Ipseccmd
Configures Internet Protocol Security (IPSec) policies in a directory service or in a local or remote registry. Ipseccmd is a command-line alternative to the IP Security Policies Microsoft Management Console (MMC) snap-in. Ipseccmd has three modes: dynamic mode, static mode, and query mode.
ipseccmd dynamic mode
You can use Ipseccmd dynamic mode to add anonymous rules to the existing IPSec policy by adding them to the IPSec security policies database. The rules added will be present even after the IPSEC Services service is restarted. The benefit of using dynamic mode is that the rules you add coexist with domain-based IPSec policy. Dynamic mode is the default mode for Ipseccmd.
Syntax
To add a rule, use the following syntax:
ipseccmd [\\ComputerName] -f FilterList [-n NegotiationPolicyList] [-t TunnelAddr] [-a AuthMethodList] [-1s SecurityMethodList] [-1k MainModeRekeySettings] [-1p] [-1f MMFilterList] [-1e SoftSAExpirationTime] [-soft] [-confirm] [{-dialup | -lan}]
To delete all dynamic policies, use the following syntax:
ipseccmd -u
Parameters
\\ComputerName : Specifies the computer name of a remote computer to which you want to add a rule.
-f FilterList : Required for first syntax. Specifies one or more filter specifications, separated by spaces, for quick mode security associations (SAs). Each filter specification defines a set of network traffic affected by this rule.
-n NegotiationPolicyList : Specifies one or more security methods, separated by spaces, for securing traffic defined by the filter list.
-t TunnelAddr : Specifies the tunnel endpoint for tunnel mode as either an IP address or a DNS domain name.
-a AuthMethodList : Specifies one or more authentication methods, separated by spaces.
-1s SecurityMethodList : Specifies one or more key exchange security methods, separated by spaces.
-1k MainModeRekeySettings : Specifies main mode SA rekey settings.
-1p : Enables master key perfect forward secrecy.
-1f MMFilterList : Specifies one or more filter specifications for main mode SAs, separated by spaces.
-1e SoftSAExpirationTime : Specifies the expiration time for soft SAs in seconds.
-soft : Enables soft SAs.
-confirm : Specifies that a confirmation prompt appears before the rule or policy is added.
{-dialup | -lan} : Specifies whether the rule applies only to remote access or dial-up connections or whether the rule applies only to local area network (LAN) connections.
-u : Required for the second syntax. Specifies that all dynamic rules are deleted.
/? : Displays help at the command prompt.
Remarks
Ipseccmd cannot be used to configure rules on computers running Windows 2000.
If you do not specify the ComputerName parameter, the rule is added to the local computer.
If you use the ComputerName parameter, you must use it before all other parameters, and you must have administrator permissions on the computer to which you want to add the rule.
For the -f parameter, a filter specification is one or more filters that are separated by spaces and defined by the format:
SourceAddress/SourceMask:SourcePort=DestAddress/DestMask:DestPort:Protocol
SourceMask, SourcePort, DestMask, and DestPort are optional. If you omit them, the mask of 255.255.255.255 and all ports are used for the filter.
Protocol is optional. If you omit it, all protocols are used for the filter. If you specify a protocol, you must specify the port or precede the protocol with two colons (::). (See the first example for dynamic mode.) The protocol must be the last item in the filter. You can use the following protocol symbols: ICMP, UDP, RAW, or TCP.
You can create mirrored filters by replacing the equals sign (=) with a plus sign (+).
You can replace SourceAddress/SourceMask or DestAddress/DestMask with the values in the following table.
| Value | Description |
|---|---|
| 0 | My address or addresses |
| * | Any address |
| DNSName | DNS domain name. If the DNS name resolves to multiple addresses, it is ignored. |
| GUID | A globally unique identifier (GUID) of a local network interface in the form {12345678-1234-1234-1234-123456789ABC}. Specifying a GUID is not supported when the -n parameter is used in static mode. |
You can enable the default response rule by specifying the filter specification of default.
You can specify a permit filter by surrounding the filter specification with parentheses. You can specify a blocking filter by surrounding the filter specification with brackets ([ ]).
If you are using Internet address class-based subnet masks (the subnet masks are defined along octet boundaries), you can use wildcard notation to specify subnet masks. For example, 10.*.*.* is the same as 10.0.0.0/255.0.0.0 and 10.92.*.* is the same as 10.92.0.0/255.255.0.0.
Filter examples
To create mirrored filters to filter TCP traffic between Computer1 and Computer2, type:
Computer1+Computer2::TCP
To create a filter for all TCP traffic from the subnet 172.31.0.0/255.255.0.0, port 80, to the subnet 10.0.0.0/255.0.0.0, port 80, type:
172.31.0.0/255.255.0.0:80=10.0.0.0/255.0.0.0:80:TCP
To create a mirrored filter that permits traffic between the local IP address and the IP address 10.2.1.1, type:
(0+10.2.1.1)
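The filter grammar above, worked through as an added example that is not part of the Ipseccmd documentation or the tool itself: a small Python parser that turns a -f filter specification into its source, destination, protocol, mirroring and permit/block action, expanding class-based wildcards the way the Remarks describe. The Endpoint and Filter names are my own, and the default keyword is not handled.

```python
# Added example, not Ipseccmd code: a parser for the -f FilterList grammar described above.
import re
from dataclasses import dataclass

PROTOCOLS = {"ICMP", "UDP", "RAW", "TCP"}
CLASS_MASKS = {1: "255.0.0.0", 2: "255.255.0.0", 3: "255.255.255.0"}  # for 10.*.*.* style wildcards

@dataclass
class Endpoint:
    address: str   # "0" = my address(es), "*" = any address, or an IP, DNS name or {GUID}
    mask: str      # 255.255.255.255 when SourceMask/DestMask is omitted
    port: str      # "*" = all ports

@dataclass
class Filter:
    src: Endpoint
    dst: Endpoint
    protocol: str   # "*" = all protocols
    mirrored: bool  # "+" instead of "=" between the endpoints
    action: str     # "negotiate" (plain), "permit" for (...) or "block" for [...]

def _endpoint(text: str) -> Endpoint:
    addr, _, port = text.partition(":")
    addr, _, mask = addr.partition("/")
    if addr != "*" and "*" in addr:
        # Class-based wildcard, e.g. 10.92.*.* -> 10.92.0.0/255.255.0.0
        octets = addr.split(".")
        fixed = [o for o in octets if o != "*"]
        if (len(octets) != 4 or not fixed or octets[:len(fixed)] != fixed
                or not all(o.isdigit() for o in fixed)):
            raise ValueError(f"wildcards must be the trailing octets: {addr!r}")
        addr, mask = ".".join(fixed + ["0"] * (4 - len(fixed))), CLASS_MASKS[len(fixed)]
    return Endpoint(addr, mask or "255.255.255.255", port or "*")

def parse_filter(spec: str) -> Filter:
    action = "negotiate"
    if spec[:1] == "(" and spec[-1:] == ")":
        action, spec = "permit", spec[1:-1]
    elif spec[:1] == "[" and spec[-1:] == "]":
        action, spec = "block", spec[1:-1]
    protocol = "*"
    head, sep, tail = spec.rpartition(":")   # the protocol must be the last item
    if sep and tail.isalpha():
        if tail.upper() not in PROTOCOLS:
            raise ValueError(f"unknown protocol {tail!r}")
        protocol, spec = tail.upper(), head
    m = re.fullmatch(r"([^=+]+)([=+])(.+)", spec)
    if not m:
        raise ValueError(f"expected Source=Dest or Source+Dest, got {spec!r}")
    return Filter(_endpoint(m[1]), _endpoint(m[3]), protocol, m[2] == "+", action)
```

A space-separated FilterList can be reviewed by calling parse_filter on each token, which makes it easy to check what traffic a rule will cover before it is added.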
For the -n parameter, one or more negotiation policies are separated by spaces and follow one of the following forms:
esp[EncrypAlg,AuthAlg] Rekey PFS[Group]
ah[HashAlg]
ah[HashAlg]+esp[EncrypAlg,AuthAlg]
where EncrypAlg can be none, des, or 3des, AuthAlg can be none, md5, or sha, and HashAlg can be md5 or sha.
The configuration esp[none,none] is not supported.
The sha parameter refers to the SHA1 hash algorithm.
The Rekey parameter is optional, and it specifies the number of kilobytes (indicated by placing a K after the number) or the number of seconds (indicated by placing an S after the number) that precede a rekeying of the quick mode SA. To specify both rekey parameters, separate the two numbers with a slash (/). For example, to rekey the quick mode SA every hour and after every 5 megabytes of data, type:
3600S/5000K
The PFS parameter is optional, and it enables session key perfect forward secrecy. By default, session key perfect forward secrecy is disabled.
The Group parameter is optional, and it specifies the Diffie-Hellman group for session key perfect forward secrecy. For the Low(1) Diffie-Hellman group, specify PFS1 or P1. For the Medium(2) Diffie-Hellman group, specify PFS2 or P2. By default, the group value for session key perfect forward secrecy is taken from the current main mode settings.
If you do not specify negotiation policies, the default negotiation policies are the following:
esp[3des,sha]
esp[3des,md5]
esp[des,sha]
esp[des,md5]
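The negotiation policy grammar above, worked through as an added example that is not part of the Ipseccmd documentation or the tool itself: a Python parser that validates the ah/esp algorithm choices, rejects the unsupported esp[none,none], and decodes the Rekey and PFS settings. It assumes that Rekey and PFS are appended to the esp[...] form without spaces (since the -n list itself is space-separated); the NegotiationPolicy name and the weak_algorithms check are my own additions.

```python
# Assumed grammar: [ah[HashAlg]][+][esp[EncrypAlg,AuthAlg]][Rekey][PFS|P[Group]], no spaces inside.
import re
from dataclasses import dataclass
from typing import Optional

ENCRYPT_ALGS, AUTH_ALGS, HASH_ALGS = {"none", "des", "3des"}, {"none", "md5", "sha"}, {"md5", "sha"}
WEAK_ALGS = {"des", "md5"}   # single DES and MD5 are no longer considered strong
POLICY_RE = re.compile(r"(?:ah\[(\w+)\])?(\+)?(?:esp\[(\w+),(\w+)\])?"
                       r"(\d+[KS](?:/\d+[KS])?)?(?:(P(?:FS)?)([12])?)?", re.I)

@dataclass
class NegotiationPolicy:
    ah_hash: Optional[str] = None
    esp_encrypt: Optional[str] = None
    esp_auth: Optional[str] = None
    rekey_seconds: Optional[int] = None
    rekey_kbytes: Optional[int] = None
    pfs: bool = False                 # session key perfect forward secrecy
    pfs_group: Optional[int] = None   # None = taken from the main mode settings

    def weak_algorithms(self) -> set:
        return {a for a in (self.ah_hash, self.esp_encrypt, self.esp_auth) if a in WEAK_ALGS}

def parse_rekey(text: str) -> tuple:
    """'3600S/5000K' -> (seconds, kilobytes); either part may be absent."""
    values = {"S": None, "K": None}
    for part in text.split("/"):
        m = re.fullmatch(r"(\d+)([KS])", part, re.I)
        if not m:
            raise ValueError(f"bad rekey setting {text!r}")
        values[m[2].upper()] = int(m[1])
    return values["S"], values["K"]

def parse_policy(text: str) -> NegotiationPolicy:
    m = POLICY_RE.fullmatch(text)
    # Accept ah alone, esp alone, or ah+esp; Rekey/PFS only apply to the esp form.
    ok = m and (m[1] or m[3]) and bool(m[2]) == bool(m[1] and m[3]) and not ((m[5] or m[6]) and not m[3])
    if not ok:
        raise ValueError(f"bad negotiation policy {text!r}")
    p = NegotiationPolicy(m[1] and m[1].lower(), m[3] and m[3].lower(), m[4] and m[4].lower())
    if (p.ah_hash and p.ah_hash not in HASH_ALGS) or (
            p.esp_encrypt and (p.esp_encrypt not in ENCRYPT_ALGS or p.esp_auth not in AUTH_ALGS)):
        raise ValueError(f"unknown algorithm in {text!r}")
    if p.esp_encrypt == p.esp_auth == "none":
        raise ValueError("esp[none,none] is not supported")
    if m[5]:
        p.rekey_seconds, p.rekey_kbytes = parse_rekey(m[5])
    if m[6]:
        p.pfs, p.pfs_group = True, (int(m[7]) if m[7] else None)
    return p
```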
If you omit the -t parameter, IPSec transport mode is used.
For the -a parameter, one or more authentication methods are separated by spaces and are in one of the following forms:
preshare:"PresharedKeyString"
kerberos
cert:"CAInfo"
The PresharedKeyString parameter specifies the string of characters of the preshared key. The CAInfo parameter specifies the distinguished name of the certificate as displayed in the IP Security Policies snap-in when the certificate is selected as an authentication method for a rule. The PresharedKeyString and CAInfo parameters are case-sensitive. You can abbreviate the method by using the first letter: p, k, or c. If you omit the -a parameter, the default authentication method is Kerberos.
For the -1s parameter, one or more key exchange security methods are separated by spaces and defined by the following format:
EncrypAlg-HashAlg-GroupNum
where EncrypAlg can be des or 3des, HashAlg can be md5 or sha, and GroupNum can be 1 for the Low(1) Diffie-Hellman group or 2 for the Medium(2) Diffie-Hellman group. If you omit the -1s parameter, the default key exchange security methods are 3des-sha-2, 3des-md5-2, des-sha-1, and des-md5-1.
For the -1k parameter, you can specify the number of quick mode SAs (indicated by placing a Q after the number) or the number of seconds (indicated by placing an S after the number) to rekey the main mode SA. To specify both rekey parameters, you must separate the two numbers with a slash (/). For example, to rekey the main mode SA after every 10 quick mode SAs and every hour, type:
10Q/3600S
If you omit the -1k parameter, the default values for main mode rekey are an unlimited number of quick mode SAs and 480 minutes.
Master key perfect forward secrecy is disabled by default.
For the -1f parameter, the syntax for specifying main mode filter specifications is the same as for the -f parameter, except that you cannot specify permit filters, blocking filters, ports, or protocols. If you omit the -1f parameter, the main mode filters are automatically created based on the quick mode filters.
If you omit the -1e parameter, the expiration time for soft SAs is 300 seconds. However, soft SAs are disabled unless you include the -soft parameter.
Confirmation is available for dynamic mode only.
If you specify neither the -dialup parameter nor the -lan parameter, the rule applies to all adapters.
Examples
To create a rule that uses the Authentication Header (AH) with MD5 hashing for all traffic to and from the local computer, type:
ipseccmd -f 0+* -n ah[md5]
To create a tunnel rule for traffic from 10.2.1.1 to 10.2.1.13 using the tunnel endpoint 10.2.1.13, with AH tunnel mode using the SHA1 hash algorithm, with master key perfect forward secrecy enabled, and with a confirmation prompt for the rule before it is created, type:
ipseccmd -f 10.2.1.1=10.2.1.13 -t 10.2.1.13 -n ah[sha] -1p -confirm
To create a rule on the computer named corpsrv1 for all traffic between the computers named corpsrv1 and corpsrv2, using the combination of both AH and Encapsulating Security Payload (ESP), with preshared key authentication, type:
ipseccmd \\corpsrv1 -f corpsrv2+corpsrv1 -n ah[md5]+esp[des,sha] -a p:"corpauth"
ipseccmd static mode
You can use Ipseccmd static mode to create named policies and named rules. You can also use static mode to modify existing policies and rules, provided they were originally created with Ipseccmd. The syntax for static mode combines the syntax for dynamic mode with parameters that enable it to work at a policy level.
Syntax
ipseccmd DynamicModeParameters -w Type[:Location] -p PolicyName[:PollInterval] -r RuleName [{-x | -y}] [-o]
Parameters
DynamicModeParameters : Required. Specifies a set of dynamic mode parameters for an IPSec rule as described earlier.
-w Type[:Location] : Required. Specifies that the policies and rules are written to the local registry, to the registry of a remote computer, or to an Active Directory domain.
-p PolicyName[:PollInterval] : Required. Specifies the name of the policy and how often, in minutes, the policy is checked for changes. If PolicyName contains any spaces, use quotation marks around the text (that is, "Policy Name").
-r RuleName : Required. Specifies the name of the rule. If RuleName contains any spaces, use quotation marks around the text (that is, "Rule Name").
[{-x | -y}] : Specifies whether the local registry policy is assigned. The -x parameter specifies that the local registry policy is assigned. The -y parameter specifies that the local registry policy is unassigned.
-o : Specifies that the rule or policy should be deleted.
/? : Displays help at the command prompt.
Remarks
For the -w parameter, the Type is either reg, which specifies the registry of the local computer or of a remote computer, or ds, which specifies Active Directory.
If you specify reg for the Type parameter but you do not use the Location parameter, the rule is created for the registry of the local computer.
If you specify reg for the Type parameter and you specify the name of a remote computer for the Location parameter, the rule is created for the registry of the remote computer you specify.
If you specify ds for the Type parameter but you do not use the Location parameter, the rule is created for the Active Directory domain of which the local computer is a member.
If you specify ds for the Type parameter and you specify an Active Directory domain for the Location parameter, the rule is created for the specified domain.
For the -p parameter, if a policy with this name already exists, the rule you specify is added to the policy. Otherwise a policy is created with the name you specify. If you specify an integer for the PollInterval parameter, the polling interval for the policy is set to that number of minutes.
For the -r parameter, if a rule with that name already exists, the rule is modified to reflect the parameters you specify in the command. For example, if you include the -f parameter for an existing rule, only the filters of that rule are replaced. If no rule exists with the name you specify, a rule with that name is created.
For the -o parameter, all aspects of the specified policy are deleted. Do not use this parameter if you have other policies that point to the objects in the policy you want to delete.
Static mode usage differs from dynamic mode usage in one respect. Using dynamic mode, you indicate permit and blocking filters in FilterList, which you identify using the -f parameter. Using static mode, you indicate permit and blocking filters in NegotiationPolicyList, which you identify using the -n parameter. In addition to the parameters described for NegotiationPolicyList under dynamic mode, you can also use the block, pass, or inpass parameters in static mode. The following table lists these parameters and describes their behavior.
| Parameter | Description |
|---|---|
| block | The rest of the policies in NegotiationPolicyList are ignored, and all of the filters are made blocking filters. |
| pass | The rest of the policies in NegotiationPolicyList are ignored, and all of the filters are made permit filters. |
| inpass | Inbound filters will allow initial communication to be unsecured, but responses will be secured using IPSec. |
Examples
To create a policy named Default Domain Policy with a 30-minute polling interval in the Active Directory domain of which the local computer is a member, with a rule named Secured Servers for traffic between the local computer and computers named SecuredServer1 and SecuredServer2, using Kerberos and preshared key authentication methods, type:
ipseccmd -f 0+SecuredServer1 0+SecuredServer2 -a k p:"corpauth" -w ds -p "Default Domain Policy":30 -r "Secured Servers"
To create and assign a local policy named Me to Anyone, with a rule named Secure My Traffic, using a mirrored filter for any traffic to the local computer, using a preshared key as the authentication method, type:
ipseccmd -f 0+* -a p:"localauth" -w reg -p "Me to Anyone" -r "Secure My Traffic" -x
ipseccmd query mode
You can use Ipseccmd query mode to display data from the IPSec security policies database.
Syntax
ipseccmd [\\ComputerName] show {{[filters] | [policies] | [auth] | [stats] | [sas]} | all}
Parameters
\\ComputerName : Specifies, by name, the remote computer for which you want to display data.
show : Required. Indicates that Ipseccmd should run in query mode.
filters : Displays main mode and quick mode filters.
policies : Displays main mode and quick mode policies.
auth : Displays main mode authentication methods.
stats : Displays statistics about Internet Key Exchange (IKE) and IPSec.
sas : Displays main mode and quick mode security associations (SAs).
all : Displays all of the above types of data.
/? : Displays help at the command prompt.
Remarks
Ipseccmd cannot be used to display IPSec data for computers running Windows 2000.
If you do not use the ComputerName parameter, information about the local computer is displayed.
If you use the ComputerName parameter, you must use it before all other parameters, and you must have administrator permissions on the computer for which you want to display information.
Examples
To display the main mode and quick mode filters and policies for the local computer, type:
ipseccmd show filters policies
To display all IPSec information for the remote computer Server1, type the following command:
ipseccmd \\Server1 show all
Formatting legend
| Format | Meaning |
|---|---|
| Italic | Information that the user must supply |
| Bold | Elements that the user must type exactly as shown |
| Ellipsis (...) | Parameter that can be repeated several times in a command line |
| Between brackets ([]) | Optional items |
| Between braces ({}); choices separated by pipe (\|). Example: {even\|odd} | Set of choices from which the user must choose only one |
| Courier font | Code or program output |