To list the ports that are protected by IPSec, you can either take a static approach using the filter management functions or write a kernel-mode callout driver.
1. User Mode.
IPSec policies added using netsh or the Advanced Windows Firewall plumb an inbound filter at the transport layer to verify that packets that were supposed to arrive over a security association did indeed arrive securely. These filters are associated with the following well-known callouts, identified by their callout IDs:
FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4
FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6
Use the FwpmFilterCreateEnumHandle0 function to create a handle to enumerate the filter objects.
One of the parameters to this function is the enumTemplate (FWPM_FILTER_ENUM_TEMPLATE0), which restricts the enumeration.
Set the callout key member of the enumTemplate to the IPSec callout ID (FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4).
Use the FwpmFilterEnum0 function with the enum handle returned by the FwpmFilterCreateEnumHandle0 to list all filters that match the enum template.
For more on the filter management functions refer to
http://msdn2.microsoft.com/en-us/library/ms758486.aspx
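An offline variant of the user-mode enumeration above, as an added example that is not part of the original page: instead of calling FwpmFilterEnum0, it applies the same callout-key restriction to an XML export of the filter table. The element names are assumed to follow the layout of a `netsh wfp show filters` dump, and the sample filters and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Callout IDs the page names for the inbound IPsec verification filters.
IPSEC_CALLOUTS = {"FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4",
                  "FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6"}

def make_filter(name, callout, port=None):
    """Build one constructed <item>; element names are an assumed dump layout."""
    cond = "" if port is None else (
        "<item><fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>"
        "<matchType>FWP_MATCH_EQUAL</matchType><conditionValue>"
        f"<type>FWP_UINT16</type><uint16>{port}</uint16></conditionValue></item>")
    act = f"<calloutKey>{callout}</calloutKey>" if callout else ""
    return (f"<item><displayData><name>{name}</name></displayData>"
            f"<filterCondition>{cond}</filterCondition><action>{act}</action></item>")

# Constructed sample input (not captured from a real host).
SAMPLE_DUMP = "<wfpdiag><filters>" + "".join([
    make_filter("sample-smb-secured", "FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4", 445),
    make_filter("sample-all-ports-v6", "FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6"),
    make_filter("sample-plain-http", None, 80),  # ordinary filter, no IPsec callout
]) + "</filters></wfpdiag>"

def ipsec_protected_ports(dump_xml):
    """Return [(filter name, callout ID, ports)] for filters tied to the IPsec callouts."""
    result = []
    for item in ET.fromstring(dump_xml).findall("./filters/item"):
        callout = item.findtext("./action/calloutKey")
        if callout not in IPSEC_CALLOUTS:  # same restriction as the enum template
            continue
        ports = []
        for cond in item.findall("./filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_IP_LOCAL_PORT":
                continue
            if cond.findtext("matchType") == "FWP_MATCH_EQUAL":
                ports.append(int(cond.findtext("./conditionValue/uint16")))
            else:  # ranges and other match types: report the type, do not guess
                ports.append(cond.findtext("matchType"))
        # No local-port condition means the filter applies to every port.
        result.append((item.findtext("./displayData/name"), callout, ports or ["any"]))
    return result

if __name__ == "__main__":
    for name, callout, ports in ipsec_protected_ports(SAMPLE_DUMP):
        print(f"{name}: {callout} ports={ports}")
```

A filter that carries the IPsec callout but no local-port condition is reported as `any`, which is the case most easily missed when auditing which ports require a security association.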
2. Kernel Mode.
Write a callout driver. This is a more dynamic approach, because you can inspect every connection to verify that it is secure.
This driver will reside at the ALE_AUTH_CONNECT (TCP) layer and at the ALE_AUTH_RECV_ACCEPT layer. This makes sure that the classify function gets invoked for every new connection.
FWPS_INCOMING_VALUES0 is a structure that defines the data values that the filter engine passes to a callout driver's classify function.
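Read the flags from the incoming values, where #LAYER# is a placeholder for the index of the flags field at the layer being classified:
flags = inFixedValues->incomingValue[#LAYER#].value.uint32;
If (flags & FWP_CONDITION_FLAG_IS_IPSEC_SECURED) is nonzero, the connection is protected by IPSec.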
For more on callout drivers refer to
http://msdn2.microsoft.com/en-us/library/aa504873.aspx