archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
3.8 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ipsec/ipseccmd/overview.txt

74 lines
2.9 KiB
Raw Normal View History

Add source files
4 years ago
  1. IPSEC POLICY CONFIGURATION COMMAND LINE TOOL
  2. by Randy Ramig ([email protected])
  3. and Dennis Kalinichenko ([email protected])
  5. This tool is used to configure IP Security policies in the Directory
  6. Service, or in a local or remote registry. It does everything that the
  7. IP Security MMC snap-in does, and is even modeled after the snap-in.
  9. In addition, it can query IPSec Security Policies Database (SPD) and
  10. display the current state of IPSec Services
  12. ipseccmd has three mutually exclusive modes: static, dynamic and query.
  14. Dynamic mode will plumb policy into the IPSec Services
  15. Security Policies Database. The policy will be persisted, ie. it will stay
  16. after a reboot. The benefit of dynamic mode is that the policy can co-exist
  17. with DS based policies, which overrides any local policy not plumbed
  18. by ipseccmd.
  20. When the tool is used in static mode,
  21. it creates or modifies stored policy. This policy can be used again and
  22. will last the lifetime of the store. Static mode is indicated by the -w
  23. flag. The flags in the {} braces are only valid for static mode. The usage
  24. for static mode is an extension of dynamic mode, so please read through
  25. the dynamic mode section.
  27. In query mode, the tool queries IPSec Security Policies Database.
  29. WHY WOULD I WANT TO USE IPSECCMD?
  31. * You have a large and/or complex IPSec policy that you want to
  32. configure. IPSECCMD can help you by providing a scriptable way to
  33. create that policy. Just put your IPSECCMD commands into a batch file.
  35. This also provides a backup in case you lose the DS or registry that
  36. the policy is stored in. Just re-run the batch file.
  38. * IPSECCMD facilitates just in time policy with it's batch ability.
  39. If someone wants a secured channel with your server, simply send them
  40. the tool binaries and the command line or batch file to run.
  42. * Your machine is using DS policy and you want to enhance or add rules
  43. that will allow you to speak IPSec to machines not covered in the
  44. DS policy. Dynamic mode of IPSECCMD will achieve this for you.
  46. * You prefer command line tools to GUI apps.
  48. RESTRICTIONS
  50. You must have privileges to the storage that you write to in static mode.
  51. This is typically administrative privileges, but authorized users can
  52. modify the ACLs of the storage to give you access. IP Security policy
  53. objects are stored in
  55. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\IPSec\Policy\Local
  56. for the local/remote machine case
  57. AND
  59. CN=IP Security,CN=System,DC=YourDCName,DC=ParentDCName,DC=TopLevelDC
  60. ie, the IP Security container under the System container,
  61. for the Directory Service case.
  63. CAVEATS
  65. * In dynamic mode, if you use a DNS name that resolves to multiple addresses
  66. only the first address in the list is used. This is not a problem in
  67. static mode.
  69. * Read the filter spec help carefully, it is the most difficult and
  70. easiest to confuse. In particular, pay attention to how a protocol
  71. is specified.
  73. REQUIRED FILES:
  74. ipseccmd.exe