windows-nt/Source/XPSP1/NT/net/ipsec/ipseccmd/usage.txt

298 lines
11 KiB
Plaintext
Raw Normal View History

2020-09-26 03:20:57 -05:00
v1.51 Copyright(c) 1998-2001, Microsoft Corporation
USAGE:
ipseccmd \\machinename -f FilterList -n NegotiationPolicyList -t TunnelAddr
-a AuthMethodList -1s SecurityMethodList -1k Phase1RekeyAfter -1p
-1f MMFilterList -1e SoftSAExpirationTime -soft -confirm
[-dialup OR -lan]
{-w TYPE:DOMAIN -p PolicyName:PollInterval -r RuleName -x -y -o}
ipseccmd \\machinename show filters policies auth stats sas all
BATCH MODE:
ipseccmd -file filename
File must contain regular ipseccmd commands,
all these commands will be executed in one shot.
ipseccmd has three mutually exclusive modes: static, dynamic, and query.
The default mode is dynamic.
Dynamic mode will plumb policy directly into the IPSec Services
Security Policies Database. The policy will be persisted, i.e. it will stay
after a reboot. The benefit of dynamic policy is that it can co-exist with
DS based policy.
To delete all dynamic policies, execute "ipseccmd -u" command
When the tool is used in static mode,
it creates or modifies stored policy. This policy can be used again and
will last the lifetime of the store. Static mode is indicated by the -w
flag. The flags in the {} braces are only valid for static mode. The usage
for static mode is an extension of dynamic mode, so please read through
the dynamic mode section.
In query mode, the tool queries IPSec Security Policies Database.
NOTE: references to SHA in ipseccmd are referring to the SHA1 algorithm.
------------
QUERY MODE
------------
The tool displays requested type of data from IPSec Security Policies Database
filters - shows main mode and quick mode filters
policies - shows main mode and quick mode policies
auth - shows main mode authentication methods
stats - shows Internet Key Exchange (IKE) and IPSec statistics
sas - shows main mode and quick mode Security Associations
all - shows all of the above data
It is possible to combine several flags
EXAMPLE: ipseccmd show filters policies
------------
DYNAMIC MODE
------------
Each execution of the tool sets an IPSec rule, an IKE policy,
or both. When setting the IPSec policy, think of it as setting an "IP Security Rule"
in the UI. So, if you need to set up a tunnel policy, you will need
to execute the tool twice, once for the outbound filters and outgoing tunnel
endpoint, and once for the inbound filters and incoming tunnel endpoint.
OPTIONS:
\\machinename sets policies on that machine. If not included, the
local machine is assumed.
NOTE: that if you use this it must be the first argument AND
you MUST have administrative privileges on that machine.
-confirm will ask you to confirm before setting policy
can be abbreviated to -c
*OPTIONAL, DYNAMIC MODE ONLY*
The following flags deal with IPSec policy. If omitted, a default value
is used where specified.
-f FilterList
where FilterList is one or more space separated filterspecs
a filterspec is of the format:
A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
you can also specify DEFAULT to create default response rule
The Source address is always on the left of the '=' and the Destination
address is always on the right.
MIRRORING: If you replace the '=' with a '+' two filters will be created,
one in each direction.
mask and port are optional. If omitted, Any port and
mask 255.255.255.255 will be used for the filter.
You can replace A.B.C.D/mask with the following for
special meaning:
0 means My address(es)
* means Any address
a DNS name (NOTE: multiple resolutions are ignored)
a GUID of the local network interface in the form {12345678-1234-1234-1234-123456789ABC}
GUIDs are NOT supported for static mode
protocol is optional, if omitted, Any protocol is assumed. If you
indicate a protocol, a port must precede it or :: must preceded it.
NOTE BENE: if protocol is specified, it must be the last item in
the filter spec.
Examples:
Machine1+Machine2::6 will filter TCP traffic between Machine1 and Machine2
172.31.0.0/255.255.0.0:80=157.0.0.0/255.0.0.0:80:TCP will filter
all TCP traffic from the first subnet, port 80 to the second subnet,
port 80
PASSTHRU and DROP filters: By surrounding a filter specification with (),
the filter will be a passthru filter. If you surround it with [], the
filter will be a blocking, or drop, filter.
Example: (0+128.2.1.1) will create 2 filters (it's mirrored) that will
be exempted from policy.
You can use the following protocol symbols: ICMP UDP RAW TCP
Star notation:
If you're subnet masks are along octet boundaries, then you
can use the star notation to wildcard subnets.
Examples:
128.*.*.* is same as 128.0.0.0/255.0.0.0
128.*.* is the same as above
128.* is the same as above
144.92.*.* is same as 144.92.0.0/255.255.0.0
There is no DEFAULT, -f is required
-n NegotiationPolicyList
where NegotiationPolicyList is one or more space separated
IPSec policies in the one of the following forms:
ESP[ConfAlg,AuthAlg]RekeyPFS[Group]
AH[HashAlg]
AH[HashAlg]+ESP[ConfAlg,AuthAlg]
where ConfAlg can be NONE, DES, or 3DES
and AuthAlg can be NONE, MD5, or SHA
and HashAlg is MD5 or SHA
NOTE: ESP[NONE,NONE] is not a supported config
NOTE: SHA refers the SHA1 hash algorithm
Rekey is number of KBytes or number of seconds to rekey
put K or S after the number to indicate KBytes or seconds, respectively
Example: 3600S will rekey after 1 hour
To use both, separate with a slash.
