IPseccmd文档格式.docx

Uploader: b****6  Document ID: 20598842  Uploaded: 2023-01-24  Format: DOCX  Pages: 17  Size: 26.68KB
Dynamic policy will be lost after a system or service restart.
The benefit of dynamic policy is that it can co-exist with DS based policy.
To delete all dynamic policies, execute "ipseccmd -u".

Static mode will create or modify stored policy in either the
Local or Persistent registry locations. Such policy will continue to be used
after a system or service restart, however policies stored in the Local store
will be overwritten by assigned DS policy while policies stored in the
Persistent store will be merged with assigned DS policy.

The syntax for creating policy in Static mode is almost identical to that of
Dynamic mode. The significant difference is the requirement of additional
information as indicated by the options listed in braces as well as a
change in syntax for creating Permit and Block filters.

Show mode will query SPD and display information about currently active policy.

Set mode will change IPSec configuration parameters for the lifetime of the
current instance of the service.

Import and export mode will import or export a .ipsec policy file to/from the
local or persistent storage location.

--------------
DYNAMIC MODE

Each execution of ipseccmd sets an IPSec rule, an IKE policy, or both.

OPTIONS:

\\machinename  Sets policies on a remote computer. If not included,
               the local machine is assumed.
               NOTE: If you use this option, it must be the first argument AND
               you MUST have administrative privileges on the remote computer.

The following parameters are used to create an IPSec policy.
If omitted, a default value is used when applicable.

-f FilterList
    A list of one or more space separated filter specifications
    in the following format:
        A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
    Optionally, you can specify the keyword DEFAULT to set the
    Default Response rule.
    The Source address is always on the left of the '=' and the
    Destination address is always on the right.
    Mask: Optional subnet mask. If omitted, 255.255.255.255 will be used.
    If subnets lie along octet boundaries, then you can use the following
    wildcard notation:
        144.92.*.*  is the same as 144.92.0.0/255.255.0.0
        128.*.*.*   is the same as 128.0.0.0/255.0.0.0
        128.*.*     is the same as above
        128.*       is the same as above
    You can replace A.B.C.D/mask with the following for special meaning:
        0 means My address(es)
        * means Any address
        a DNS name (NOTE: only the first name resolution will be set)
        DNS, WINS, DHCP, or GATEWAY can be specified. SPD will dynamically
        replace such settings with the associated addresses set on the computer.
    Port and Protocol are optional. If omitted, the values are set to ANY.
    If you indicate a protocol, a port value or ':' must precede it.
    You can also use these protocol symbols: ICMP TCP UDP RAW
    Examples:
        M1+M2:6 will filter TCP traffic between addresses M1 and M2 on any port
        172.31.0.0/255.255.0.0:80+157.0.0.0/255.0.0.0:80:TCP will filter
        all TCP traffic from the first subnet and the second subnet on port 80.
        If you want to filter on protocol, use ':' following the
        destination address.
    MIRRORING: If you replace the '=' with a '+', two filters will be created,
    one in each direction.
    PASS and BLOCK filters: By surrounding a filter specification with (),
    the filter will be a Pass (or Permit) filter. If you surround the
    specification with [], it will be a Block filter.
    Example: (0+128.2.1.1) will create 2 filters that will be exempted
    from policy.
    This syntax is available only in Dynamic mode. Static mode
    requires setting options in the negotiation method.
    DEFAULT: There is no default, -f is required for all Dynamic commands.
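As an added example that is not part of the original document, the following Python parser applies the filter-specification grammar described above: address[/mask][:port] on each side of '=' or '+', an optional protocol after the destination port field, wildcard octets, the 0/*/DNS/WINS/DHCP/GATEWAY keywords, and () or [] for Pass and Block filters. The Filter record, the MY_ADDRESS/ANY labels and the numeric values assumed for the ICMP/TCP/UDP/RAW symbols are this example's own choices, not ipseccmd output.

```python
from collections import namedtuple

# Endpoint keywords the text gives special meaning; SPD substitutes the real addresses.
SPECIAL = {"0": "MY_ADDRESS", "*": "ANY", "DNS": "DNS", "WINS": "WINS", "DHCP": "DHCP", "GATEWAY": "GATEWAY"}
PROTOCOLS = {"ICMP": 1, "TCP": 6, "UDP": 17, "RAW": 255}   # assumed numeric values; 0 = ANY
# action: PASS for (...), BLOCK for [...], NEGOTIATE otherwise; port 0 = ANY (assumed record layout)
Filter = namedtuple("Filter", "action src src_mask src_port dst dst_mask dst_port protocol")

def parse_address(text):
    """Expand one endpoint to (address, mask): wildcard octets -> octet-boundary mask, bare quad -> /32."""
    if text in SPECIAL:
        return SPECIAL[text], None
    if "/" in text:
        return tuple(text.split("/", 1))
    octets = text.split(".")
    if "*" in octets:                       # 144.92.*.*, 128.*.* and 128.* forms
        fixed = octets[: octets.index("*")]
        if not 1 <= len(fixed) <= 3 or not all(o.isdigit() for o in fixed):
            raise ValueError(f"bad wildcard address: {text}")
        n = len(fixed)
        return ".".join(fixed + ["0"] * (4 - n)), ".".join(["255"] * n + ["0"] * (4 - n))
    if len(octets) == 4 and all(o.isdigit() for o in octets):
        return text, "255.255.255.255"      # mask omitted: 255.255.255.255 is used
    return text, None                       # DNS name: ipseccmd sets only the first resolution

def parse_filter(spec):
    """Parse one filter specification: one Filter for '=', two (one per direction) for '+'."""
    action = {"()": "PASS", "[]": "BLOCK"}.get(spec[:1] + spec[-1:], "NEGOTIATE")
    if action != "NEGOTIATE":
        spec = spec[1:-1]
    sep = "+" if "+" in spec else "="
    left, right = spec.split(sep, 1)       # Source is always left, Destination right
    src = left.split(":") + [""]            # addr[:port]
    dst = right.split(":") + ["", ""]       # addr[:port][:protocol]; a port value or ':' precedes the protocol
    proto = dst[2].upper()
    protocol = PROTOCOLS[proto] if proto in PROTOCOLS else (int(proto) if proto else 0)
    s_addr, s_mask = parse_address(src[0])
    d_addr, d_mask = parse_address(dst[0])
    s_port = int(src[1]) if src[1] else 0
    d_port = int(dst[1]) if dst[1] else 0
    flt = Filter(action, s_addr, s_mask, s_port, d_addr, d_mask, d_port, protocol)
    if sep == "=":
        return [flt]
    return [flt, Filter(action, d_addr, d_mask, d_port, s_addr, s_mask, s_port, protocol)]
```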

-n NegotiationMethodList
    A list of one or more space separated negotiation methods in the
    following format:
        ESP[ConfAlg,AuthAlg]Rekey PFS<Group>
        AH[HashAlg]Rekey PFS<Group>
        AH[HashAlg]+ESP[ConfAlg,AuthAlg]Rekey PFS<Group>
    where ConfAlg can be NONE, DES, or 3DES
    and AuthAlg can be NONE, MD5, or SHA
    and HashAlg is MD5 or SHA
    ESP[NONE,NONE] is not a supported configuration.
    DEFAULT: ESP[3DES,SHA] ESP[3DES,MD5] ESP[DES,SHA] ESP[DES,MD5]
    Rekey: Optional setting to specify the number of KBytes and/or seconds
        after which IKE should rekey a Quick Mode security association.
        Add a value and 'k' or 's' after the negotiation method to indicate
        KBytes or seconds. To use both, separate them with a slash.
        Example: ESP[DES,SHA]5120k/3600s will rekey after 5MB or 1 hour
        DEFAULT: 100000k/3600s
    PFS: Optional setting to enable Quick Mode perfect forward secrecy.
        Add 'PFS' with an optional group value after the negotiation method:
        1, 2, or 3, corresponding to the following Diffie-Hellman groups:
            DH1  - (Low, 768 bit)
            DH2  - (Med, 1024 bit)
            DH14 - (High, 2048 bit)
        If no group number is specified, the Main Mode group will be used.
        Example: ESP[DES,SHA]P2 will set perfect forward secrecy to use DH2
        PFS is not enabled by default.
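Added example, not part of the original document: a Python parser for one -n negotiation method that enforces the rules stated above (AH and/or ESP, '+' exactly when both are present, ESP[NONE,NONE] rejected, Rekey in k and/or s, PFS with an optional group). It accepts both the 'PFS' keyword and the 'P<group>' form of the page's example, and applies the 100000k/3600s default only when no Rekey value is given; the NegotiationMethod record and that last choice are this example's assumptions.

```python
import re
from collections import namedtuple

# One -n token: AH[HashAlg] and/or ESP[ConfAlg,AuthAlg], an optional Rekey
# (<n>k, <n>s or <n>k/<n>s) right after the bracket, then an optional PFS<group>.
# 'P<group>' is accepted too, matching the page's "ESP[DES,SHA]P2" example.
METHOD_RE = re.compile(
    r"^(?:AH\[(?P<hash>MD5|SHA)\])?"
    r"(?:(?P<plus>\+)?ESP\[(?P<conf>NONE|DES|3DES),(?P<auth>NONE|MD5|SHA)\])?"
    r"(?:(?P<kb>\d+)k)?(?:/?(?P<sec>\d+)s)?"
    r"(?P<pfs>\s*(?:PFS|P)(?P<group>[123])?)?$",
    re.IGNORECASE)
DEFAULT_REKEY = (100000, 3600)  # page: "100000k/3600s"; applied here only when no Rekey is given (assumption)
# pfs_group None with pfs=True means the Main Mode group is used (assumed record layout)
NegotiationMethod = namedtuple("NegotiationMethod", "ah_hash esp_conf esp_auth rekey_kbytes rekey_seconds pfs pfs_group")

def parse_method(token):
    """Parse one negotiation method, rejecting the combinations the text does not allow."""
    m = METHOD_RE.match(token.strip())
    if not m:
        raise ValueError(f"unparseable negotiation method: {token!r}")
    d = {k: (v.upper() if isinstance(v, str) else v) for k, v in m.groupdict().items()}
    if d["hash"] is None and d["conf"] is None:
        raise ValueError("a method needs AH[...] and/or ESP[...]")
    if (d["plus"] is not None) != (d["hash"] is not None and d["conf"] is not None):
        raise ValueError("'+' joins AH[...] to ESP[...] and is used only in that form")
    if d["conf"] == "NONE" and d["auth"] == "NONE":
        raise ValueError("ESP[NONE,NONE] is not a supported configuration")
    kb, sec = d["kb"], d["sec"]
    if kb is None and sec is None:
        kb, sec = DEFAULT_REKEY
    return NegotiationMethod(
        d["hash"], d["conf"], d["auth"],
        None if kb is None else int(kb), None if sec is None else int(sec),
        d["pfs"] is not None, None if d["group"] is None else int(d["group"]))

def is_supported(token):
    """True when the token is a method the rules above accept."""
    try:
        parse_method(token)
        return True
    except ValueError:
        return False
```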

-t TunnelAddr
    A tunnel mode endpoint in one of the following formats:
        A.B.C.D
        DNS name
    If you need to set up a tunnel policy, you will need to execute
    ipseccmd twice -- once for the outbound filters and outgoing tunnel
    endpoint, and once for the inbound filters and incoming tunnel endpoint.
    Omission of tunnel address assumes transport mode.

-a AuthMethodList
    A list of space separated authentication methods in the following format:
        KERBEROS
        CERT:"<CAinfo>"       e.g. CERT:"CN=CA1,OU=O,O=MEME,C=DE,E=ME@here"
        PRESHARE:"<preshared key>"
    The strings provided as the preshared key or CA info are case sensitive
    and cannot include quotation marks.
    You can abbreviate a method with its first letter, i.e. P, K, or C.

-soft
    Optional parameter to allow 'soft' security associations.
    DEFAULT: Option is not set.

-confirm
    Optional parameter to ask for confirmation before setting policy.
    Option can only be used in Dynamic mode.

-lan
    Optional parameter to set policy only on addresses of LAN adapters.

-dialup
    Optional parameter to set policy only on addresses of dial-up adapters.
    If neither parameter is specified, all local adapters are used.

The following deal with Main Mode (phase 1) policy.
If no IKE options are specified, the current IKE policy will be used.
If there is no current IKE policy, the defaults will be set.

-1s SecurityMethodList
    A list of one or more space separated security methods in the
    following format:
        ConfAlg-HashAlg-GroupNum
    where ConfAlg can be DES or 3DES
    and HashAlg can be MD5 or SHA
    and GroupNum can be 1, 2, or 3, corresponding to the following DH groups:
        DH1  - (Low, 768 bit)
        DH2  - (Med, 1024 bit)
        DH14 - (High, 2048 bit)
    Example: DES-SHA-1
    DEFAULT: 3DES-SHA-2 3DES-MD5-2 DES-SHA-1 DES-MD5-1

-1k MMRekeyTime
    The number of Quick Modes and/or seconds after which IKE should rekey a
    Main Mode security association. Add a value with 'Q' or 'S' to indicate
    a limit on Quick Modes or seconds.
    To use both, separate them with a slash.
    Example: 10Q/3600S will rekey after 10 quick modes or every hour.
    DEFAULT: No Quick Mode limit, 480 min lifetime.

-1e SoftSAExpirationTime
    The time in seconds to maintain a 'soft' security association.
    Value is not set if -Soft is not specified.
    Value is set to the Main Mode lifetime if -Soft is specified.

-------------
STATIC MODE

Static mode uses most of the dynamic mode syntax, but adds a few options
that enable policy storage in the same format as the IPSec Management snap-in.
While Dynamic mode only lets you add anonymous rules to SPD, Static mode
allows you to create named policies and named rules. It also has some
functionality to modify existing policies and rules, provided they were
originally created with ipseccmd. Policies can be set as either Assigned or
Unassigned. Only Assigned policies will be added to SPD.

In addition to the new parameters listed in braces, a change in syntax must be
made to signify filters as Pass (or permit) and Block. In Static mode, these
options are set in the Negotiation Method List specified by -n. There are three
values you can pass in the Negotiation Method List that have special meaning:
    BLOCK   will ignore any methods in the Negotiation Methods List and
            will make all of the filters in the Filter List Block filters.
    PASS    will ignore any methods in Negotiation Method List and
            will make all of the filters in the Filter List Pass filters.
    INPASS  will set any inbound filters in the Filter List as Pass filters while
            setting outbound filters to use the security methods provided.
            This is the same as checking the "Allow unsecured communication,
            but always respond using IPSEC" checkbox in the snap-in.

Static Mode Parameters:
All parameters are REQUIRED unless otherwise indicated.

-w Location
    Location to write policy ch
