This example establishes an AH tunnel between the two specified IP addresses. Note that the phase 1 security method is set with PFS. It also uses -confirm, abbreviated to -c.
ipsecpol -f 128.2.1.1=128.2.1.13 -t 128.2.1.13 -n ah[sha] -apreshare:tooltime -1s des40-md5-3 -1p -c
ipsecpol -f 128.2.1.13=128.2.1.1 -t 128.2.1.1 -n ah[sha] -apreshare:tooltime -1s des40-md5-3 -1p -c
This example sets a mirrored filter of me to any using AH md5. It uses Kerberos for the Oakley authority on the local computer.
ipsecpol -f 0+* -n ah[md5]
This example establishes a mirrored filter between the two computers named randyram and randyram0, using an AND proposal and a preshared key. It sets policy on \\randyram0.
ipsecpol \\randyram0 -f randyram+randyram0 -n esp[des,sha]+ah[md5] -apreshare:tooltime -c
This example sets up a policy in the Directory Service for the domain that the computer running this command is in. It sets up a Directory Service-based policy for clients to two secured servers. Both ESP and AH are sent as security offers and the computers negotiate which one they will use. Note the use of abbreviation in the authentication methods (KERBEROS could have been abbreviated as a K) and that this rule is only for LAN interfaces.
ipsecpol -w DS -p "Default Domain Policy":30 -r "Secured Servers" -f 0+SecuredServer1 0+SecuredServer2 -n ESP[MD5,DES] AH[MD5] -a KERBEROS P:ace -lan
This example sets up a local policy that would negotiate properly with the policy from the previous example (Using static mode to set up a domain policy), so it would be run on SecuredServer1 or SecuredServer2. Note the use of -x to make the policy active.
ipsecpol -w REG -r "Me to Anyone" -p "Secure My Traffic" -f 0+* -n AH[MD5] -a P:ace -x
Updating a rule in static mode does not augment the existing rule. Rather, it replaces the rule's current settings with the settings you specify on the command line. For example, if you take the policy from Example 5 and want to modify just the negotiation policy, you would execute:
ipsecpol -w REG -r "Me to Anyone" -p "Secure My Traffic" -n ESP[DES,SHA] AH[SHA]PFS
This would replace the original negotiation policy with the one specified above. It would not touch any of the other settings in the existing rule.
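As an added example (not part of the original page and not code from the ipsecpol tool), a small Python auditor that parses the -n, -1s, -1p and -a forms shown in the examples above and reports what a policy reviewer would flag: the deprecated-algorithm list is an assumed review policy, and P: is assumed to abbreviate PRESHARE by analogy with the KERBEROS-to-K note.

```python
import re
from itertools import takewhile
# Assumed review policy for this added example (not from the page): algorithms to flag.
DEPRECATED = {"des40", "des", "md5"}

# Constructed sample: the first command line from this page, with its preshared key "tooltime".
SAMPLE = r'ipsecpol -f 128.2.1.1=128.2.1.13 -t 128.2.1.13 -n ah[sha] -apreshare:tooltime -1s des40-md5-3 -1p -c'

def tokenize(cmd):
    """Split a command line, keeping quoted arguments such as "Me to Anyone" together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def values_after(tokens, i):
    return list(takewhile(lambda t: not t.startswith("-"), tokens[i + 1:]))  # args up to the next switch

def parse_proposal(text):
    """One -n proposal: '+' ANDs protocols into one offer; a trailing PFS requests session PFS."""
    pfs = text.lower().endswith("pfs")
    parts = {}
    for part in (text[:-3] if pfs else text).split("+"):
        m = re.fullmatch(r"(esp|ah)\[([^\]]*)\]", part, re.I)
        if not m:
            raise ValueError("unrecognised proposal: " + part)
        parts[m.group(1).lower()] = [a.strip().lower() for a in m.group(2).split(",")]
    return parts, pfs

def audit(cmd):
    """Summarise what one ipsecpol command line negotiates and what a reviewer would flag."""
    tokens = tokenize(cmd)
    r = {"proposals": [], "session_pfs": False, "phase1": None, "phase1_pfs": False,
         "preshared_key_on_cmdline": False, "deprecated": set()}
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if low == "-n":                      # space-separated proposals are alternatives (OR)
            for parts, pfs in map(parse_proposal, values_after(tokens, i)):
                r["proposals"].append(parts)
                r["session_pfs"] |= pfs
                r["deprecated"].update(a for algs in parts.values() for a in algs if a in DEPRECATED)
        elif low == "-1s":                   # phase 1 method: encryption-hash-DH group
            enc, hsh, group = tokens[i + 1].lower().split("-")
            r["phase1"] = {"enc": enc, "hash": hsh, "dh_group": group}
            r["deprecated"].update(a for a in (enc, hsh) if a in DEPRECATED)
        elif low == "-1p":                   # phase 1 PFS, as in the first example on the page
            r["phase1_pfs"] = True
        elif low.startswith("-a"):           # -apreshare:key, or -a METHOD [METHOD ...]
            methods = [tok[2:]] if len(tok) > 2 else values_after(tokens, i)
            # P: is assumed to abbreviate PRESHARE (by analogy with the page's KERBEROS -> K note).
            r["preshared_key_on_cmdline"] |= any(m.lower().startswith(("preshare:", "p:")) for m in methods)
    return r
```

A preshared key typed on the command line ends up in shell history and scripts, which is why the report flags it separately from the algorithm choices.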