v1.51 Copyright(c) 1998-2001, Microsoft Corporation

USAGE:

ipseccmd \\machinename -f FilterList -n NegotiationPolicyList -t TunnelAddr
         -a AuthMethodList -1s SecurityMethodList -1k Phase1RekeyAfter -1p
         -1f MMFilterList -1e SoftSAExpirationTime -soft -confirm
         [-dialup OR -lan]
         {-w TYPE:DOMAIN -p PolicyName:PollInterval -r RuleName -x -y -o}

ipseccmd \\machinename show filters policies auth stats sas all

BATCH MODE:

ipseccmd -file filename

File must contain regular ipseccmd commands,
all these commands will be executed in one shot.

ipseccmd has three mutually exclusive modes: static, dynamic, and query.

The default mode is dynamic.

Dynamic mode will plumb policy directly into the IPSec Services
Security Policies Database. The policy will be persisted, i.e. it will stay
after a reboot. The benefit of dynamic policy is that it can co-exist with
DS based policy.

To delete all dynamic policies, execute the "ipseccmd -u" command.

When the tool is used in static mode,
it creates or modifies stored policy. This policy can be used again and
will last the lifetime of the store. Static mode is indicated by the -w
flag. The flags in the {} braces are only valid for static mode. The usage
for static mode is an extension of dynamic mode, so please read through
the dynamic mode section.

In query mode, the tool queries the IPSec Security Policies Database.

NOTE: references to SHA in ipseccmd are referring to the SHA1 algorithm.

------------
QUERY MODE
------------

The tool displays the requested type of data from the IPSec Security Policies Database

filters  - shows main mode and quick mode filters
policies - shows main mode and quick mode policies
auth     - shows main mode authentication methods
stats    - shows Internet Key Exchange (IKE) and IPSec statistics
sas      - shows main mode and quick mode Security Associations
all      - shows all of the above data

It is possible to combine several flags
EXAMPLE: ipseccmd show filters policies

------------
DYNAMIC MODE
------------

Each execution of the tool sets an IPSec rule, an IKE policy,
or both. When setting the IPSec policy, think of it as setting an "IP Security Rule"
in the UI. So, if you need to set up a tunnel policy, you will need
to execute the tool twice, once for the outbound filters and outgoing tunnel
endpoint, and once for the inbound filters and incoming tunnel endpoint.

OPTIONS:

\\machinename sets policies on that machine. If not included, the
              local machine is assumed.
              NOTE that if you use this it must be the first argument AND
              you MUST have administrative privileges on that machine.

-confirm      will ask you to confirm before setting policy
              can be abbreviated to -c
              *OPTIONAL, DYNAMIC MODE ONLY*

The following flags deal with IPSec policy. If omitted, a default value
is used where specified.

-f FilterList
   where FilterList is one or more space separated filterspecs
   a filterspec is of the format:
       A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
   you can also specify DEFAULT to create the default response rule

   The Source address is always on the left of the '=' and the Destination
   address is always on the right.

   MIRRORING: If you replace the '=' with a '+', two filters will be created,
   one in each direction.

   mask and port are optional. If omitted, Any port and
   mask 255.255.255.255 will be used for the filter.

   You can replace A.B.C.D/mask with the following for
   special meaning:
       0 means My address(es)
       * means Any address
       a DNS name (NOTE: multiple resolutions are ignored)
       a GUID of the local network interface in the form {12345678-1234-1234-1234-123456789ABC}
         GUIDs are NOT supported for static mode

   protocol is optional; if omitted, Any protocol is assumed. If you
   indicate a protocol, a port must precede it or :: must precede it.
   NOTA BENE: if protocol is specified, it must be the last item in
   the filter spec.

   Examples:
       Machine1+Machine2::6 will filter TCP traffic between Machine1 and Machine2
       172.31.0.0/255.255.0.0:80=157.0.0.0/255.0.0.0:80:TCP will filter
       all TCP traffic from the first subnet, port 80 to the second subnet,
       port 80

   PASSTHRU and DROP filters: By surrounding a filter specification with (),
   the filter will be a passthru filter. If you surround it with [], the
   filter will be a blocking, or drop, filter.
   Example: (0+128.2.1.1) will create 2 filters (it's mirrored) that will
   be exempted from policy.

   You can use the following protocol symbols: ICMP UDP RAW TCP

   Star notation:
   If your subnet masks are along octet boundaries, then you
   can use the star notation to wildcard subnets.
   Examples:
       128.*.*.* is the same as 128.0.0.0/255.0.0.0
       128.*.* is the same as above
       128.* is the same as above
       144.92.*.* is the same as 144.92.0.0/255.255.0.0

   There is no DEFAULT, -f is required

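As an added example (my own code, not part of the ipseccmd help text), the following Python parser expands a filterspec into the filters the tool would create: mirroring with '+', the () passthru and [] block wrappers, star notation, the 0 and * special addresses, and the rule that a protocol must be the last item, preceded by a port or by ::. The dictionary field names and the MY_ADDRESS/ANY markers are my own choice, not the tool's representation.

```python
import re

# Protocol symbols the help text accepts; a numeric protocol id (e.g. ::6) is also allowed
PROTOCOLS = {"ICMP": 1, "TCP": 6, "UDP": 17, "RAW": 255}
HOST_MASK = "255.255.255.255"   # used when the mask is omitted

def expand_star(addr):
    """Star notation on octet boundaries: 128.*.*.*, 128.* -> ('128.0.0.0', '255.0.0.0')."""
    fixed = [o for o in addr.split(".") if o != "*"]   # leading numeric octets
    n = len(fixed)
    return ".".join(fixed + ["0"] * (4 - n)), ".".join(["255"] * n + ["0"] * (4 - n))

def parse_endpoint(spec):
    """addr[/mask][:port]; mask defaults to the host mask, port 0 stands for Any port."""
    addr_mask, _, port = spec.partition(":")
    addr, _, mask = addr_mask.partition("/")
    if addr == "0":
        addr = "MY_ADDRESS"             # 0 means the local machine's address(es)
    elif addr == "*":
        addr = "ANY"                    # * means Any address
    elif "*" in addr:
        addr, mask = expand_star(addr)  # 144.92.*.* style wildcard
    return {"addr": addr, "mask": mask or HOST_MASK, "port": int(port) if port else 0}

def parse_filterspec(spec):
    """Expand one ipseccmd filterspec into the list of filters it would create."""
    if spec == "DEFAULT":
        return [{"default_response": True}]
    action = "negotiate"
    if spec[0] == "(" and spec[-1] == ")":
        action, spec = "passthru", spec[1:-1]    # () exempts the traffic from policy
    elif spec[0] == "[" and spec[-1] == "]":
        action, spec = "block", spec[1:-1]       # [] drops the traffic
    m = re.match(r"^([^=+]+)([=+])(.+)$", spec)  # source left of the separator, destination right
    if not m:
        raise ValueError(f"filterspec needs '=' or '+': {spec}")
    src_spec, sep, dst_spec = m.groups()
    parts = dst_spec.split(":")
    proto = "ANY"
    if len(parts) == 3:   # protocol is the last item, preceded by a port or by ::
        sym = parts[2].upper()
        proto = int(sym) if sym.isdigit() else PROTOCOLS[sym]
        dst_spec = ":".join(parts[:2])
    elif len(parts) > 3:
        raise ValueError(f"too many ':' items in destination: {dst_spec}")
    filt = {"src": parse_endpoint(src_spec), "dst": parse_endpoint(dst_spec),
            "protocol": proto, "action": action}
    if sep == "+":   # mirroring: a second filter in the opposite direction
        return [filt, {**filt, "src": filt["dst"], "dst": filt["src"]}]
    return [filt]
```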
-n NegotiationPolicyList
   where NegotiationPolicyList is one or more space separated
   IPSec policies in one of the following forms:

       ESP[ConfAlg,AuthAlg]RekeyPFS[Group]
       AH[HashAlg]
       AH[HashAlg]+ESP[ConfAlg,AuthAlg]

   where ConfAlg can be NONE, DES, or 3DES
   and AuthAlg can be NONE, MD5, or SHA
   and HashAlg is MD5 or SHA

   NOTE: ESP[NONE,NONE] is not a supported config
   NOTE: SHA refers to the SHA1 hash algorithm

   Rekey is the number of KBytes or number of seconds to rekey;
   put K or S after the number to indicate KBytes or seconds, respectively
   Example: 3600S will rekey after 1 hour
   To use both, separate with a slash.
   Example: 3600S/5000K will rekey every hour and 5 MB.

   REKEY PARAMETERS ARE OPTIONAL

   PFS is OPTIONAL; if it is present it will enable phase 2 perfect
   forward secrecy. You may use just P for short.
   It is also possible to specify which PFS Group to use:
       PFS1 or P1, PFS2 or P2
   By default, the PFS Group value will be taken from current Main Mode settings

   DEFAULT: ESP[3DES,SHA] ESP[3DES,MD5] ESP[DES,SHA]
            ESP[DES,MD5]

-t tunnel address in one of the following forms:
       A.B.C.D
       DNS name

   DEFAULT: omission of tunnel address assumes transport mode

-a AuthMethodList
   A list of space separated auth methods of the form:
       PRESHARE:"preshared key string"
       KERBEROS
       CERT:"CA Info"

   The strings provided to preshared key and CA info ARE case sensitive.
   You can abbreviate the method with the first letter, i.e. P, K, or C.

   DEFAULT: KERBEROS

-soft will allow soft associations
   DEFAULT: don't allow soft SAs

-lan will set policy only for lan adapters
-dialup will set policy only for dialup adapters
   *BOTH ARE OPTIONAL, if not specified, All adapters are used*
   DEFAULT: All adapters

The following deal with IKE phase 1 policy. An easy way to remember
is that all IKE phase 1 parameters are passed with a 1 in the flag.

If no IKE flags are specified, the current IKE policy
will be used. If there is no current IKE policy, the defaults
specified below will be used.

-1s SecurityMethodList
   where SecurityMethodList is one or more space separated SecurityMethods
   in the form:
       ConfAlg-HashAlg-GroupNum
   where ConfAlg can be DES or 3DES
   and HashAlg is MD5 or SHA
   and GroupNum is:
       1 (Low)
       2 (Med)

   Example: DES-SHA-1
   DEFAULT: 3DES-SHA-2 3DES-MD5-2 DES-SHA-1 DES-MD5-1

-1p enable PFS for phase 1
   DEFAULT: not enabled

-1k number of Quick Modes or number of seconds to rekey for phase 1
   put Q or S after the number to indicate Quick Modes or seconds,
   respectively
   Example: 10Q will rekey after 10 quick modes
   To use both, separate with a slash.
   Example: 10Q/3600S will rekey every hour and 10 quick modes
   *OPTIONAL*
   DEFAULT: no QM limit, 480 min lifetime

-1e SoftSAExpirationTime
   set the Soft SA expiration time attribute of the main mode policy
   value is specified in seconds
   DEFAULT: not set if Soft SA is not allowed
            set to 300 seconds if Soft SA is allowed

-1f MMFilterList
   set specific main mode filters. Syntax is the same as for the -f option
   except that you cannot specify passthru, block filters, ports and protocols
   DEFAULT: filters are generated automatically based on quick mode filters

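As an added example (my own code, not part of the help text), the following Python checks a proposed -n NegotiationPolicyList entry and a -1s SecurityMethod against the grammars given above and reports what a policy reviewer would flag before plumbing it: DES, MD5, ESP without any integrity protection, missing phase 2 PFS and DH group 1. It assumes the Rekey and PFS suffixes may follow either the ESP or the AH form, and the wording of the findings is my own.

```python
import re

# Grammar from the -n help text: ESP[ConfAlg,AuthAlg]RekeyPFS[Group], AH[HashAlg],
# AH[HashAlg]+ESP[ConfAlg,AuthAlg]; Rekey is e.g. 3600S, 5000K or 3600S/5000K
NEGOTIATION_RE = re.compile(
    r"^(?:AH\[(?P<ah>MD5|SHA)\]\+?)?"
    r"(?:ESP\[(?P<conf>NONE|DES|3DES),(?P<auth>NONE|MD5|SHA)\])?"
    r"(?P<rekey>\d+[KS](?:/\d+[KS])?)?"
    r"(?P<pfs>(?:PFS|P)(?P<group>[12])?)?$")

def parse_negotiation(policy):
    """Parse one -n entry; raises ValueError for malformed or unsupported policies."""
    m = NEGOTIATION_RE.match(policy)
    if not m or (m["ah"] is None and m["conf"] is None):
        raise ValueError(f"malformed negotiation policy: {policy}")
    if (m["conf"], m["auth"]) == ("NONE", "NONE"):
        raise ValueError("ESP[NONE,NONE] is not a supported config")
    rekey = {"seconds": None, "kbytes": None}
    for part in filter(None, (m["rekey"] or "").split("/")):
        rekey["seconds" if part[-1] == "S" else "kbytes"] = int(part[:-1])   # 3600S / 5000K
    return {"ah": m["ah"], "esp": (m["conf"], m["auth"]) if m["conf"] else None,
            "rekey": rekey, "pfs": m["pfs"] is not None,
            "pfs_group": int(m["group"]) if m["group"] else None}

def parse_phase1(method):
    """Parse one -1s entry of the form ConfAlg-HashAlg-GroupNum, e.g. DES-SHA-1."""
    conf, hash_alg, group = method.split("-")
    if conf not in ("DES", "3DES") or hash_alg not in ("MD5", "SHA") or group not in ("1", "2"):
        raise ValueError(f"malformed phase 1 security method: {method}")
    return {"conf": conf, "hash": hash_alg, "group": int(group)}

def weaknesses(negotiation, phase1):
    """Audit findings (my own wording) for a parsed -n policy and a parsed -1s method."""
    conf, auth = negotiation["esp"] or (None, None)
    checks = [
        (conf == "DES", "ESP confidentiality uses DES (56-bit key)"),
        (auth == "MD5" or negotiation["ah"] == "MD5", "integrity uses MD5"),
        (auth == "NONE" and negotiation["ah"] is None, "no integrity: ESP auth NONE without AH"),
        (not negotiation["pfs"], "phase 2 PFS not enabled"),
        (phase1["conf"] == "DES", "phase 1 confidentiality uses DES"),
        (phase1["hash"] == "MD5", "phase 1 hash uses MD5"),
        (phase1["group"] == 1, "phase 1 uses DH group 1 (Low)"),
    ]
    return [msg for hit, msg in checks if hit]
```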
-----------
STATIC MODE
-----------

Static mode uses most of the dynamic mode syntax, but adds a few flags
that enable it to work at a policy level as well. Remember, dynamic mode
just lets you add anonymous rules to the policy agent. Static mode
allows you to create named policies and named rules. It also has some
functionality to modify existing policies and rules, provided they were
originally created with ipseccmd.

Static mode is supposed to provide most of the functionality of the IPSec UI
in a command line tool, so there are references here to the UI.

First, there is one change to the dynamic mode usage that static mode
requires. In static mode, pass through and block filters are indicated
in the NegotiationPolicyList that is specified by -n. There are three
items you can pass in the NegotiationPolicyList that have special meaning:

BLOCK  will ignore the rest of the policies in NegotiationPolicyList and
       will make all of the filters blocking or drop filters.
       This is the same as checking the "Block" radio button
       in the UI

PASS   will ignore the rest of the policies in NegotiationPolicyList and
       will make all of the filters pass through filters.
       This is the same as checking the "Permit"
       radio button in the UI

INPASS will plumb any inbound filters as pass through.
       This is the same as checking the "Allow unsecured communication,
       but always respond using IPSEC" check box in the UI

Static Mode flags:
All flags are REQUIRED unless otherwise indicated.

-w Write the policy to storage indicated by TYPE:LOCATION
   TYPE can be either REG for registry or DS for Directory Storage
   if \\machinename was specified and TYPE is REG, the policy will be written
   to the remote machine's registry
   DOMAIN is for the DS case only. It indicates the domain name of the
   DS to write to. If omitted, the domain the local machine is in is used.
   OPTIONAL

-p PolicyName:PollInterval
   Name the policy with this string. If a policy with this name is
   already in storage, this rule will be added to the policy.
   Otherwise a new policy will be created. If PollInterval is specified,
   the polling interval for the policy will be set.

-r RuleName
   Name the rule with this string. If a rule with that name already exists,
   that rule is modified to reflect the information supplied to ipseccmd.
   For example, if only -f is specified and the rule exists,
   only the filters of that rule will be replaced.

-x will set the policy active in the LOCAL registry case     OPTIONAL

-y will set the policy inactive in the LOCAL registry case   OPTIONAL

-o will delete the policy specified by -p                    OPTIONAL
   (NOTE: this will delete all aspects of the specified policy;
   don't use if you have other policies pointing to the objects in that policy)