archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ipsec/ipseccmd/usage.txt

297 lines
11 KiB
Raw Permalink Normal View History

Add source files
4 years ago
  2. v1.51 Copyright(c) 1998-2001, Microsoft Corporation
  3. USAGE:
  4. ipseccmd \\machinename -f FilterList -n NegotiationPolicyList -t TunnelAddr
  5. -a AuthMethodList -1s SecurityMethodList -1k Phase1RekeyAfter -1p
  6. -1f MMFilterList -1e SoftSAExpirationTime -soft -confirm
  7. [-dialup OR -lan]
  8. {-w TYPE:DOMAIN -p PolicyName:PollInterval -r RuleName -x -y -o}
  9. ipseccmd \\machinename show filters policies auth stats sas all
  12. BATCH MODE:
  13. ipseccmd -file filename
  14. File must contain regular ipseccmd commands,
  15. all these commands will be executed in one shot.
  18. ipseccmd has three mutually exclusive modes: static, dynamic, and query.
  20. The default mode is dynamic.
  22. Dynamic mode will plumb policy directly into the IPSec Services
  23. Security Policies Database. The policy will be persisted, i.e. it will stay
  24. after a reboot. The benefit of dynamic policy is that it can co-exist with
  25. DS based policy.
  27. To delete all dynamic policies, execute "ipseccmd -u" command
  29. When the tool is used in static mode,
  30. it creates or modifies stored policy. This policy can be used again and
  31. will last the lifetime of the store. Static mode is indicated by the -w
  32. flag. The flags in the {} braces are only valid for static mode. The usage
  33. for static mode is an extension of dynamic mode, so please read through
  34. the dynamic mode section.
  36. In query mode, the tool queries IPSec Security Policies Database.
  38. NOTE: references to SHA in ipseccmd are referring to the SHA1 algorithm.
  40. ------------
  41. QUERY MODE
  42. ------------
  44. The tool displays requested type of data from IPSec Security Policies Database
  46. filters - shows main mode and quick mode filters
  47. policies - shows main mode and quick mode policies
  48. auth - shows main mode authentication methods
  49. stats - shows Internet Key Exchange (IKE) and IPSec statistics
  50. sas - shows main mode and quick mode Security Associations
  51. all - shows all of the above data
  52. It is possible to combine several flags
  53. EXAMPLE: ipseccmd show filters policies
  55. ------------
  56. DYNAMIC MODE
  57. ------------
  59. Each execution of the tool sets an IPSec rule, an IKE policy,
  60. or both. When setting the IPSec policy, think of it as setting an "IP Security Rule"
  61. in the UI. So, if you need to set up a tunnel policy, you will need
  62. to execute the tool twice, once for the outbound filters and outgoing tunnel
  63. endpoint, and once for the inbound filters and incoming tunnel endpoint.
  66. OPTIONS:
  68. \\machinename sets policies on that machine. If not included, the
  69. local machine is assumed.
  70. NOTE: that if you use this it must be the first argument AND
  71. you MUST have administrative privileges on that machine.
  73. -confirm will ask you to confirm before setting policy
  74. can be abbreviated to -c
  75. *OPTIONAL, DYNAMIC MODE ONLY*
  77. The following flags deal with IPSec policy. If omitted, a default value
  78. is used where specified.
  80. -f FilterList
  81. where FilterList is one or more space separated filterspecs
  82. a filterspec is of the format:
  83. A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
  84. you can also specify DEFAULT to create default response rule
  86. The Source address is always on the left of the '=' and the Destination
  87. address is always on the right.
  89. MIRRORING: If you replace the '=' with a '+' two filters will be created,
  90. one in each direction.
  92. mask and port are optional. If omitted, Any port and
  93. mask 255.255.255.255 will be used for the filter.
  95. You can replace A.B.C.D/mask with the following for
  96. special meaning:
  97. 0 means My address(es)
  98. * means Any address
  99. a DNS name (NOTE: multiple resolutions are ignored)
  100. a GUID of the local network interface in the form {12345678-1234-1234-1234-123456789ABC}
  101. GUIDs are NOT supported for static mode
  103. protocol is optional, if omitted, Any protocol is assumed. If you
  104. indicate a protocol, a port must precede it or :: must preceded it.
