ipsecpol [\\computername] [-?] [flags]
Where:
Note
You must have administrative privileges on the computer specified.
Other flags are listed under either Dynamic Mode or Static Mode.
Flags for dynamic or static mode (listed under Dynamic Mode below):
-f FilterList [-n NegotiationPolicyList] [-t TunnelAddress] [-a AuthMethodList] [-u] [-soft] [{-dialup | -lan}] [-1s SecurityMethodList] [-1k Phase1RekeyAfter] [-1p]
Flag for dynamic mode only:
[-confirm]
Flags for static mode only:
[-w TYPE:DOMAIN] [-p PolicyName:PollInterval] [-r RuleName] [-x] [-y] [-o]
All flags except -f have defaults. You must usually provide -f to specify which filters the policy applies to, except with the -u, -x, or -y flags, which delete policies or rules.
Dynamic mode plumbs policy into the Policy Agent, and that policy is active only for the lifetime of the Policy Agent service: it is lost when the service is stopped or the computer restarts. The benefit of dynamic mode is that the policy can co-exist with directory service-based policies, which override any local policy not plumbed by IPSecPol.
Each execution of the tool sets an IPSec rule, an IKE policy, or both. When setting the IPSec policy, think of it as setting an IP Security Rule in the UI. So, if you need to set up a tunnel policy, you will need to execute the tool twice, once for the outbound filters and outgoing tunnel endpoint, and once for the inbound filters and incoming tunnel endpoint.
In dynamic mode, if you use a DNS name that resolves to multiple addresses, only the first address in the list is used. This is not a problem in static mode.
Read the filter spec help carefully; it is the most difficult part and the easiest to get wrong. In particular, pay attention to how a protocol is specified.
Note
References to SHA in IPSecPol refer to the SHA1 algorithm.
The following flags deal with IPSec policy. If omitted, a default value is used where specified.
A filterspec is of the format:
A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
The Source address is always on the left of the = and the Destination address is always on the right.
MIRRORING: If you replace the = with a +, two filters will be created, one in each direction.
mask and port are optional. If omitted, Any port and mask 255.255.255.255 will be used for the filter.
You can replace A.B.C.D/mask with the following for special meaning:
0 means My address(es)
* means Any address
a DNS name (note that multiple resolutions are ignored)
protocol is optional; if omitted, Any protocol is assumed. If you indicate a protocol, a port must precede it or :: must precede it. Note that if protocol is specified, it must be the last item in the filter spec.
Examples:
Machine1+Machine2::6 will filter TCP traffic between Machine1 and Machine2
172.31.0.0/255.255.0.0:80=157.0.0.0/255.0.0.0:80:TCP will filter all TCP traffic from the first subnet, port 80 to the second subnet, port 80
PASSTHRU and DROP filters: By surrounding a filter specification with (), the filter will be a passthru filter. If you surround it with [], the filter will be a blocking, or drop, filter.
Example: (0+128.2.1.1) will create 2 filters (it's mirrored) that will be exempted from policy.
You can use the following protocol symbols: ICMP UDP RAW TCP
Star notation:
If your subnet masks are along octet boundaries, then you can use the star notation to wildcard subnets.
Examples:
128.*.*.* is same as 128.0.0.0/255.0.0.0
128.*.* is the same as above
128.* is the same as above
144.92.*.* is same as 144.92.0.0/255.255.0.0
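An added example, not part of the ipsecpol documentation: a Python parser for the filter-spec grammar above, covering the = versus + mirroring, () passthru and [] drop, the 0 and * special addresses, star notation, the default mask and port, and the rule that a protocol must be preceded by a port or by ::. The parsed representation (dict keys, the MyAddress and Any labels) is my own, not the tool's internal format.

```python
import ipaddress
import re
# Protocol symbols ipsecpol accepts and their IP protocol numbers; the number itself is also allowed (::6).
PROTOCOLS = {"ICMP": 1, "TCP": 6, "UDP": 17, "RAW": 255}
HOST_MASK = "255.255.255.255"  # mask used when none is given

def expand_star(addr):
    """Star notation: leading octets are fixed, each trailing * wildcards one octet."""
    parts = addr.split(".")
    n = len([p for p in parts if p != "*"])
    if not (1 <= n <= 3 and parts[n:] and all(p == "*" for p in parts[n:])):
        raise ValueError("bad star notation: " + addr)
    return ".".join(parts[:n] + ["0"] * (4 - n)), ".".join(["255"] * n + ["0"] * (4 - n))

def parse_endpoint(text):
    """addr[/mask][:port] -> dict; mask defaults to HOST_MASK, port to Any (None)."""
    addr, _, port = text.partition(":")
    ep = {"port": int(port) if port else None}
    if addr in ("0", "*"):                         # 0 = my address(es), * = any address
        ep.update(addr={"0": "MyAddress", "*": "Any"}[addr], mask=None)
    elif "*" in addr or re.fullmatch(r"[\d.]+(/[\d.]+)?", addr):
        if "*" in addr:
            ip, mask = expand_star(addr)
        else:
            ip, _, mask = addr.partition("/")
        mask = mask or HOST_MASK
        ipaddress.IPv4Network((ip, mask), strict=False)  # raises on a bad address or mask
        ep.update(addr=ip, mask=mask)
    else:                                          # DNS name; ipsecpol resolves it
        ep.update(addr=addr, mask=HOST_MASK)
    return ep

def parse_filterspec(spec):
    """Return the filters one spec produces: one for =, two (mirrored) for +."""
    spec, action = spec.strip(), "negotiate"
    if spec[:1] + spec[-1:] == "()":
        action, spec = "passthru", spec[1:-1]
    elif spec[:1] + spec[-1:] == "[]":
        action, spec = "drop", spec[1:-1]
    parts = re.split(r"([=+])", spec, maxsplit=1)
    if len(parts) != 3:
        raise ValueError("filter spec needs = or +: " + spec)
    src, sep, dst = parts
    fields = dst.split(":")                        # addr[:port[:protocol]]
    if len(fields) > 3 or not fields[0]:
        raise ValueError("bad destination: " + dst)
    protocol = None
    if len(fields) == 3:                           # protocol is last; "::6" means any port
        p = fields[2].upper()
        protocol = PROTOCOLS[p] if p in PROTOCOLS else int(p)
    src_ep, dst_ep = parse_endpoint(src), parse_endpoint(":".join(fields[:2]))
    pairs = [(src_ep, dst_ep)] + ([(dst_ep, src_ep)] if sep == "+" else [])
    return [{"action": action, "src": s, "dst": d, "protocol": protocol} for s, d in pairs]
```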
NegotiationPolicyList (the -n argument) entries take one of the following forms:
ESP[ConfAlg,AuthAlg]RekeyPFS
AH[HashAlg]
AH[HashAlg]+ESP[ConfAlg,AuthAlg]
where ConfAlg can be NONE, DES, or 3DES
and AuthAlg can be NONE, MD5, or SHA
and HashAlg is MD5 or SHA
NOTE: ESP[NONE,NONE] is not a supported config
NOTE: SHA refers to the SHA1 hash algorithm
Rekey is number of KBytes or number of seconds to rekey
put K or S after the number to indicate KBytes or seconds, respectively
Example: 3600S will rekey after 1 hour
To use both, separate with a slash.
Example: 3600S/5000K will rekey every hour and 5 MB.
REKEY PARAMETERS ARE OPTIONAL
PFS is OPTIONAL; if it is present it will enable phase 2 perfect forward secrecy. You may use just P for short.
TunnelAddress (the -t argument) is either:
A.B.C.D
DNS name
AuthMethodList (the -a argument) is a list of space separated auth methods of the form:
PRESHARE:"preshared key string"
KERBEROS
CERT:"CA Info"
The strings provided for the preshared key and CA info ARE case sensitive.
You can abbreviate the method with its first letter, i.e. P, K, or C.
The following three flags deal with IKE phase 1 policy. An easy way to remember this is that all IKE phase 1 parameters are passed with a 1 in the flag. If no IKE flags are specified, the current IKE policy is used. If there is no current IKE policy, the defaults specified below are used.
SecurityMethodList (the -1s argument) entries have the form:
ConfAlg-HashAlg-GroupNum
where ConfAlg can be DES or 3DES
and HashAlg is MD5 or SHA
and GroupNum is:
1 (Low)
2 (Med)
Example: DES-SHA-1
Phase1RekeyAfter (the -1k argument) is a number of quick modes or a number of seconds; put Q or S after the number, respectively.
Example: 10Q will rekey after 10 quick modes
To use both, separate with a slash.
Example: 10Q/3600S will rekey every hour and 10 quick modes
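An added example (not from the ipsecpol documentation) that parses the -n security-method forms given earlier together with the -1s ConfAlg-HashAlg-GroupNum and -1k rekey formats, rejecting ESP[NONE,NONE], a rekey unit given twice, and algorithms the tool does not list. It assumes the -n entries are space separated like the -a list; the dict layout of the result is my own.

```python
import re
CONF_ALGS = {"NONE", "DES", "3DES"}
AUTH_ALGS = {"NONE", "MD5", "SHA"}     # SHA means SHA1 throughout ipsecpol
HASH_ALGS = {"MD5", "SHA"}
PHASE2_UNITS = {"K": "kbytes", "S": "seconds"}       # -n rekey: 3600S/5000K
PHASE1_UNITS = {"Q": "quick_modes", "S": "seconds"}  # -1k rekey: 10Q/3600S

def parse_rekey(text, units):
    """'3600S/5000K' -> {'seconds': 3600, 'kbytes': 5000}; '' -> {} (rekey is optional)."""
    rekey = {}
    for item in filter(None, text.split("/")):
        m = re.fullmatch(r"(\d+)([A-Z])", item)
        if not m or m.group(2) not in units or units[m.group(2)] in rekey:
            raise ValueError("bad or repeated rekey value: " + text)
        rekey[units[m.group(2)]] = int(m.group(1))
    return rekey

def parse_security_method(method):
    """One -n entry: AH[Hash], ESP[Conf,Auth]RekeyPFS or AH[Hash]+ESP[Conf,Auth]RekeyPFS."""
    parts = method.upper().split("+")
    if len(parts) == 2 and not parts[0].startswith("AH["):
        raise ValueError("combined form must be AH[...]+ESP[...]: " + method)
    sm = {"ah": None, "esp": None, "rekey": {}, "pfs": False}
    for part in parts:
        ah = re.fullmatch(r"AH\[(\w+)\]", part)
        esp = re.fullmatch(r"ESP\[(\w+),(\w+)\]([\dKS/]*?)(PFS|P)?", part)
        if ah and ah.group(1) in HASH_ALGS and sm["ah"] is None:
            sm["ah"] = ah.group(1)
        elif esp and esp.group(1) in CONF_ALGS and esp.group(2) in AUTH_ALGS and sm["esp"] is None:
            if esp.group(1) == esp.group(2) == "NONE":
                raise ValueError("ESP[NONE,NONE] is not a supported config")
            sm["esp"] = (esp.group(1), esp.group(2))
            sm["rekey"] = parse_rekey(esp.group(3), PHASE2_UNITS)
            sm["pfs"] = esp.group(4) is not None   # P or PFS enables phase 2 PFS
        else:
            raise ValueError("bad security method: " + method)
    return sm

def parse_negotiation_policy_list(text):
    """Whole -n argument, assumed space separated like the -a list."""
    return [parse_security_method(m) for m in text.split()]

def parse_phase1(security_method, rekey_after=""):
    """-1s ConfAlg-HashAlg-GroupNum (e.g. DES-SHA-1) plus an optional -1k value."""
    m = re.fullmatch(r"(DES|3DES)-(MD5|SHA)-([12])", security_method.upper())
    if not m:
        raise ValueError("bad phase 1 security method: " + security_method)
    return {"conf": m.group(1), "hash": m.group(2), "group": int(m.group(3)),
            "rekey": parse_rekey(rekey_after.upper(), PHASE1_UNITS)}
```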
In static mode, IPSecPol creates or modifies stored policy. This policy can be used again and will last the lifetime of the store. This is the mode that the IPSec MMC snap-in uses. Static mode is indicated by the -w flag. The following flags are valid only for static mode. The usage for static mode is an extension of dynamic mode, so please read through the dynamic mode section.
Static mode uses most of the dynamic mode syntax, but adds a few flags that enable it to work at a policy level as well. Remember, dynamic mode just lets you add anonymous rules to the policy agent. Static mode allows you to create named policies and named rules. It also has some functionality to modify existing policies and rules, provided they were originally created with IPSecPol.
Static mode is designed to provide most of the functionality of the IPSec user interface in a command-line tool, so there are references here to the snap-in.
Static mode requires one change to the dynamic-mode usage. In static mode, pass through and block filters are indicated in the NegotiationPolicyList that is specified by -n. There are three items you can pass in the NegotiationPolicyList that have special meaning:
For static mode, authorized users can modify the ACLs of the storage to give you access. For the local or remote computer case, IP Security policy objects are stored in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Policy\Local
For the Directory Service case, they are stored in:
CN=IP Security,CN=System,DC=YourDCName,DC=ParentDCName,DC=TopLevelDC
in other words, the IP Security container under the System container.
All static-mode flags are required unless otherwise indicated.
-w TYPE:DOMAIN
TYPE can be either REG for registry or DS for Directory Storage. If \\machinename was specified and TYPE is REG, the policy will be written to the remote machine's registry.
DOMAIN applies to the DS case only. It indicates the domain name of the DS to write to. If omitted, the domain the local machine is in is used.