Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

74 lines
2.9 KiB

IPSEC POLICY CONFIGURATION COMMAND LINE TOOL
by Randy Ramig ([email protected])
and Dennis Kalinichenko ([email protected])
This tool is used to configure IP Security policies in the Directory
Service, or in a local or remote registry. It does everything that the
IP Security MMC snap-in does, and is even modeled after the snap-in.
In addition, it can query IPSec Security Policies Database (SPD) and
display the current state of IPSec Services
ipseccmd has three mutually exclusive modes: static, dynamic and query.
Dynamic mode will plumb policy into the IPSec Services
Security Policies Database. The policy will be persisted, ie. it will stay
after a reboot. The benefit of dynamic mode is that the policy can co-exist
with DS based policies, which overrides any local policy not plumbed
by ipseccmd.
When the tool is used in static mode,
it creates or modifies stored policy. This policy can be used again and
will last the lifetime of the store. Static mode is indicated by the -w
flag. The flags in the {} braces are only valid for static mode. The usage
for static mode is an extension of dynamic mode, so please read through
the dynamic mode section.
In query mode, the tool queries IPSec Security Policies Database.
WHY WOULD I WANT TO USE IPSECCMD?
* You have a large and/or complex IPSec policy that you want to
configure. IPSECCMD can help you by providing a scriptable way to
create that policy. Just put your IPSECCMD commands into a batch file.
This also provides a backup in case you lose the DS or registry that
the policy is stored in. Just re-run the batch file.
* IPSECCMD facilitates just in time policy with it's batch ability.
If someone wants a secured channel with your server, simply send them
the tool binaries and the command line or batch file to run.
* Your machine is using DS policy and you want to enhance or add rules
that will allow you to speak IPSec to machines not covered in the
DS policy. Dynamic mode of IPSECCMD will achieve this for you.
* You prefer command line tools to GUI apps.
RESTRICTIONS
You must have privileges to the storage that you write to in static mode.
This is typically administrative privileges, but authorized users can
modify the ACLs of the storage to give you access. IP Security policy
objects are stored in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\IPSec\Policy\Local
for the local/remote machine case
AND
CN=IP Security,CN=System,DC=YourDCName,DC=ParentDCName,DC=TopLevelDC
ie, the IP Security container under the System container,
for the Directory Service case.
CAVEATS
* In dynamic mode, if you use a DNS name that resolves to multiple addresses
only the first address in the list is used. This is not a problem in
static mode.
* Read the filter spec help carefully, it is the most difficult and
easiest to confuse. In particular, pay attention to how a protocol
is specified.
REQUIRED FILES:
ipseccmd.exe