v1.51 Copyright(c) 1998-2001, Microsoft Corporation USAGE: ipseccmd \\machinename -f FilterList -n NegotiationPolicyList -t TunnelAddr -a AuthMethodList -1s SecurityMethodList -1k Phase1RekeyAfter -1p -1f MMFilterList -1e SoftSAExpirationTime -soft -confirm [-dialup OR -lan] {-w TYPE:DOMAIN -p PolicyName:PollInterval -r RuleName -x -y -o} ipseccmd \\machinename show filters policies auth stats sas all BATCH MODE: ipseccmd -file filename File must contain regular ipseccmd commands, all these commands will be executed in one shot. ipseccmd has three mutually exclusive modes: static, dynamic, and query. The default mode is dynamic. Dynamic mode will plumb policy directly into the IPSec Services Security Policies Database. The policy will be persisted, i.e. it will stay after a reboot. The benefit of dynamic policy is that it can co-exist with DS based policy. To delete all dynamic policies, execute "ipseccmd -u" command When the tool is used in static mode, it creates or modifies stored policy. This policy can be used again and will last the lifetime of the store. Static mode is indicated by the -w flag. The flags in the {} braces are only valid for static mode. The usage for static mode is an extension of dynamic mode, so please read through the dynamic mode section. In query mode, the tool queries IPSec Security Policies Database. NOTE: references to SHA in ipseccmd are referring to the SHA1 algorithm. ------------ QUERY MODE ------------ The tool displays requested type of data from IPSec Security Policies Database filters - shows main mode and quick mode filters policies - shows main mode and quick mode policies auth - shows main mode authentication methods stats - shows Internet Key Exchange (IKE) and IPSec statistics sas - shows main mode and quick mode Security Associations all - shows all of the above data It is possible to combine several flags EXAMPLE: ipseccmd show filters policies ------------ DYNAMIC MODE ------------ Each execution of the tool sets an IPSec rule, an IKE policy, or both. When setting the IPSec policy, think of it as setting an "IP Security Rule" in the UI. So, if you need to set up a tunnel policy, you will need to execute the tool twice, once for the outbound filters and outgoing tunnel endpoint, and once for the inbound filters and incoming tunnel endpoint. OPTIONS: \\machinename sets policies on that machine. If not included, the local machine is assumed. NOTE: that if you use this it must be the first argument AND you MUST have administrative privileges on that machine. -confirm will ask you to confirm before setting policy can be abbreviated to -c *OPTIONAL, DYNAMIC MODE ONLY* The following flags deal with IPSec policy. If omitted, a default value is used where specified. -f FilterList where FilterList is one or more space separated filterspecs a filterspec is of the format: A.B.C.D/mask:port=A.B.C.D/mask:port:protocol you can also specify DEFAULT to create default response rule The Source address is always on the left of the '=' and the Destination address is always on the right. MIRRORING: If you replace the '=' with a '+' two filters will be created, one in each direction. mask and port are optional. If omitted, Any port and mask 255.255.255.255 will be used for the filter. You can replace A.B.C.D/mask with the following for special meaning: 0 means My address(es) * means Any address a DNS name (NOTE: multiple resolutions are ignored) a GUID of the local network interface in the form {12345678-1234-1234-1234-123456789ABC} GUIDs are NOT supported for static mode protocol is optional, if omitted, Any protocol is assumed. If you indicate a protocol, a port must precede it or :: must preceded it. NOTE BENE: if protocol is specified, it must be the last item in the filter spec. Examples: Machine1+Machine2::6 will filter TCP traffic between Machine1 and Machine2 172.31.0.0/255.255.0.0:80=157.0.0.0/255.0.0.0:80:TCP will filter all TCP traffic from the first subnet, port 80 to the second subnet, port 80 PASSTHRU and DROP filters: By surrounding a filter specification with (), the filter will be a passthru filter. If you surround it with [], the filter will be a blocking, or drop, filter. Example: (0+128.2.1.1) will create 2 filters (it's mirrored) that will be exempted from policy. You can use the following protocol symbols: ICMP UDP RAW TCP Star notation: If you're subnet masks are along octet boundaries, then you can use the star notation to wildcard subnets. Examples: 128.*.*.* is same as 128.0.0.0/255.0.0.0 128.*.* is the same as above 128.* is the same as above 144.92.*.