Example: 3600S/5000K will rekey every hour and 5 MB.
REKEY PARAMETERS ARE OPTIONAL
PFS this is OPTIONAL, if it is present it will enable phase 2 perfect
forward secrecy. You may use just P for short.
It is also possible to specify which PFS Group to use:
PFS1 or P1, PFS2 or P2
By Default, PFS Group value will be taken from current Main Mode settings
DEFAULT: ESP[3DES,SHA] ESP[3DES,MD5] ESP[DES,SHA]
ESP[DES,MD5]
-t tunnel address in one of the following forms:
A.B.C.D
DNS name
DEFAULT: omission of tunnel address assumes transport mode
-a AuthMethodList
A list of space separated auth methods of the form:
PRESHARE:"preshared key string"
KERBEROS
CERT:"CA Info"
The strings provided to preshared key and CA info ARE case sensitive.
You can abbreviate the method with the first letter, ie. P, K, or C.
DEFAULT: KERBEROS
-soft will allow soft associations
DEFAULT: don't allow soft SAs
-lan will set policy only for lan adapters
-dialup will set policy only for dialup adapters
*BOTH ARE OPTIONAL, if not specified, All adapters are used*
DEFAULT: All adapters
The following deal with IKE phase 1 policy. An easy way to remember
is that all IKE phase 1 parameters are passed with a 1 in the flag.
If no IKE flags are specified, the current IKE policy
will be used. If there is no current IKE policy, the defaults
specified below will be used.
-1s SecurityMethodList
where SecurityMethodList is one or more space separated SecurityMethods
in the form:
ConfAlg-HashAlg-GroupNum
where ConfAlg can be DES or 3DES
and HashAlg is MD5 or SHA
and GroupNum is:
1 (Low)
2 (Med)
Example: DES-SHA-1
DEFAULT: 3DES-SHA-2 3DES-MD5-2 DES-SHA-1 DES-MD5-1
-1p enable PFS for phase 1
DEFAULT: not enabled
-1k number of Quick Modes or number of seconds to rekey for phase 1
put Q or S after the number to indicate Quick Modes or seconds,
respectively
Example: 10Q will rekey after 10 quick modes
To use both, separate with a slash.
Example: 10Q/3600S will rekey every hour and 10 quick modes
*OPTIONAL*
DEFAULT: no QM limit, 480 min lifetime
-1e SoftSAExpirationTime
set Soft SA expiration time attribute of the main mode policy
value is specified in seconds
DEFAULT: not set if Soft SA is not allowed
set to 300 seconds if Soft SA is allowed
-1f MMFilterList
set specific main mode filters. Syntax is the same as for -f option
except that you cannot specify passthru, block filters, ports and protocols
DEFAULT: filters are generated automatically based on quick mode filters
-----------
STATIC MODE
-----------
Static mode uses most of the dynamic mode syntax, but adds a few flags
that enable it work at a policy level as well. Remember, dynamic mode
just lets you add anonymous rules to the policy agent. Static mode
allows you to create named policies and named rules. It also has some
functionality to modify existing policies and rules, provided they were
originally created with ipseccmd.
Static mode is supposed to provide most of the functionality of the IPSec UI
in a command line tool, so there are references here to the UI.
First, there is one change to the dynamic mode usage that static mode
requires. In static mode, pass through and block filters are indicated
in the NegotiationPolicyList that is specified by -n. There are three
items you can pass in the NegotiationPolicyList that have special meaning:
BLOCK will ignore the rest of the policies in NegotiationPolicyList and
will make all of the filters blocking or drop filters.
This is the same as checking the "Block" radio button
in the UI
PASS will ignore the rest of the policies in NegotiationPolicyList and
will make all of the filters pass through filters.
This is the same as checking the "Permit"
radio button in the UI
INPASS will plumb any inbound filters as pass through.
This is the same as checking the "Allow unsecured communication,
but always respond using IPSEC" check box in the UI
Static Mode flags:
All flags are REQUIRED unless otherwise indicated.
-w Write the policy to storage indicated by TYPE:LOCATION
TYPE can be either REG for registry or DS for Directory Storage
if \\machinename was specified and TYPE is REG, will be written
to the remote machine's registry
DOMAIN for the DS case only. Indicates the domain name of the
DS to write to. If omitted, use the domain the local machine is in.
OPTIONAL
-p PolicyName:PollInterval
Name the policy with this string. If a policy with this name is
already in storage, this rule will be added to the policy.
Otherwise a new policy will be created. If PollInterval is specified,
the polling interval for the policy will be set.
-r RuleName
Name the rule with this string. If a rule with that name already exists,
that rule is modified to reflect the information supplied to ipseccmd.
For example, if only -f is specified and the rule exists,
only the filters of that rule will be replaced.
-x will set the policy active in the LOCAL registry case OPTIONAL
-y will set the policy inactive in the LOCAL registry case OPTIONAL
-o will delete the policy specified by -p OPTIONAL
(NOTE: this will delete all aspects of the specified policy
don't use if you have other policies pointing to the objects in that policy)
The command completed successfully.