
IPseccmd.docx

USAGE:

ipseccmd machinename -f FilterList -n NegotiationMethodList -t TunnelAddr
         -a AuthMethodList -1s SecurityMethodList -1k MMRekeyTime
         -1e SoftSAExpirationTime -soft -confirm -dialup OR -lan
         {-w Location -p PolicyName:PollInterval -r RuleName -x OR -y -o}
   Creates or modifies IPSec policy.

ipseccmd machinename show gpo filters policies auth stats sas all
   Displays current IPSec configuration.

ipseccmd machinename set logike OR dontlogike
   Turns on/off IKE logging.

ipseccmd machinename import OR export Location FileName
   Imports or exports a static policy file.

ipseccmd -file FileName
   Executes a file containing regular static or dynamic ipseccmd commands.

Ipseccmd has multiple mutually exclusive modes: dynamic, static, show, set,
import, and export. The default mode is dynamic.

Dynamic mode will set policy directly into the IPSec Service's Security
Policies Database (SPD). The policy will not be persisted, and will only exist
during the current instance of the service. Dynamic policy will be lost after
a system or service restart. The benefit of dynamic policy is that it can
co-exist with DS based policy. To delete all dynamic policies, execute
ipseccmd -u

Static mode will create or modify stored policy in either the Local or
Persistent registry locations. Such policy will continue to be used after a
system or service restart; however, policies stored in the Local store will be
overwritten by assigned DS policy, while policies stored in the Persistent
store will be merged with assigned DS policy.

The syntax for creating policy in Static mode is almost identical to that of
Dynamic mode. The significant difference is the requirement of additional
information, as indicated by the options listed in braces, as well as a change
in syntax for creating Permit and Block filters.

Show mode will query SPD and display information about currently active policy.

Set mode will change IPSec configuration parameters for the lifetime of the
current instance of the service.

Import and export mode will import or export a .ipsec policy file to/from the
local or persistent storage location.

- DYNAMIC MODE -

Each execution of ipseccmd sets an IPSec rule, an IKE policy, or both.

OPTIONS:

machinename
   Sets policies on a remote computer. If not included, the local machine is
   assumed.
   NOTE: If you use this option, it must be the first argument AND you MUST
   have administrative privileges on the remote computer.

The following parameters are used to create an IPSec policy. If omitted, a
default value is used when applicable.

-f FilterList
   A list of one or more space separated filter specifications in the
   following format:
      A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
   Optionally, you can specify the keyword DEFAULT to set the Default Response
   rule.
   The Source address is always on the left of the =, and the Destination
   address is always on the right.
   Mask: Optional subnet mask. If omitted, 255.255.255.255 will be used.
   If subnets lie along octet boundaries, then you can use the following
   wildcard notation:
      144.92.*.* is the same as 144.92.0.0/255.255.0.0
      128.*.*.*  is the same as 128.0.0.0/255.0.0.0
      128.*.*    is the same as above
      128.*      is the same as above
   You can replace A.B.C.D/mask with the following for special meaning:
      0 means My address(es)
      * means Any address
      a DNS name (NOTE: only the first name resolution will be set)
      DNS, WINS, DHCP, or GATEWAY can be specified. SPD will dynamically
      replace such settings with the associated addresses set on the computer.
   Port and Protocol are optional. If omitted, the values are set to ANY.
   If you indicate a protocol, a port value or : must precede it. You can also
   use these protocol symbols: ICMP TCP UDP RAW
   Examples:
      M1+M2:6 will filter TCP traffic between addresses M1 and M2 on any port.
      172.31.0.0/255.255.0.0:80+157.0.0.0/255.0.0.0:80:TCP will filter all TCP
      traffic from the first subnet and the second subnet on port 80.
   If you want to filter on a protocol, the : that introduces it must follow
   the Destination address.
   MIRRORING: If you replace the = with a +, two filters will be created, one
   in each direction.
   PASS and BLOCK filters: By surrounding a filter specification with (), the
   filter will be a Pass (or Permit) filter. If you surround the specification
   with [], it will be a Block filter.
   Example: (0+128.2.1.1) will create 2 filters that will be exempted from
   policy.
   NOTE: This syntax is available only in Dynamic mode. Static mode requires
   setting options in the negotiation method.
   DEFAULT: There is no default; -f is required for all Dynamic commands.
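As an added example, not part of the ipseccmd documentation above, a small Python parser for the -f filter specification grammar just described: it expands the wildcard and omitted-mask address forms, resolves the ICMP/TCP/UDP/RAW symbols, and separates () permit and [] block filters from ordinary negotiated ones. It reads the grammar strictly as addr[:port]=addr[:port][:protocol], so a protocol with any port is written with an empty port field (::TCP); the DEFAULT keyword is not handled, and the sample filters are constructed.

```python
import ipaddress

# Protocol symbols and special address keywords the -f syntax accepts.
PROTO_SYMBOLS = {"ICMP": 1, "TCP": 6, "UDP": 17, "RAW": 255}
SPECIAL_ADDRS = {"0", "*", "DNS", "WINS", "DHCP", "GATEWAY"}

def normalise_address(text):
    """Expand wildcard and omitted-mask forms; pass specials and DNS names through."""
    if text in SPECIAL_ADDRS:
        return text
    if text.endswith("*"):                        # 144.92.*.*, 128.*.*, 128.* ...
        head = text.rstrip("*.")
        fixed = head.split(".")
        if (text[len(head):].replace(".*", "") or not 1 <= len(fixed) <= 3
                or not all(o.isdigit() for o in fixed)):
            raise ValueError(f"bad wildcard address: {text}")
        pad = 4 - len(fixed)
        return ".".join(fixed + ["0"] * pad) + "/" + ".".join(["255"] * len(fixed) + ["0"] * pad)
    host, _, mask = text.partition("/")
    try:
        ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return text                               # a DNS name, kept as written
    if mask:
        ipaddress.IPv4Address(mask)               # reject a malformed mask early
    return f"{host}/{mask or '255.255.255.255'}"  # omitted mask means a single host

def parse_filter(spec):
    """Parse one -f spec (addr[:port]=addr[:port][:protocol]); None port/protocol = ANY."""
    action = "negotiate"                          # plain spec: negotiate security
    for open_, close, name in (("(", ")", "permit"), ("[", "]", "block")):
        if spec[:1] == open_ and spec[-1:] == close:
            action, spec = name, spec[1:-1]
    mirrored = "+" in spec                        # '+' creates one filter per direction
    src, sep, dst = spec.partition("+" if mirrored else "=")
    if not (sep and src and dst):
        raise ValueError(f"filter needs a source and a destination: {spec!r}")
    s = src.split(":") + [""]                     # addr[:port]
    d = dst.split(":") + ["", ""]                 # addr[:port][:protocol]
    if len(s) > 3 or len(d) > 5:
        raise ValueError(f"too many ':' fields in {spec!r}")
    proto = d[2].upper()
    protocol = PROTO_SYMBOLS.get(proto, int(proto) if proto.isdigit() else None)
    if proto and protocol is None:
        raise ValueError(f"unknown protocol {proto!r}")
    return {"action": action, "mirrored": mirrored,
            "src": normalise_address(s[0]), "src_port": int(s[1]) if s[1] else None,
            "dst": normalise_address(d[0]), "dst_port": int(d[1]) if d[1] else None,
            "protocol": protocol}
```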

-n NegotiationMethodList
   A list of one or more space separated negotiation methods in the following
   format:
      ESP[ConfAlg,AuthAlg]RekeyPFS
      AH[HashAlg]RekeyPFS
      AH[HashAlg]+ESP[ConfAlg,AuthAlg]RekeyPFS
   where ConfAlg can be NONE, DES, or 3DES; AuthAlg can be NONE, MD5, or SHA;
   and HashAlg is MD5 or SHA.
   NOTE: ESP[NONE,NONE] is not a supported configuration.
   DEFAULT: ESP[3DES,SHA] ESP[3DES,MD5] ESP[DES,SHA] ESP[DES,MD5]
   Rekey: Optional setting to specify the number of KBytes and/or seconds
   after which IKE should rekey a Quick Mode security association. Add a value
   and k or s after the negotiation method to indicate KBytes or seconds. To
   use both, separate them with a slash.
   Example: ESP[DES,SHA]5120k/3600s will rekey after 5MB or 1 hour.
   DEFAULT: 100000k/3600s
   PFS: Optional setting to enable Quick Mode perfect forward secrecy. Add PFS
   with an optional group value after the negotiation method: 1, 2, or 3,
   corresponding to the following Diffie-Hellman groups:
      DH1-  (Low, 768 bit)
      DH2-  (Med, 1024 bit)
      DH14- (High, 2048 bit)
   If no group number is specified, the Main Mode group will be used.
   Example: ESP[DES,SHA]P2 will set perfect forward secrecy to use DH2.
   DEFAULT: PFS is not enabled by default.

-t TunnelAddr
   A tunnel mode endpoint in one of the following formats:
      A.B.C.D
      DNS name
   NOTE: If you need to set up a tunnel policy, you will need to execute
   ipseccmd twice: once for the outbound filters and outgoing tunnel endpoint,
   and once for the inbound filters and incoming tunnel endpoint.
   DEFAULT: Omission of tunnel address assumes transport mode.

-a AuthMethodList
   A list of space separated authentication methods in the following format:
      KERBEROS
      CERT:CAInfo, e.g. CERT:CN=CA1,OU=O,O=MEME,C=DE,E=MEhere
      PRESHARE:PresharedKey
   The strings provided as the preshared key or CA info are case sensitive and
   can not include quotation marks. You can abbreviate a method with its first
   letter, i.e. P, K, or C.
   DEFAULT: KERBEROS

-soft
   Optional parameter to allow soft security associations.
   DEFAULT: Option is not set.

-confirm
   Optional parameter to ask for confirmation before setting policy.
   NOTE: Option can only be used in Dynamic mode.
   DEFAULT: Option is not set.

-lan
   Optional parameter to set policy only on addresses of LAN adapters.

-dialup
   Optional parameter to set policy only on addresses of dial-up adapters.
   DEFAULT: If neither parameter is specified, all local adapters are used.

The following deal with Main Mode (phase 1) policy. If no IKE options are
specified, the current IKE policy will be used. If there is no current IKE
policy, the defaults will be set.

-1s SecurityMethodList
   A list of one or more space separated security methods in the following
   format:
      ConfAlg-HashAlg-GroupNum
   where ConfAlg can be DES or 3DES, HashAlg can be MD5 or SHA, and GroupNum
   can be 1, 2, or 3, corresponding to the following DH groups:
      DH1-  (Low, 768 bit)
      DH2-  (Med, 1024 bit)
      DH14- (High, 2048 bit)
   Example: DES-SHA-1
   DEFAULT: 3DES-SHA-2 3DES-MD5-2 DES-SHA-1 DES-MD5-1
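The -n and -1s grammars described above, as an added example that is not part of the ipseccmd documentation: a Python parser for Quick Mode negotiation methods (AH[HashAlg]+ESP[ConfAlg,AuthAlg]RekeyPFS) and Main Mode security methods (ConfAlg-HashAlg-GroupNum), with a check that lists the settings a policy review would flag (DES, MD5, PFS off, DH group 1). It assumes the PFS suffix is written P or PFS followed by an optional group digit, matching the P2 form shown above; the tokens in the test are constructed.

```python
import re
from dataclasses import dataclass

# -n token grammar as given above: AH[HashAlg]+ESP[ConfAlg,AuthAlg]RekeyPFS, with the AH,
# ESP, Rekey (NNNk and/or NNNs) and PFS parts each optional; PFS suffix assumed P or PFS.
_QM_METHOD = re.compile(
    r"^(?:AH\[(MD5|SHA)\])?(\+)?(?:ESP\[(NONE|DES|3DES),(NONE|MD5|SHA)\])?"
    r"(?:(\d+)K)?/?(?:(\d+)S)?(P(?:FS)?([123])?)?$")
# -1s token grammar: ConfAlg-HashAlg-GroupNum
_MM_METHOD = re.compile(r"^(DES|3DES)-(MD5|SHA)-([123])$")

@dataclass
class Method:
    ah_hash: str = None
    conf: str = None
    auth: str = None
    rekey_kbytes: int = 100000    # documented Quick Mode default 100000k/3600s
    rekey_seconds: int = 3600
    dh_group: int = None          # Main Mode: group number; Quick Mode: None = PFS off,
                                  # 0 = PFS with the Main Mode group, else the group given

def parse_qm_method(token):
    """Parse one -n NegotiationMethodList entry (Quick Mode)."""
    m = _QM_METHOD.match(token.upper())
    if not m or not (m[1] or m[3]) or (m[2] and not (m[1] and m[3])):
        raise ValueError(f"not a negotiation method: {token!r}")
    if m[3] == "NONE" and m[4] == "NONE":
        raise ValueError("ESP[NONE,NONE] is not a supported configuration")
    pfs = None if m[7] is None else int(m[8] or 0)
    return Method(m[1], m[3], m[4], int(m[5] or 100000), int(m[6] or 3600), pfs)

def parse_mm_method(token):
    """Parse one -1s SecurityMethodList entry (Main Mode); rekey fields are unused."""
    m = _MM_METHOD.match(token.upper())
    if not m:
        raise ValueError(f"not a security method: {token!r}")
    return Method(conf=m[1], auth=m[2], dh_group=int(m[3]))

def weaknesses(m):
    """Settings a policy review would flag, judged against the options the text lists."""
    checks = [(m.conf == "DES", "DES confidentiality (56-bit key)"),
              (m.conf == "NONE", "ESP without confidentiality"),
              ("MD5" in (m.auth, m.ah_hash), "MD5 integrity"),
              (m.dh_group is None, "Quick Mode PFS not enabled"),
              (m.dh_group == 1, "DH group 1 (768 bit)")]
    return [msg for hit, msg in checks if hit]
```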

-1k MMRekeyTime
   The number of Quick Modes and/or seconds after which IKE should rekey a
   Main Mode security association. Add a value with Q or S to indicate a limit
   on Quick Modes or seconds. To use both, separate them with a slash.
   Example: 10Q/3600S will rekey after 10 quick modes or every hour.
   DEFAULT: No Quick Mode limit, 480 min lifetime.

-1e SoftSAExpirationTime
   The time in seconds to maintain a soft security association.
   DEFAULT: Value is not set if -soft is not specified. Value is set to the
   Main Mode lifetime if -soft is specified.

- STATIC MODE -

Static mode uses most of the dynamic mode syntax, but adds a few options that
enable policy storage in the same format as the IPSec Management snap-in.
While Dynamic mode only lets you add anonymous rules to SPD, Static mode
allows you to create named policies and named rules. It also has some
functionality to modify existing policies and rules, provided they were
originally created with ipseccmd. Policies can be set as either Assigned or
Unassigned. Only Assigned policies will be added to SPD.

In addition to the new parameters listed in braces, a change in syntax must be
made to signify filters as Pass (or Permit) and Block. In Static mode, these
options are set in the NegotiationMethodList specified by -n. There are three
values you can pass in the NegotiationMethodList that have special meaning:
   BLOCK will ignore any methods in the NegotiationMethodList and will make
   all of the filters in the FilterList Block filters.
   PASS will ignore any methods in the NegotiationMethodList and will make all
   of the filters in the FilterList Pass filters.
   INPASS will set any inbound filters in the FilterList as Pass filters while
   setting outbound filters to use the security methods provided. This is the
   same as checking the "Allow unsecured communication, but always respond
   using IPSEC" check box in the snap-in.

Static Mode Parameters:
All parameters are REQUIRED unless otherwise indicated.

-w Location
   Location to write policy ch
