. The Internet Key Exchange (IKE) component reads the list of security methods in descending order and sends a list of allowed security methods to the other peer. The first method in common is selected. Typically, the most secure methods appear at the top of the list; the least secure methods appear at the bottom of the list.</maml:para>
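
Because the first method in common wins, list order decides what is actually negotiated. The following is an added example, not Microsoft code and not the IKE implementation: it models "first method in common" as walking the sender's list in order, and the `strength` ranking, the `Method` type and the sample lists are assumptions constructed for illustration. It flags DES and MD5, which this documentation describes as no longer considered secure.

```python
from typing import NamedTuple, Optional


class Method(NamedTuple):
    """Hypothetical representation of one security method."""
    encryption: Optional[str]  # "3DES", "DES", or None for integrity only
    integrity: str             # "SHA1" or "MD5"


# Assumed ranking for this example: higher means stronger.
ENC_RANK = {None: 0, "DES": 1, "3DES": 2}
INT_RANK = {"MD5": 1, "SHA1": 2}
WEAK = {"DES", "MD5"}  # described on this page as no longer considered secure


def strength(method):
    """Sort key: encryption strength first, then integrity strength."""
    return (ENC_RANK[method.encryption], INT_RANK[method.integrity])


def negotiate(offered, accepted):
    """Return the first offered method that the other peer also allows."""
    allowed = set(accepted)
    for method in offered:
        if method in allowed:
            return method
    return None  # no method in common: negotiation fails


def audit(methods):
    """Flag weak algorithms and entries that outrank the entry above them."""
    findings = []
    for pos, method in enumerate(methods, start=1):
        weak = sorted(WEAK.intersection({method.encryption, method.integrity}))
        if weak:
            findings.append(f"position {pos}: uses {', '.join(weak)}")
        if pos > 1 and strength(method) > strength(methods[pos - 2]):
            findings.append(f"position {pos}: stronger than the method above it")
    return findings


def strongest_first(methods):
    """Return the list reordered from highest to lowest security."""
    return sorted(methods, key=strength, reverse=True)


# Constructed sample lists: both peers support 3DES/SHA1, but the first
# list puts the legacy method on top.
MISORDERED = [Method("DES", "MD5"), Method("3DES", "SHA1")]
PEER = [Method("3DES", "SHA1"), Method("DES", "MD5")]

if __name__ == "__main__":
    print("as configured:", negotiate(MISORDERED, PEER))
    print("audit:", audit(MISORDERED))
    print("reordered:", negotiate(strongest_first(MISORDERED), PEER))
```

With the legacy method listed first, DES/MD5 is selected even though both peers support 3DES/SHA1; reordering fixes the selection, and the audit still reports the weak entry so it can be removed where interoperability does not require it.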
</maml:introduction>
<maml:sections>
<maml:section><maml:title>Predefined security methods</maml:title><maml:introduction>
<maml:para>The following security methods are predefined:</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title>Encryption and Integrity</maml:title><maml:introduction>
<maml:para>Uses the ESP protocol to provide data confidentiality (encryption) with the triple Data Encryption Standard (3DES) algorithm, data integrity and authentication with the Secure Hash Algorithm 1 (SHA1) integrity algorithm, and default key lifetimes (100 megabytes (MB), 1 hour). If you require both data and addressing (IP header) protection, you can create a custom security method. If you do not require encryption, use Integrity only.</maml:para>
</maml:introduction></maml:section>

<maml:section><maml:title>Integrity only</maml:title><maml:introduction>
<maml:para>Uses the ESP protocol to provide data integrity and authentication with the SHA1 integrity algorithm and default key lifetimes (100 MB, 1 hour). In this configuration, ESP does not provide data confidentiality (encryption).</maml:para>
</maml:introduction></maml:section>

<maml:section><maml:title>Custom security methods</maml:title><maml:introduction>
<maml:para>If the predefined Encryption and Integrity or Integrity only settings do not meet your security requirements, you can specify custom security methods. For example, you can use custom methods when encryption and address integrity, stronger algorithms, or key lifetimes must be specified. When configuring a custom security method, you can configure the following:</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title>Security protocols</maml:title><maml:introduction>
<maml:para>Both AH (data and address integrity without encryption) and ESP (data integrity and encryption) can be enabled in a custom security method when you require IP header integrity and data encryption. If you choose to enable both, you do not need to specify an integrity algorithm for ESP.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The AH protocol cannot be used over network address translation (NAT) devices because it uses a hash of the header. NAT devices alter the header, so the packet will not authenticate properly.</maml:para></maml:alertSet>
</maml:introduction></maml:section>

<maml:section><maml:title>Integrity algorithm</maml:title><maml:introduction>
<maml:para>Message Digest 5 (MD5), which uses a 128-bit key. This algorithm is no longer considered secure and should be used only when interoperability requires its use.</maml:para>
<maml:para>SHA1, which uses a 160-bit key. SHA1 is a stronger hash than MD5 and is compliant with the Federal Information Processing Standard (FIPS).</maml:para>
</maml:introduction></maml:section>

<maml:section><maml:title>Encryption algorithm</maml:title><maml:introduction>
<maml:para>3DES is the most secure of the DES combinations and somewhat slower in performance. 3DES processes each block three times, using three unique 56-bit keys.</maml:para>
<maml:para>DES uses a single 56-bit key and is used when the higher security and overhead of 3DES is not required. This algorithm is no longer considered secure and should only be used when interoperability requires it.</maml:para>
<maml:para>Session key (quick mode) settings determine when, not how, a new key is generated. You can specify a lifetime in kilobytes (KB), seconds, or both. For example, if the communication takes 10,000 seconds and you specify the key lifetime as 1000 seconds, 10 keys will be generated to complete the transfer. This ensures that, even if an attacker manages to determine one session key and decipher part of a communication, the attacker cannot decipher the entire communication. By default, new quick mode keys are generated for every 100 MB of data or every hour. Any time a key lifetime is reached, the SA, in addition to the key refresh or regeneration, is also renegotiated.</maml:para>
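<maml:para>The checks below are an added example, not part of the original help topic: a Python sketch that audits an ordered list of security methods against the guidance in this section (DES and MD5 for interoperability only, AH not usable across NAT, the 100 MB and 1 hour default lifetimes, methods attempted in list order). The dictionary layout, function names and sample methods are constructed for illustration and are not an export format of the IP Security Policy snap-in.</maml:para>

```python
# Constructed representation of security methods; not a snap-in export format.
WEAK_ALGORITHMS = {"DES", "MD5"}      # "no longer considered secure" per the text
DEFAULT_LIFETIME_KB = 100 * 1024      # predefined methods: 100 MB
DEFAULT_LIFETIME_S = 3600             # predefined methods: 1 hour

SAMPLE_METHODS = [                    # constructed sample, in negotiation order
    {"name": "legacy-interop", "esp_encryption": "DES",
     "esp_integrity": "MD5", "lifetime_kb": 512000},
    {"name": "encryption-and-integrity", "esp_encryption": "3DES",
     "esp_integrity": "SHA1"},
    {"name": "header-and-data", "ah": "SHA1", "esp_encryption": "3DES"},
    {"name": "integrity-only", "esp_integrity": "SHA1"},
]


def uses_weak_algorithm(method):
    algorithms = (method.get("ah"), method.get("esp_integrity"),
                  method.get("esp_encryption"))
    return any(alg in WEAK_ALGORITHMS for alg in algorithms)


def method_findings(method, crosses_nat):
    """Findings for one security method, independent of its list position."""
    findings = []
    for key in ("ah", "esp_integrity", "esp_encryption"):
        alg = method.get(key)
        if alg in WEAK_ALGORITHMS:
            findings.append(f"{alg} is no longer considered secure; "
                            "keep only where interoperability requires it")
    if method.get("ah") and crosses_nat:
        findings.append("AH cannot be used across NAT: the device alters "
                        "the header that AH hashes")
    if not method.get("esp_encryption"):
        findings.append("no confidentiality: this method is integrity only")
    # ESP may omit its integrity algorithm only when AH is also enabled.
    if not method.get("ah") and not method.get("esp_integrity"):
        findings.append("no integrity algorithm on ESP and AH is not enabled")
    if method.get("lifetime_kb", DEFAULT_LIFETIME_KB) > DEFAULT_LIFETIME_KB:
        findings.append("session key protects more than the 100 MB default")
    if method.get("lifetime_s", DEFAULT_LIFETIME_S) > DEFAULT_LIFETIME_S:
        findings.append("session key lives longer than the 1 hour default")
    return findings


def audit(methods, crosses_nat=False):
    """Return {method name: [findings]} for an ordered list of methods."""
    report = {}
    first_weak = None
    for method in methods:
        findings = method_findings(method, crosses_nat)
        if uses_weak_algorithm(method):
            if first_weak is None:
                first_weak = method["name"]
        elif first_weak is not None:
            # Methods are attempted in list order, so a weaker method
            # placed earlier is offered before this one.
            findings.append(f"listed after weaker method {first_weak!r}; "
                            "methods are attempted in list order")
        report[method["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_METHODS, crosses_nat=True).items():
        print(name)
        for finding in findings or ["ok"]:
            print("   ", finding)
```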

<maml:procedure><maml:title>To create a filter action using the New Rule Properties dialog box</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Rules</maml:ui> tab of the <maml:ui>IP Security Policy Properties</maml:ui> dialog, clear the <maml:ui>Use Add Wizard </maml:ui>check box if you want to create the filter action in the property dialog box. If you want to use the wizard, leave the check box selected. Click <maml:ui>Add</maml:ui>. The following instructions are for creating a filter list using the dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Filter Action</maml:ui> tab of the <maml:ui>Rule Properties</maml:ui> dialog box, clear the <maml:ui>Use Add Wizard</maml:ui> check box and click <maml:ui>Add</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Security Methods</maml:ui> tab, select the method (action) that the rule will use.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>(Optional) On the <maml:ui>Description</maml:ui> tab, type a description of the filter action. This description can help you sort through filter actions and allows you to quickly identify the filter action without having to open its properties.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Repeat steps 4 through 8 to add additional filter actions to the list.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Although the rule can list several filter actions, only one filter action can be used per rule.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Filter Action</maml:ui> tab, select the appropriate filter action for the rule and click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:procedure><maml:title>To create a filter action using the Manage filter lists and filter actions dialog box</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the IP Security Policy node and select <maml:ui>Manage IP filter lists and filter actions</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Manage Filter Actions</maml:ui> tab, clear the <maml:ui>Use Add Wizard </maml:ui>check box if you want to create the filter action using the property dialog box. If you want to use the wizard, leave the check box selected. Click <maml:ui>Add</maml:ui>. The following instructions are for creating a filter list using the dialog box. The directions below do not use the wizard.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Security Methods</maml:ui> tab, select the method and click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If you selected the Negotiate security option, you can add multiple methods and specify the order they will be attempted. To do this click <maml:ui>Add</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>(Optional) On the <maml:ui>Description</maml:ui> tab, type a description of the filter. 
This description can help you sort through filters and allows you to quickly identify the filter without having to open its properties.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Repeat steps 4 through 8 to add filter actions to the list.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Filter Lists</maml:linkText><maml:uri href="mshelp://windows/?id=bbd8817c-a8ca-4f6a-9712-d7c190d211e3"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>IPsec Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=f66ee267-2f51-46e8-a841-aa5220ca35ee"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>IPsec Key Exchange</maml:title><maml:introduction>
<maml:para>Before secured data can be exchanged, a contract must be established between the two computers. In this contract, called a security association (SA), both agree on how to exchange and protect information.</maml:para>
<maml:para>A key is a secret code or number that is required to read, modify, or verify secured data. Keys are used in conjunction with algorithms (a mathematical process) to secure data. In IPsec, there are two phases or modes that use keys. Main mode occurs first and generates a shared master key that the two parties can use to exchange keying information in a secure way. Quick mode uses the master key to secure the establishment of one or more session keys that are used for data integrity or encryption.</maml:para>

<maml:para>Windows handles key generation automatically and implements the following keying properties that maximize protection:</maml:para>
<maml:alertSet class="important"><maml:title>Important </maml:title><maml:para>The IP Security Policy snap-in can be used to create IPsec policies that can be applied to computers running Windows Vista and later versions of Windows, but this snap-in does not use the new security algorithms and other new features available in computers running those later versions of Windows. To create IPsec policies for these computers, use the Windows Firewall with Advanced Security snap-in. The Windows Firewall with Advanced Security snap-in does not create policies that can be applied to earlier versions of Windows.</maml:para>
</maml:alertSet></maml:introduction><maml:content><maml:sections><maml:section><maml:title>Dynamic rekeying</maml:title><maml:introduction>
<maml:para>IPsec uses a method called dynamic rekeying to control how often a new key is generated during communication. The communication is sent in blocks; each block of data is secured with a different key. This prevents an attacker who has obtained part of a communication and the corresponding session keys from obtaining the remainder of the communication. This on-demand security negotiation and automatic key management service is provided using Internet Key Exchange (IKE), as defined in RFC 2409.</maml:para>
<maml:para>IPsec allows you to control how often a new key is generated. If no values are configured, keys are regenerated automatically at default intervals.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Key lengths</maml:title><maml:introduction>
<maml:para>Every time the length of a key is increased by one bit, the number of possible keys doubles, making it exponentially more difficult to determine the key. IPsec provides multiple algorithms to allow for short or long key lengths.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Key material generation: Diffie-Hellman algorithm</maml:title><maml:introduction>
<maml:para>To enable secure communication, two computers must be able to gain the same shared key (quick mode, or session key), without sending the key across a network and compromising the secret.</maml:para>
<maml:para>The Diffie-Hellman algorithm (DH) is one of the oldest and most secure algorithms used for key exchange. The two parties publicly exchange keying information, which Windows additionally protects with a hash function signature. Neither party ever exchanges the actual key; however, after their exchange of keying material, each is able to generate the identical shared key.</maml:para>
<maml:para>DH keying material exchanged by the two parties can be based on 768, 1024, or 2048 bits of keying material, known as DH groups. The strength of the DH group is proportional to the strength of the key computed from the DH exchange. Strong DH groups combined with longer key lengths increase the degree of computational difficulty involved in determining the key.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>On the <maml:ui>IKE Security Algorithms</maml:ui> dialog box, 768 bits corresponds to the <maml:ui>Low (1)</maml:ui> setting and 1024 bits to the <maml:ui>Medium (2)</maml:ui> setting.</maml:para></maml:alertSet>
<maml:para>IPsec uses the DH algorithm to provide the keying material for all other encryption keys. DH does not provide authentication. The Microsoft Windows implementation of IPsec authenticates identities after the DH exchange takes place, providing protection against man-in-the-middle attacks.</maml:para>
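<maml:para>An added example, not from the original help topic: a Python sketch of the exchange described above using the 1024-bit group from RFC 2409 (the Medium (2) setting), showing that both peers derive the same key from public values alone and that authenticating those values exposes a substituted one. The preshared-key HMAC-SHA256 check, the SHA-256 key derivation and all function names are illustrative assumptions and are simpler than IKE's actual authentication payloads.</maml:para>

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of the second Oakley group (RFC 2409), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
SIZE = 128  # bytes in a 1024-bit value


def keypair():
    """Return (private exponent, public value g^x mod p)."""
    private = secrets.randbelow(P - 3) + 2      # uniform in 2..p-2
    return private, pow(G, private, P)


def shared_key(private, peer_public):
    """Derive the key locally; only public values ever cross the network."""
    if not (peer_public > 1 and P - 1 > peer_public):
        raise ValueError("peer public value outside 2..p-2")
    secret = pow(peer_public, private, P)
    return hashlib.sha256(secret.to_bytes(SIZE, "big")).digest()


def auth_tag(psk, role, sent_public, received_public):
    """Bind a proof of identity to the public values this peer handled."""
    transcript = (role
                  + sent_public.to_bytes(SIZE, "big")
                  + received_public.to_bytes(SIZE, "big"))
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def exchange(psk, substitute_public_values=False):
    """Run one exchange; return (keys_match, authentication_ok)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    seen_by_a, seen_by_b = b_pub, a_pub
    if substitute_public_values:
        # Constructed failure case: a device on the path replaces both
        # public values with its own before forwarding them.
        _, m_pub = keypair()
        seen_by_a = seen_by_b = m_pub
    key_a = shared_key(a_priv, seen_by_a)
    key_b = shared_key(b_priv, seen_by_b)
    # Each peer proves its identity over the values it sent and received.
    tag_from_a = auth_tag(psk, b"initiator", a_pub, seen_by_a)
    tag_from_b = auth_tag(psk, b"responder", b_pub, seen_by_b)
    # The receiver recomputes the tag from its own view of the exchange.
    a_accepts = hmac.compare_digest(
        tag_from_b, auth_tag(psk, b"responder", seen_by_a, a_pub))
    b_accepts = hmac.compare_digest(
        tag_from_a, auth_tag(psk, b"initiator", seen_by_b, b_pub))
    return key_a == key_b, a_accepts and b_accepts


if __name__ == "__main__":
    psk = b"constructed-preshared-key"
    print("untouched exchange:  ", exchange(psk))
    print("substituted exchange:", exchange(psk, substitute_public_values=True))
```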
</maml:introduction></maml:section><maml:section><maml:title>Key protection</maml:title><maml:introduction>
<maml:para>The following features enhance the base prime numbers (keying material) and the strength of the keys for the master and session keys.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title>Key lifetimes</maml:title><maml:introduction>
<maml:para>Key lifetimes determine when, rather than how, a new key is generated. Also known as dynamic rekeying or key regeneration, a key lifetime allows you to force a key regeneration after a specified interval. For example, if a communication takes 10,000 seconds and you specify a key lifetime of 1,000 seconds, 10 keys are generated to complete the communication. This ensures that even if an attacker is able to decipher part of a communication, the remainder of the communication is protected. Key lifetimes can be specified for both the master and session keys. Whenever a key lifetime is reached, the SA is also renegotiated. In addition, the key is refreshed or regenerated. The amount of data processed by a single key should not exceed 100 megabytes (MB).</maml:para>
</maml:introduction></maml:section>

<maml:section><maml:title>Session key refresh limit</maml:title><maml:introduction>
<maml:para>A quick mode session key refresh limit is used because the repeated rekeying from a quick mode session key can compromise the Diffie-Hellman shared secret.</maml:para>
<maml:para>For example, Alice on Computer A sends a message to Bob on Computer B, and then sends another message to Bob a few minutes later. Because an SA was recently established, the same session key material might be reused. If you want to limit the number of times this occurs, set the session key refresh limit to a low number.</maml:para>
<maml:para>If you have enabled master key perfect forward secrecy (PFS), the quick mode session key refresh limit is not used. Setting a session key refresh limit to 1 is identical to enabling master key PFS. If both a main mode master key lifetime and a quick mode session key refresh limit are specified, the limit reached first causes the subsequent rekey. By default, IPsec policy does not specify a session key refresh limit.</maml:para>
</maml:introduction></maml:section>

<maml:section><maml:title>Diffie-Hellman groups</maml:title><maml:introduction>
<maml:para>Diffie-Hellman (DH) groups are used to determine the length of the base prime numbers (key material) for the DH exchange. The strength of any key derived from a DH exchange depends, in part, on the strength of the DH group on which the prime numbers are based.</maml:para>
<maml:para>Each DH group defines the length of the keying material to be used. Group 1 protects 768 bits of keying material; Group 2 protects 1024 bits; Group 3 protects 2048 bits. When a larger group is used, the resulting key that is determined from a DH exchange is larger and more difficult to determine by an attacker.</maml:para>
<maml:para>IKE negotiates which group to use, based on settings you configure on the <maml:ui>IKE Security Algorithms</maml:ui> dialog box, ensuring that there are not any negotiation failures that result from a mismatched DH group between the two peers.</maml:para>
<maml:para>If session key PFS is enabled, a new DH key is negotiated in the first Quick Mode SA negotiation. This new DH key removes the dependency of the session key on the DH exchange that is performed for the master key.</maml:para>
<maml:para>If the initiator is using session key PFS, the responder is not also required to use session key PFS. However, if the initiator is not using session key PFS and the responder is using session key PFS, negotiation fails.</maml:para>
<maml:para>The DH group is the same for both the main mode and quick mode SA negotiations. When session key PFS is enabled, even though the DH group is set as part of the main mode SA negotiation, it affects any rekeys during quick mode session key establishment.</maml:para>
</maml:introduction></maml:section>

<maml:section><maml:title>Perfect forward secrecy</maml:title><maml:introduction>
<maml:para>Unlike key lifetimes, PFS determines how, rather than when, a new key is generated. Specifically, PFS ensures that the compromise of a single key permits access only to data that is protected by it, not necessarily to the entire communication. To achieve this, PFS ensures that a key used to protect a transmission, in either mode, cannot be used to generate additional keys. In addition, if the key used was derived from specific keying material, that material cannot be used to generate other keys.</maml:para>
<maml:para>Main mode master key PFS requires a reauthentication and is resource-intensive. When it is enabled, IKE must reauthenticate identities, increasing overhead for domain controllers when the Kerberos V5 authentication protocol is used for authentication. It requires a new main mode negotiation for every quick mode negotiation that occurs.</maml:para>
<maml:para>Quick mode session key PFS can be used without a reauthentication and is less resource-intensive. Session key PFS results in a DH exchange to generate new keying material. It requires only four messages and no authentication.</maml:para>
<maml:para>PFS does not have to be enabled on both peers because it is not part of the SA negotiation. If the responder requires PFS and the sender's quick mode SA expires, it simply rejects the sender's message and requires a new negotiation. The sender causes the main mode SA to expire and then renegotiates. PFS can be individually set for both the master (main mode) and session (quick mode) keys.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section><maml:title>Key exchange</maml:title><maml:introduction>
<maml:para>Before secured data can be exchanged, a contract between the two computers must be established. In this contract (SA), both agree on how to exchange and protect information.</maml:para>
<maml:para>To build this contract between the two computers, the Internet Engineering Task Force (IETF) has established the IKE method of security association and key exchange resolution, which:</maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para>Centralizes security association management, reducing connection time.</maml:para></maml:listItem>
<maml:listItem><maml:para>Generates and manages shared, secret keys that are used to secure the information.</maml:para></maml:listItem>
</maml:list>

<maml:para>This process not only protects communication between computers, it also protects remote computers that request secure access to a corporate network. In addition, this process works whenever the negotiation for the final destination computer is performed by a security gateway.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title>Security association defined</maml:title><maml:introduction>
<maml:para>An SA is the combination of a negotiated key, security protocol, and security parameters index (SPI), which together define the security used to protect the communication from sender to receiver. The SPI is a unique, identifying value in the SA that is used to distinguish among multiple security associations that exist at the receiving computer. For example, multiple associations might exist if a computer is securely communicating with multiple computers at the same time. This is a common occurrence when the computer is a file server or a remote access server that serves multiple clients. In these situations, the receiving computer uses the SPI to determine which SA is used to process the incoming packets.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title>Main mode SA</maml:title><maml:introduction>
<maml:para>To ensure successful and secure communication, IKE performs a two-phase operation. Confidentiality and authentication are ensured during each phase by the use of encryption and authentication algorithms that are agreed upon by the two computers during security negotiations. With the duties split between two phases, key creation can be rapidly accomplished.</maml:para>
<maml:para>During the first phase, the two computers establish a secure, authenticated channel. This is called the main mode SA. IKE automatically provides required identity protection during this exchange.</maml:para>
<maml:para>The following steps describe a main mode negotiation.</maml:para>

<maml:list class="ordered">
<maml:listItem><maml:para>Policy negotiation. The following four mandatory parameters are negotiated as part of the Main Mode SA:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>The encryption algorithm (DES or 3DES).</maml:para></maml:listItem>
<maml:listItem><maml:para>The hash algorithm (MD5 or SHA1).</maml:para></maml:listItem>
<maml:listItem><maml:para>The authentication method (the Kerberos V5 authentication protocol, certificate, or preshared key authentication).</maml:para></maml:listItem>
<maml:listItem><maml:para>The Diffie-Hellman (DH) group to be used for the base keying material (768 bits Low (Group 1), 1024 bits Medium (Group 2), or 2048 bits High (Group 3)).</maml:para></maml:listItem>
<maml:listItem><maml:para>If certificates or preshared keys are used for authentication, the computer identity is protected. However, if the Kerberos V5 authentication protocol is used, the computer identity is unencrypted until encryption of the entire identity payload takes place during authentication.</maml:para></maml:listItem>
</maml:list>
</maml:listItem>
<maml:listItem><maml:para>DH exchange (of public values). At no time are actual keys exchanged. Only the information required by the DH key determination algorithm to generate the shared, secret key is exchanged. After this exchange, the IKE service on each computer generates the master key that is used to protect authentication.</maml:para></maml:listItem>
<maml:listItem><maml:para>Authentication. The computers attempt to authenticate the DH key exchange. Without authenticating the DH key exchange, the communication is vulnerable to a man-in-the-middle attack. Without successful authentication, communication cannot proceed. The master key is used, in conjunction with the negotiation algorithms and methods, to authenticate identities. The entire identity payload (including the identity type, port, and protocol) is hashed and encrypted using the keys generated from the DH exchange in the second step. The identity payload, regardless of which authentication method is used, is protected from both modification and interpretation.</maml:para>
<maml:para>The sender presents an offer for a potential security association to the receiver. The responder cannot modify the offer. Should the offer be modified, the initiator rejects the responder's message. The responder sends either a reply accepting the offer or a reply with alternatives.</maml:para>
<maml:para>Messages sent during this phase have an automatic retry cycle that is repeated five times. If a response is received before the retry cycle ends, standard SA negotiation begins. If allowed by IPsec policy, unsecured communications will begin after a brief interval. This behavior is known as fall back to clear. Even if the communication falls back to clear, secure communication negotiation is attempted at five-minute intervals.</maml:para>
<maml:para>There is no limit to the number of exchanges that can take place. The number of SAs established is limited only by system resources.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section><maml:title>Quick mode SA</maml:title><maml:introduction>
<maml:para>In this phase, SAs are negotiated on behalf of the IP Security driver.</maml:para>
<maml:para>The following steps describe a quick mode negotiation.</maml:para>
<maml:list class="ordered">
<maml:listItem><maml:para>Policy negotiation occurs. The IPsec computers exchange the following requirements for securing the data transfer:</maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para>The IPsec protocol (AH or ESP)</maml:para></maml:listItem>
<maml:listItem><maml:para>The hash algorithm for integrity and authentication (MD5 or SHA1)</maml:para></maml:listItem>
<maml:listItem><maml:para>The algorithm for encryption, if requested (DES or 3DES)</maml:para></maml:listItem>
</maml:list>
<maml:para>A common agreement is reached and two SAs are established. One SA is for inbound communication and the other is for outbound communication.</maml:para>
</maml:listItem>
<maml:listItem><maml:para>Session key material is refreshed or exchanged. IKE refreshes the keying material and new shared keys are generated for packet integrity, authentication, and encryption (if negotiated). If rekeying is required, either a second DH exchange (as described in main mode negotiation) occurs, or a refresh of the original DH key is used.</maml:para></maml:listItem>
<maml:listItem><maml:para>The SAs and keys, along with the SPI, are passed to the IP Security driver. The quick mode negotiation of security settings and keying material (for the purpose of securing data) is protected by the main mode SA. As the first phase provided identity protection, the second, quick mode phase provides protection by refreshing the keying material before sending data. IKE can accommodate a key exchange payload for an additional DH exchange if a rekey is required—that is, master key PFS is enabled. Otherwise, IKE refreshes the keying material from the DH exchange completed in main mode.</maml:para>
<maml:para>Quick mode results in a pair of security associations, each with its own SPI and key. One SA is used for inbound communication, and the other for outbound communication.</maml:para>
<maml:para>The retry algorithm for a message is similar to the process described in main mode negotiation. However, if this process times out for any reason during the second or higher negotiation from the same main mode SA, a renegotiation of the main mode SA is attempted. If a message for this phase is received without an established main mode SA, it is rejected.</maml:para>
<maml:para>Using a single main mode SA for multiple quick mode SA negotiations increases the speed of the process. As long as the main mode SA does not expire, renegotiation and reauthentication are not required. The number of quick mode SA negotiations that can be performed is determined by IPsec policy settings.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Excessive rekeying from the same main mode SA might make the shared, secret key vulnerable to a known plaintext attack. A known plaintext attack is a sniffer attack in which the attacker attempts to determine the encryption key from encrypted data based on known plaintext.</maml:para></maml:alertSet>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>

<maml:section><maml:title>SA lifetimes</maml:title><maml:introduction>
<maml:para>The main mode SA is cached to allow multiple quick mode SA negotiations (unless master key PFS is enabled). When a key lifetime is reached for the master or session key, the SA is renegotiated. In addition, the key is refreshed or regenerated.</maml:para>
<maml:para>When the default timeout period elapses for the main mode SA, or the master or session key lifetime is reached, a delete message is sent to the responder. The IKE delete message tells the responder to cause the main mode SA to expire. This prevents additional new quick mode SAs from being created from the expired main mode SA. IKE does not cause the quick mode SA to expire because only the IPsec driver contains the number of seconds or bytes that have passed to reach the key lifetime.</maml:para>

<maml:para>Use caution when setting very different key lifetimes for master and session keys. For example, setting a main mode master key lifetime of eight hours and a quick mode session key lifetime of two hours might leave a quick mode SA in place for almost two hours after the main mode SA has expired. This occurs when the quick mode SA is generated shortly before main mode SA expiration.</maml:para>
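<maml:para>As an added illustration (not part of the original help topic), this Python model replays the lifetime rules described above: a session key is replaced when its time or data lifetime is reached first, a main mode SA is renegotiated when its lifetime or the session key refresh limit is reached first, and a quick mode SA can outlive the main mode SA that created it. The function and field names are hypothetical, the eight-hour master key lifetime is the example value from the text, and the refresh limit is modelled as the maximum number of quick mode negotiations per main mode SA.</maml:para>

```python
from dataclasses import dataclass


@dataclass
class Timeline:
    quick_mode_keys: int          # session keys generated for the traffic
    main_mode_negotiations: int   # main mode SAs established, first included
    max_overhang_s: float         # longest time a quick mode SA outlives
                                  # the lifetime of its main mode SA


def simulate(traffic_start_s, duration_s, rate_kb_per_s,
             master_lifetime_s=8 * 3600,
             session_lifetime_s=3600, session_lifetime_kb=100 * 1024,
             refresh_limit=None, master_pfs=False):
    """Model rekeying for traffic that starts traffic_start_s seconds after
    the first main mode SA is established at time 0."""
    if master_pfs:
        # The text: a refresh limit of 1 is identical to master key PFS.
        refresh_limit = 1

    # A session key is replaced when either lifetime is reached first.
    span = float(session_lifetime_s)
    if rate_kb_per_s > 0:
        span = min(span, session_lifetime_kb / rate_kb_per_s)

    traffic_end = traffic_start_s + duration_s
    mm_started, mm_count, qm_from_this_mm = 0.0, 1, 0
    qm_count, max_overhang = 0, 0.0
    t = float(traffic_start_s)

    while traffic_end > t:
        expired_by_time = t >= mm_started + master_lifetime_s
        expired_by_limit = (refresh_limit is not None
                            and qm_from_this_mm >= refresh_limit)
        if expired_by_time or expired_by_limit:
            # Whichever limit is reached first forces a new main mode SA.
            mm_started, mm_count, qm_from_this_mm = t, mm_count + 1, 0

        qm_count += 1
        qm_from_this_mm += 1
        # IKE does not expire the quick mode SA when the main mode SA's
        # lifetime ends, so it stays in place until its own lifetime.
        overhang = (t + span) - (mm_started + master_lifetime_s)
        max_overhang = max(max_overhang, overhang)
        t += span

    return Timeline(qm_count, mm_count, max_overhang)


if __name__ == "__main__":
    # 10,000 second transfer with a 1,000 second session key lifetime.
    print(simulate(0, 10000, 1, session_lifetime_s=1000))
    # Same transfer with master key PFS: one main mode per quick mode.
    print(simulate(0, 10000, 1, session_lifetime_s=1000, master_pfs=True))
    # Eight-hour master key, two-hour session key, quick mode SA created
    # one minute before the main mode SA expires.
    print(simulate(8 * 3600 - 60, 600, 1, session_lifetime_s=2 * 3600))
```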
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Filter Lists</maml:title><maml:introduction>
<maml:para>Except in the case of a block or allow rule, an IP filter list triggers security negotiations based on a match with the source, destination, and type of IP traffic. This type of IP packet filtering enables an administrator to precisely define which IP traffic is secured. Each IP filter list contains one or more filters, which define IP addresses and traffic types. One IP filter list can be used for multiple communication scenarios.</maml:para>

<maml:para>IPsec requires both an inbound filter and outbound filter between the computers specified in the filter list, except for Block or Permit rules. Inbound filters apply to incoming traffic and enable the receiving computer to respond to requests for secure communication or match traffic against the IP filter list. Outbound filters apply to traffic leaving a computer and conduct a security negotiation before traffic is sent.</maml:para>

<maml:para>By using the <maml:ui>Mirrored</maml:ui> check box, you automatically create two filters based on the filter settings: one for traffic to the destination and one for traffic from the destination. This allows two-way communications with other computers.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Filter list settings</maml:title><maml:introduction>
<maml:para>Filter lists (and filter actions) can be defined when you create a policy or before you create a policy. Filter lists are available to any policy. To define a filter list, right-click the IP Security Policy node and select <maml:ui>Manage IP filter lists and filter actions</maml:ui>.</maml:para>

<maml:para>Each filter defines a subset of inbound or outbound network traffic that the filter action acts on by either securing traffic (using authentication, data integrity, or data encryption), blocking entirely, or allowing (without using authentication, data integrity, or data encryption). You must have a filter to cover any traffic to which the associated rule applies. A filter contains the following settings:</maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para><maml:phrase>The source and destination addresses of the IP packet</maml:phrase>. You can configure any IP address assigned to the IPsec peer, a single IP address, IP addresses by DNS name, or groups of addresses to specify IP subnets.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:phrase>The protocol used to transfer the packet</maml:phrase>. This automatically covers all protocols in the TCP/IP protocol suite. However, it can be configured for an individual protocol, including a custom protocol, to meet special requirements.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:phrase>The source and destination ports of the protocol for TCP and UDP</maml:phrase>. By default, all TCP and UDP ports are covered, but this can be configured to apply to a specific TCP or UDP port only.</maml:para></maml:listItem>
</maml:list>

<maml:alertSet class="important"><maml:title>Important </maml:title><maml:para>DNS name resolution occurs only when the filter list is created and is not updated afterwards. So, if the IP address changes, the policy will not be updated. To update the IP address, you must edit the policy.</maml:para></maml:alertSet>

<maml:procedure><maml:title>To create a filter list using the New Rule Properties dialog box</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>IP Security Policy Properties</maml:ui> dialog, select the correct IP Security rule and click <maml:ui>Edit</maml:ui> or you can create a new rule by clicking <maml:ui>Add</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>IP Filter List</maml:ui> tab, clear the <maml:ui>Use Add Wizard </maml:ui>check box if you want to create the filter list in the property dialog box. If you want to use the wizard, leave the check box selected. Click <maml:ui>Add</maml:ui>. The following instructions are for creating a filter list using the dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Addresses</maml:ui> tab of the <maml:ui>IP Filter Properties</maml:ui> dialog box, select a source (local) IP address and a destination (that is, an IPsec peer) IP address.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Protocol</maml:ui> tab, select the protocol type that the filter will match.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>(Optional) On the <maml:ui>Description</maml:ui> tab, type a description of the filter. 
This description can help you sort through filters and allows you to quickly identify the filter without having to open its properties.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Repeat steps 4 through 8 to add additional filters to the list.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>IP Filter List</maml:ui> dialog box, type a descriptive name for the filter list. Click <maml:ui>OK</maml:ui> to add the filter list to the rule.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>New Rule Properties</maml:ui> dialog box, select the filter list.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>

<maml:procedure><maml:title>To create a filter list using the Manage filter lists and filter actions dialog box</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the IP Security Policy node and select <maml:ui>Manage IP filter lists and filter actions</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Manage IP Filter Lists</maml:ui> tab, click <maml:ui>Add</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>IP Filter List</maml:ui> dialog box, clear the <maml:ui>Use Add Wizard </maml:ui>check box if you want to create the filter list in the property dialog box. If you want to use the wizard, leave the check box selected. Click <maml:ui>Add</maml:ui>. The following instructions are for creating a filter list using the dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Addresses</maml:ui> tab of the <maml:ui>IP Filter Properties</maml:ui> dialog box, select a source (local) IP address and a destination (that is, an IPsec peer) IP address.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Protocol</maml:ui> tab, select the protocol type that the filter will match.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>(Optional) On the <maml:ui>Description</maml:ui> tab, type a description of the filter. 
This description can help you sort through filters and allows you to quickly identify the filter without having to open its properties.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Repeat steps 4 through 8 to add additional filters to the list.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>IP Filter List</maml:ui> dialog box, type a descriptive name for the filter list. Click <maml:ui>OK</maml:ui> to add the filter list to the rule.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Filter Actions</maml:linkText><maml:uri href="mshelp://windows/?id=813b928a-e67b-4e35-a5f8-d1e352a5609f"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>IPsec Connection Type</maml:title><maml:introduction>
<maml:para>For each Internet Protocol security (IPsec) rule, you must define the connection types to which the rule applies. For example, if you specify that a rule is to be applied only to remote access connections, then only these connections will match the rule.</maml:para>
<maml:para>Each rule has one connection type setting:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:phrase>All Network Connections.</maml:phrase> The rule applies to communications sent through any of the network connections that you have configured on the computer.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:phrase>Local Area Network (LAN).</maml:phrase> The rule only applies to communications sent through LAN connections that you have configured on the computer.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Wireless connections are treated as local area network connections when policies are created using the IP Security Policy snap-in. If you want to specify that a rule is to be applied to a wireless connection only, you must create a policy using the new Windows Firewall with Advanced Security snap-in.</maml:para></maml:alertSet></maml:listItem>
<maml:listItem><maml:para><maml:phrase>Remote Access</maml:phrase>. The rule only applies to communications sent through any remote access, virtual private network (VPN), or dial-up connection that you have configured on the computer.</maml:para></maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>IPsec Rules</maml:title><maml:introduction>
<maml:para>An Internet Protocol security (IPsec) policy consists of one or more rules that determine IPsec behavior. IPsec rules are configured on the <maml:ui>Rules</maml:ui> tab in the properties of an IPsec policy. Each IPsec rule contains the following configuration items:</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Filter list</maml:title><maml:introduction>
<maml:para>A single filter list that contains one or more predefined packet filters that describe the types of traffic to which the configured filter action for this rule is applied. The filter list is configured on the <maml:ui>IP Filter List</maml:ui> tab in the properties of an IPsec rule within an IPsec policy. For more information about filter lists, see <maml:navigationLink><maml:linkText>Filter Lists</maml:linkText><maml:uri href="mshelp://windows/?id=bbd8817c-a8ca-4f6a-9712-d7c190d211e3"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Filter action</maml:title><maml:introduction>
<maml:para>A single filter action that includes the type of action required (Permit, Block, or Negotiate Security) for packets that match the filter list. For the Negotiate Security filter action, the negotiation data contains one or more security methods that are used (in order of preference) during IKE negotiations and other IPsec settings. Each security method determines the security protocol (such as AH or ESP), the cryptographic algorithms, and session key regeneration settings used. The negotiation data is configured on the <maml:ui>Filter Action</maml:ui> tab in the properties of an IPsec rule within an IPsec policy. For more information, see <maml:navigationLink><maml:linkText>Filter Actions</maml:linkText><maml:uri href="mshelp://windows/?id=813b928a-e67b-4e35-a5f8-d1e352a5609f"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Authentication methods</maml:title><maml:introduction>
<maml:para>One or more authentication methods are configured (in order of preference) and used for authentication of IPsec peers during main mode negotiations. The available authentication methods are the Kerberos V5 authentication protocol, use of a certificate issued from a specified certification authority (CA), or a preshared key. The authentication data is configured on the <maml:ui>Authentication Methods</maml:ui> tab in the properties of an IPsec rule within an IPsec policy. For more information, see <maml:navigationLink><maml:linkText>IPsec Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=f66ee267-2f51-46e8-a841-aa5220ca35ee"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Tunnel endpoint</maml:title><maml:introduction>
<maml:para>Specifies whether the traffic is tunneled and, if it is, the IP address of the tunnel endpoint. For outbound traffic, the tunnel endpoint is the IP address of the IPsec tunnel peer. For inbound traffic, the tunnel endpoint is a local IP address. The tunnel endpoint is configured on the <maml:ui>Tunnel Setting</maml:ui> tab in the properties of an IPsec rule within an IPsec policy. You must create two tunnel rules, one for each direction that traffic will travel. For more information, see <maml:navigationLink><maml:linkText>IPsec Tunnel Settings</maml:linkText><maml:uri href="mshelp://windows/?id=1f44770d-8fd9-41bd-a835-faaf550ca32d"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Connection type</maml:title><maml:introduction>
<maml:para>Specifies whether the rule applies to local area network (LAN) connections, remote connections, or both. The connection type is configured on the <maml:ui>Connection Type</maml:ui> tab in the properties of an IPsec rule within an IPsec policy. For more information, see <maml:navigationLink><maml:linkText>IPsec Connection Type</maml:linkText><maml:uri href="mshelp://windows/?id=ccdd1c18-471d-4226-9618-253042819909"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Default response rule</maml:title><maml:introduction>
<maml:para>The default response rule is used to ensure that the computer responds to requests for secure communication. If an active policy does not have a rule defined that is requesting secure communication, then the default response rule is applied and security is negotiated, if the default response rule is enabled. For example, the default response rule is used when Computer A communicates securely with Computer B, and Computer B does not have an inbound filter defined for Computer A.</maml:para>
<maml:para>The default response rule, which can be used for all policies, cannot be deleted, but it can be deactivated. You have the option of enabling it when you create new IPsec policies with the IP Security Policy Wizard.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The default response rule will be ignored in a policy that will be assigned to a computer running Windows Vista® or a later version of Windows.</maml:para></maml:alertSet>
<maml:para>Authentication methods and the security methods can be configured for the default response rule. The filter list of &lt;Dynamic&gt; indicates that the filter list is not configured, but that filters are created automatically based on the receipt of IKE negotiation packets. The filter action of Default Response indicates that the action of the filter (Permit, Block, or Negotiate Security) cannot be configured.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>IPsec Authentication</maml:title><maml:introduction>
<maml:para>Each rule defines a list of authentication methods. Each authentication method defines the requirements for the way in which identities are verified in communications to which the associated rule applies. The methods are attempted by each peer in the order in which they are listed. The two peers must have at least one common authentication method or communication will fail. Creating multiple authentication methods increases the chance that a common method between two computers can be found.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The order of these methods is also important because only the first common method is attempted; if it fails to authenticate, no other methods in the list will be attempted, even if these methods would have succeeded.</maml:para></maml:alertSet>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Authentication methods</maml:title><maml:introduction>
<maml:para>Only one authentication method can be used between a pair of computers, regardless of how many are configured. If you have multiple rules that apply to the same pair of computers, you must configure the authentication methods list in those rules to enable the pair to use the same method. For example, if one rule between a pair of computers specifies only Kerberos for authentication and filters only TCP data, and another rule specifies only certificates for authentication and filters only UDP data, authentication will fail. Authentication methods are configured on the <maml:ui>Authentication Methods</maml:ui> tab of the <maml:ui>Edit Rule Properties</maml:ui> or <maml:ui>Add Rule Properties</maml:ui> property sheets.</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>The Kerberos version 5 authentication protocol is the default authentication technology. This method can be used for any computers running the Kerberos V5 authentication protocol that are members of the same or trusted domains. This method is useful for domain isolation using Internet Protocol security (IPsec).</maml:para></maml:listItem>
<maml:listItem><maml:para>A public key certificate should be used in situations that include Internet access, remote access to corporate resources, external business partner communications, or computers that do not run the Kerberos V5 authentication protocol. This requires that at least one trusted certification authority (CA) has been configured. This version of Windows supports X.509 Version 3 certificates, including CA certificates generated by commercial certifying authorities.</maml:para></maml:listItem>
<maml:listItem><maml:para>A preshared key can be specified. This is a shared, secret key that is previously agreed upon by two users. It is simple to use and does not require the client to run the Kerberos V5 authentication protocol or have a public key certificate. Both parties must manually configure IPsec to use this preshared key. This is a simple method for authenticating standalone computers or any computers that are not using the Kerberos V5 authentication protocol. A preshared key is for authentication protection only; it is not used for data integrity or encryption.</maml:para></maml:listItem>
</maml:list>

<maml:alertSet class="important"><maml:title>Important </maml:title><maml:para>The preshared key is stored in plaintext and is not considered a secure method. Preshared keys should be used for testing purposes only.</maml:para></maml:alertSet>
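Added example (not part of the Microsoft help text): a Python model of the authentication-method behavior described above, covering first-common-method selection with no fallback and an audit for rules on the same computer pair that share no method or that use a preshared key. The names Rule, negotiate and audit_rules, the host names, and the choice to walk the local peer's preference order are assumptions made for illustration.

```python
"""Model of IPsec rule authentication-method selection (added example)."""
from collections import defaultdict
from dataclasses import dataclass

KERBEROS, CERTIFICATE, PSK = "kerberos", "certificate", "preshared-key"


@dataclass(frozen=True)
class Rule:
    name: str
    peers: frozenset      # the two computers the rule's filter list covers
    traffic: str          # e.g. "TCP" or "UDP" (descriptive only)
    auth_methods: tuple   # ordered by preference, as on the Authentication Methods tab


def first_common_method(local_order, remote_methods):
    """Return the first method in local_order that the remote peer also lists."""
    for method in local_order:
        if method in remote_methods:
            return method
    return None


def negotiate(local_order, remote_methods, usable):
    """Simulate peer authentication during main mode.

    usable is the set of methods that would succeed right now (valid ticket,
    unexpired certificate, matching key). Only the first common method is
    tried; there is no fallback to later entries in the list.
    Assumption: the local peer's preference order drives the selection.
    """
    chosen = first_common_method(local_order, remote_methods)
    if chosen is None:
        return (False, None, "no common authentication method")
    if chosen not in usable:
        return (False, chosen, "first common method failed; later methods not tried")
    return (True, chosen, "authenticated")


def audit_rules(rules):
    """Flag rule sets that the help text says will fail or are unsafe."""
    findings = []
    by_pair = defaultdict(list)
    for rule in rules:
        by_pair[rule.peers].append(rule)
        if PSK in rule.auth_methods:
            findings.append((rule.name, "preshared key is stored in plaintext; test use only"))
    for pair_rules in by_pair.values():
        if len(pair_rules) == 1:
            continue
        # Minimal check: every rule for the pair must offer at least one shared method.
        shared = set(pair_rules[0].auth_methods)
        for rule in pair_rules[1:]:
            shared = shared.intersection(rule.auth_methods)
        if not shared:
            names = ", ".join(r.name for r in pair_rules)
            findings.append((names, "rules for the same pair share no authentication method"))
    return findings


# Constructed sample policy: the Kerberos/TCP plus certificate/UDP case from the text,
# and a lab rule that lists a preshared key.
PAIR = frozenset({"HOST-A", "HOST-B"})
SAMPLE_RULES = [
    Rule("tcp-rule", PAIR, "TCP", (KERBEROS,)),
    Rule("udp-rule", PAIR, "UDP", (CERTIFICATE,)),
    Rule("lab-rule", frozenset({"HOST-A", "LAB-1"}), "any", (CERTIFICATE, PSK)),
]

if __name__ == "__main__":
    # Kerberos is listed first but unusable: the certificate is never tried.
    print(negotiate((KERBEROS, CERTIFICATE), {KERBEROS, CERTIFICATE}, {CERTIFICATE}))
    for subject, problem in audit_rules(SAMPLE_RULES):
        print(f"{subject}: {problem}")
```

Reordering the list so that the method expected to succeed comes first changes the outcome of negotiate, which is why the order on the Authentication Methods tab matters.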
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Filter Actions</maml:linkText><maml:uri href="mshelp://windows/?id=813b928a-e67b-4e35-a5f8-d1e352a5609f"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>IPsec Rules</maml:linkText><maml:uri href="mshelp://windows/?id=e2851bb4-63d0-4c18-b0cc-7b6f6458a6e4"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><?xml version="1.0" encoding="utf-8"?>
<HelpCollection Id="ipsecpolicy" DTDVersion="1.0" FileVersion="" LangId="1033" Copyright="© 2005 Microsoft Corporation. All rights reserved." Title="IPsec Policies" xmlns="http://schemas.microsoft.com/help/collection/2004/11">
	<CompilerOptions CompileResult="H1S" CreateFullTextIndex="Yes" BreakerId="Microsoft.NLG.en.WordBreaker">
		<IncludeFile File="ipsecpolicy.H1F" />
	</CompilerOptions>
	<TOCDef File="ipsecpolicy.H1T" Id="ipsecpolicy_TOC" />
	<VTopicDef File="ipsecpolicy.H1V" />
	<KeywordIndexDef File="ipsecpolicy_AssetId.H1K" />
	<KeywordIndexDef File="ipsecpolicy_BestBet.H1K" />
	<KeywordIndexDef File="ipsecpolicy_LinkTerm.H1K" />
	<KeywordIndexDef File="ipsecpolicy_SubjectTerm.H1K" />
	<ItemMoniker Name="!DefaultTOC" ProgId="HxDs.HxHierarchy" InitData="AnyString" />
	<ItemMoniker Name="!DefaultFullTextSearch" ProgId="HxDs.HxFullTextSearch" InitData="AnyString" />
	<ItemMoniker Name="!DefaultAssetIdIndex" ProgId="HxDs.HxIndex" InitData="AssetId" />
	<ItemMoniker Name="!DefaultBestBetIndex" ProgId="HxDs.HxIndex" InitData="BestBet" />
	<ItemMoniker Name="!DefaultAssociativeIndex" ProgId="HxDs.HxIndex" InitData="LinkTerm" />
	<ItemMoniker Name="!DefaultKeywordIndex" ProgId="HxDs.HxIndex" InitData="SubjectTerm" />
</HelpCollection><?xml version="1.0" encoding="utf-8"?>
<HelpFileList xmlns="http://schemas.microsoft.com/help/filelist/2004/11">
	<File Url="assets\1f44770d-8fd9-41bd-a835-faaf550ca32d.xml" />
	<File Url="assets\61c29a2f-179c-4d5e-8177-713b85322e0c.xml" />
	<File Url="assets\813b928a-e67b-4e35-a5f8-d1e352a5609f.xml" />
	<File Url="assets\ad046fcc-8909-4b41-9f4f-6c399ebc13bf.xml" />
	<File Url="assets\bbd8817c-a8ca-4f6a-9712-d7c190d211e3.xml" />
	<File Url="assets\ccdd1c18-471d-4226-9618-253042819909.xml" />
	<File Url="assets\e2851bb4-63d0-4c18-b0cc-7b6f6458a6e4.xml" />
	<File Url="assets\f66ee267-2f51-46e8-a841-aa5220ca35ee.xml" />
</HelpFileList><?xml version="1.0" encoding="utf-8"?>
<VTopicSet DTDVersion="1.0" xmlns="http://schemas.microsoft.com/help/vtopic/2004/11">
	<Vtopic Url="assets\1f44770d-8fd9-41bd-a835-faaf550ca32d.xml" RLTitle="IPsec Tunnel Settings">
		<Attr Name="assetid" Value="1f44770d-8fd9-41bd-a835-faaf550ca32d" />
		<Keyword Index="AssetId" Term="1f44770d-8fd9-41bd-a835-faaf550ca32d" />
		<Keyword Index="AssetId" Term="1f44770d-8fd9-41bd-a835-faaf550ca32d1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1808" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1f44770d-8fd9-41bd-a835-faaf550ca32d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\61c29a2f-179c-4d5e-8177-713b85322e0c.xml" RLTitle="Creating and Using IPsec Policies">
		<Attr Name="assetid" Value="61c29a2f-179c-4d5e-8177-713b85322e0c" />
		<Keyword Index="AssetId" Term="61c29a2f-179c-4d5e-8177-713b85322e0c" />
		<Keyword Index="AssetId" Term="61c29a2f-179c-4d5e-8177-713b85322e0c1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1808" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="61c29a2f-179c-4d5e-8177-713b85322e0c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\813b928a-e67b-4e35-a5f8-d1e352a5609f.xml" RLTitle="Filter Actions">
		<Attr Name="assetid" Value="813b928a-e67b-4e35-a5f8-d1e352a5609f" />
		<Keyword Index="AssetId" Term="813b928a-e67b-4e35-a5f8-d1e352a5609f" />
		<Keyword Index="AssetId" Term="813b928a-e67b-4e35-a5f8-d1e352a5609f1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1808" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="813b928a-e67b-4e35-a5f8-d1e352a5609f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ad046fcc-8909-4b41-9f4f-6c399ebc13bf.xml" RLTitle="IPsec Key Exchange">
		<Attr Name="assetid" Value="ad046fcc-8909-4b41-9f4f-6c399ebc13bf" />
		<Keyword Index="AssetId" Term="ad046fcc-8909-4b41-9f4f-6c399ebc13bf" />
		<Keyword Index="AssetId" Term="ad046fcc-8909-4b41-9f4f-6c399ebc13bf1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1808" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ad046fcc-8909-4b41-9f4f-6c399ebc13bf" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\bbd8817c-a8ca-4f6a-9712-d7c190d211e3.xml" RLTitle="Filter Lists">
		<Attr Name="assetid" Value="bbd8817c-a8ca-4f6a-9712-d7c190d211e3" />
		<Keyword Index="AssetId" Term="bbd8817c-a8ca-4f6a-9712-d7c190d211e3" />
		<Keyword Index="AssetId" Term="bbd8817c-a8ca-4f6a-9712-d7c190d211e31033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1808" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="bbd8817c-a8ca-4f6a-9712-d7c190d211e3" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ccdd1c18-471d-4226-9618-253042819909.xml" RLTitle="IPsec Connection Type">
		<Attr Name="assetid" Value="ccdd1c18-471d-4226-9618-253042819909" />
		<Keyword Index="AssetId" Term="ccdd1c18-471d-4226-9618-253042819909" />
		<Keyword Index="AssetId" Term="ccdd1c18-471d-4226-9618-2530428199091033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1808" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ccdd1c18-471d-4226-9618-253042819909" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e2851bb4-63d0-4c18-b0cc-7b6f6458a6e4.xml" RLTitle="IPsec Rules">
		<Attr Name="assetid" Value="e2851bb4-63d0-4c18-b0cc-7b6f6458a6e4" />
		<Keyword Index="AssetId" Term="e2851bb4-63d0-4c18-b0cc-7b6f6458a6e4" />
		<Keyword Index="AssetId" Term="e2851bb4-63d0-4c18-b0cc-7b6f6458a6e41033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1808" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e2851bb4-63d0-4c18-b0cc-7b6f6458a6e4" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f66ee267-2f51-46e8-a841-aa5220ca35ee.xml" RLTitle="IPsec Authentication">
		<Attr Name="assetid" Value="f66ee267-2f51-46e8-a841-aa5220ca35ee" />
		<Keyword Index="AssetId" Term="f66ee267-2f51-46e8-a841-aa5220ca35ee" />
		<Keyword Index="AssetId" Term="f66ee267-2f51-46e8-a841-aa5220ca35ee1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1808" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f66ee267-2f51-46e8-a841-aa5220ca35ee" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
</VTopicSet><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpTOC>
<HelpTOC xmlns="http://schemas.microsoft.com/help/toc/2004/11" DTDVersion="1.0" Id="ipsecpolicy_TOC" FileVersion="" LangId="1033" ParentNodeIcon="Book" PluginStyle="Hierarchical">
	<HelpTOCNode Url="mshelp://windows/?tocid=782ac071-295b-49c2-8aa6-ffc409be0ed8" Title="">
		<HelpTOCNode Url="mshelp://windows/?id=61c29a2f-179c-4d5e-8177-713b85322e0c" Title="Creating and Using IPsec Policies">
			<HelpTOCNode Url="mshelp://windows/?id=bbd8817c-a8ca-4f6a-9712-d7c190d211e3" Title="Filter Lists" />
			<HelpTOCNode Url="mshelp://windows/?id=813b928a-e67b-4e35-a5f8-d1e352a5609f" Title="Filter Actions" />
			<HelpTOCNode Url="mshelp://windows/?id=f66ee267-2f51-46e8-a841-aa5220ca35ee" Title="IPsec Authentication" />
			<HelpTOCNode Url="mshelp://windows/?id=1f44770d-8fd9-41bd-a835-faaf550ca32d" Title="IPsec Tunnel Settings" />
			<HelpTOCNode Url="mshelp://windows/?id=ccdd1c18-471d-4226-9618-253042819909" Title="IPsec Connection Type" />
			<HelpTOCNode Url="mshelp://windows/?id=e2851bb4-63d0-4c18-b0cc-7b6f6458a6e4" Title="IPsec Rules" />
			<HelpTOCNode Url="mshelp://windows/?id=ad046fcc-8909-4b41-9f4f-6c399ebc13bf" Title="IPsec Key Exchange" />
		</HelpTOCNode>
	</HelpTOCNode>
</HelpTOC><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="AssetId" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="BestBet" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="LinkTerm" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="SubjectTerm" /> ŃyT`!VU?;qE+RJUC*i&eRPQhB"	ea{V$fVp|P[/09֡.ՌEb,D*#R@!0T͆6
&Z
.	

Anon7 - 2022
AnonSec Team