* is same as 144.92.0.0/255.255.0.0 There is no DEFAULT, -f is required -n NegotiationPolicyList where NegotiationPolicyList is one or more space separated IPSec policies in the one of the following forms: ESP[ConfAlg,AuthAlg]RekeyPFS[Group] AH[HashAlg] AH[HashAlg]+ESP[ConfAlg,AuthAlg] where ConfAlg can be NONE, DES, or 3DES and AuthAlg can be NONE, MD5, or SHA and HashAlg is MD5 or SHA NOTE: ESP[NONE,NONE] is not a supported config NOTE: SHA refers the SHA1 hash algorithm Rekey is number of KBytes or number of seconds to rekey put K or S after the number to indicate KBytes or seconds, respectively Example: 3600S will rekey after 1 hour To use both, separate with a slash. Example: 3600S/5000K will rekey every hour and 5 MB. REKEY PARAMETERS ARE OPTIONAL PFS this is OPTIONAL, if it is present it will enable phase 2 perfect forward secrecy. You may use just P for short. It is also possible to specify which PFS Group to use: PFS1 or P1, PFS2 or P2 By Default, PFS Group value will be taken from current Main Mode settings DEFAULT: ESP[3DES,SHA] ESP[3DES,MD5] ESP[DES,SHA] ESP[DES,MD5] -t tunnel address in one of the following forms: A.B.C.D DNS name DEFAULT: omission of tunnel address assumes transport mode -a AuthMethodList A list of space separated auth methods of the form: PRESHARE:"preshared key string" KERBEROS CERT:"CA Info" The strings provided to preshared key and CA info ARE case sensitive. You can abbreviate the method with the first letter, ie. P, K, or C. DEFAULT: KERBEROS -soft will allow soft associations DEFAULT: don't allow soft SAs -lan will set policy only for lan adapters -dialup will set policy only for dialup adapters *BOTH ARE OPTIONAL, if not specified, All adapters are used* DEFAULT: All adapters The following deal with IKE phase 1 policy. An easy way to remember is that all IKE phase 1 parameters are passed with a 1 in the flag. If no IKE flags are specified, the current IKE policy will be used. If there is no current IKE policy, the defaults specified below will be used. -1s SecurityMethodList where SecurityMethodList is one or more space separated SecurityMethods in the form: ConfAlg-HashAlg-GroupNum where ConfAlg can be DES or 3DES and HashAlg is MD5 or SHA and GroupNum is: 1 (Low) 2 (Med) Example: DES-SHA-1 DEFAULT: 3DES-SHA-2 3DES-MD5-2 DES-SHA-1 DES-MD5-1 -1p enable PFS for phase 1 DEFAULT: not enabled -1k number of Quick Modes or number of seconds to rekey for phase 1 put Q or S after the number to indicate Quick Modes or seconds, respectively Example: 10Q will rekey after 10 quick modes To use both, separate with a slash. Example: 10Q/3600S will rekey every hour and 10 quick modes *OPTIONAL* DEFAULT: no QM limit, 480 min lifetime -1e SoftSAExpirationTime set Soft SA expiration time attribute of the main mode policy value is specified in seconds DEFAULT: not set if Soft SA is not allowed set to 300 seconds if Soft SA is allowed -1f MMFilterList set specific main mode filters. Syntax is the same as for -f option except that you cannot specify passthru, block filters, ports and protocols DEFAULT: filters are generated automatically based on quick mode filters ----------- STATIC MODE ----------- Static mode uses most of the dynamic mode syntax, but adds a few flags that enable it work at a policy level as well. Remember, dynamic mode just lets you add anonymous rules to the policy agent. Static mode allows you to create named policies and named rules. It also has some functionality to modify existing policies and rules, provided they were originally created with ipseccmd. Static mode is supposed to provide most of the functionality of the IPSec UI in a command line tool, so there are references here to the UI. First, there is one change to the dynamic mode usage that static mode requires. In static mode, pass through and block filters are indicated in the NegotiationPolicyList that is specified by -n. There are three items you can pass in the NegotiationPolicyList that have special meaning: BLOCK will ignore the rest of the policies in NegotiationPolicyList and will make all of the filters blocking or drop filters. This is the same as checking the "Block" radio button in the UI PASS will ignore the rest of the policies in NegotiationPolicyList and will make all of the filters pass through filters. This is the same as checking the "Permit" radio button in the UI INPASS will plumb any inbound filters as pass through. This is the same as checking the "Allow unsecured communication, but always respond using IPSEC" check box in the UI Static Mode flags: All flags are REQUIRED unless otherwise indicated. -w Write the policy to storage indicated by TYPE:LOCATION TYPE can be either REG for registry or DS for Directory Storage if \\machinename was specified and TYPE is REG, will be written to the remote machine's registry DOMAIN for the DS case only. Indicates the domain name of the DS to write to. If omitted, use the domain the local machine is in. OPTIONAL -p PolicyName:PollInterval Name the policy with this string. If a policy with this name is already in storage, this rule will be added to the policy. Otherwise a new policy will be created. If PollInterval is specified, the polling interval for the policy will be set. -r RuleName Name the rule with this string. If a rule with that name already exists, that rule is modified to reflect the information supplied to ipseccmd. For example, if only -f is specified and the rule exists, only the filters of that rule will be replaced. -x will set the policy active in the LOCAL registry case OPTIONAL -y will set the policy inactive in the LOCAL registry case OPTIONAL -o will delete the policy specified by -p OPTIONAL (NOTE: this will delete all aspects of the specified policy don't use if you have other policies pointing to the objects in that policy) The command completed successfully.