  105. NOTE BENE: if protocol is specified, it must be the last item in
  106. the filter spec.
  108. Examples:
  109. Machine1+Machine2::6 will filter TCP traffic between Machine1 and Machine2
  110. 172.31.0.0/255.255.0.0:80=157.0.0.0/255.0.0.0:80:TCP will filter
  111. all TCP traffic from the first subnet, port 80 to the second subnet,
  112. port 80
  114. PASSTHRU and DROP filters: By surrounding a filter specification with (),
  115. the filter will be a passthru filter. If you surround it with [], the
  116. filter will be a blocking, or drop, filter.
  117. Example: (0+128.2.1.1) will create 2 filters (it's mirrored) that will
  118. be exempted from policy.
  120. You can use the following protocol symbols: ICMP UDP RAW TCP
  122. Star notation:
  123. If you're subnet masks are along octet boundaries, then you
  124. can use the star notation to wildcard subnets.
  125. Examples:
  126. 128.*.*.* is same as 128.0.0.0/255.0.0.0
  127. 128.*.* is the same as above
  128. 128.* is the same as above
  129. 144.92.*.* is same as 144.92.0.0/255.255.0.0
  131. There is no DEFAULT, -f is required
  133. -n NegotiationPolicyList
  134. where NegotiationPolicyList is one or more space separated
  135. IPSec policies in the one of the following forms:
  137. ESP[ConfAlg,AuthAlg]RekeyPFS[Group]
  138. AH[HashAlg]
  139. AH[HashAlg]+ESP[ConfAlg,AuthAlg]
  141. where ConfAlg can be NONE, DES, or 3DES
  142. and AuthAlg can be NONE, MD5, or SHA
  143. and HashAlg is MD5 or SHA
  145. NOTE: ESP[NONE,NONE] is not a supported config
  146. NOTE: SHA refers the SHA1 hash algorithm
  148. Rekey is number of KBytes or number of seconds to rekey
  149. put K or S after the number to indicate KBytes or seconds, respectively
  150. Example: 3600S will rekey after 1 hour
  151. To use both, separate with a slash.
  152. Example: 3600S/5000K will rekey every hour and 5 MB.
  154. REKEY PARAMETERS ARE OPTIONAL
  156. PFS this is OPTIONAL, if it is present it will enable phase 2 perfect
  157. forward secrecy. You may use just P for short.
  158. It is also possible to specify which PFS Group to use:
  159. PFS1 or P1, PFS2 or P2
  160. By Default, PFS Group value will be taken from current Main Mode settings
  161. DEFAULT: ESP[3DES,SHA] ESP[3DES,MD5] ESP[DES,SHA]
  162. ESP[DES,MD5]
  164. -t tunnel address in one of the following forms:
  165. A.B.C.D
  166. DNS name
  168. DEFAULT: omission of tunnel address assumes transport mode
  170. -a AuthMethodList
  171. A list of space separated auth methods of the form:
  172. PRESHARE:"preshared key string"
  173. KERBEROS
  174. CERT:"CA Info"
  176. The strings provided to preshared key and CA info ARE case sensitive.
  177. You can abbreviate the method with the first letter, ie. P, K, or C.
  179. DEFAULT: KERBEROS
  181. -soft will allow soft associations
  182. DEFAULT: don't allow soft SAs
  184. -lan will set policy only for lan adapters
  185. -dialup will set policy only for dialup adapters
  186. *BOTH ARE OPTIONAL, if not specified, All adapters are used*
  187. DEFAULT: All adapters
  189. The following deal with IKE phase 1 policy. An easy way to remember
  190. is that all IKE phase 1 parameters are passed with a 1 in the flag.
  192. If no IKE flags are specified, the current IKE policy
  193. will be used. If there is no current IKE policy, the defaults
  194. specified below will be used.
  196. -1s SecurityMethodList
  197. where SecurityMethodList is one or more space separated SecurityMethods
  198. in the form:
  199. ConfAlg-HashAlg-GroupNum
  200. where ConfAlg can be DES or 3DES
  201. and HashAlg is MD5 or SHA
  202. and GroupNum is:
  203. 1 (Low)
  204. 2 (Med)
  206. Example: DES-SHA-1
  207. DEFAULT: 3DES-SHA-2 3DES-MD5-2 DES-SHA-1 DES-MD5-1
  209. -1p enable PFS for phase 1
  210. DEFAULT: not enabled
  212. -1k number of Quick Modes or number of seconds to rekey for phase 1
  213. put Q or S after the number to indicate Quick Modes or seconds,
  214. respectively
  215. Example: 10Q will rekey after 10 quick modes
  216. To use both, separate with a slash.
  217. Example: 10Q/3600S will rekey every hour and 10 quick modes
  218. *OPTIONAL*
  219. DEFAULT: no QM limit, 480 min lifetime
  221. -1e SoftSAExpirationTime
  222. set Soft SA expiration time attribute of the main mode policy
  223. value is specified in seconds
  224. DEFAULT: not set if Soft SA is not allowed
  225. set to 300 seconds if Soft SA is allowed
  227. -1f MMFilterList
  228. set specific main mode filters. Syntax is the same as for -f option
  229. except that you cannot specify passthru, block filters, ports and protocols
  230. DEFAULT: filters are generated automatically based on quick mode filters
  232. -----------
  233. STATIC MODE
  234. -----------
  236. Static mode uses most of the dynamic mode syntax, but adds a few flags
  237. that enable it work at a policy level as well. Remember, dynamic mode
  238. just lets you add anonymous rules to the policy agent. Static mode
  239. allows you to create named policies and named rules. It also has some
  240. functionality to modify existing policies and rules, provided they were
  241. originally created with ipseccmd.
  243. Static mode is supposed to provide most of the functionality of the IPSec UI
  244. in a command line tool, so there are references here to the UI.
  246. First, there is one change to the dynamic mode usage that static mode
  247. requires. In static mode, pass through and block filters are indicated
  248. in the NegotiationPolicyList that is specified by -n. There are three
  249. items you can pass in the NegotiationPolicyList that have special meaning:
  251. BLOCK will ignore the rest of the policies in NegotiationPolicyList and
  252. will make all of the filters blocking or drop filters.
  253. This is the same as checking the "Block" radio button
  254. in the UI
  256. PASS will ignore the rest of the policies in NegotiationPolicyList and
  257. will make all of the filters pass through filters.
  258. This is the same as checking the "Permit"
  259. radio button in the UI
  261. INPASS will plumb any inbound filters as pass through.
  262. This is the same as checking the "Allow unsecured communication,
  263. but always respond using IPSEC" check box in the UI
  266. Static Mode flags:
  267. All flags are REQUIRED unless otherwise indicated.
  269. -w Write the policy to storage indicated by TYPE:LOCATION
  270. TYPE can be either REG for registry or DS for Directory Storage
  271. if \\machinename was specified and TYPE is REG, will be written
  272. to the remote machine's registry
  273. DOMAIN for the DS case only. Indicates the domain name of the
  274. DS to write to. If omitted, use the domain the local machine is in.
  275. OPTIONAL
  277. -p PolicyName:PollInterval
  278. Name the policy with this string. If a policy with this name is
  279. already in storage, this rule will be added to the policy.
  280. Otherwise a new policy will be created. If PollInterval is specified,
  281. the polling interval for the policy will be set.
  283. -r RuleName
  284. Name the rule with this string. If a rule with that name already exists,
  285. that rule is modified to reflect the information supplied to ipseccmd.
  286. For example, if only -f is specified and the rule exists,
  287. only the filters of that rule will be replaced.
  289. -x will set the policy active in the LOCAL registry case OPTIONAL
  291. -y will set the policy inactive in the LOCAL registry case OPTIONAL
  293. -o will delete the policy specified by -p OPTIONAL
  294. (NOTE: this will delete all aspects of the specified policy
  295. don't use if you have other policies pointing to the objects in that policy)
  297. The command completed successfully.