IPSEC POLICY CONFIGURATION COMMAND LINE TOOL
by Randy Ramig (RandyRam@Microsoft.com)
and Dennis Kalinichenko (DKalin@Microsoft.com)

This tool is used to configure IP Security policies in the Directory
Service, or in a local or remote registry.  It does everything that the
IP Security MMC snap-in does, and is even modeled after the snap-in.

In addition, it can query IPSec Security Policies Database (SPD) and
display the current state of IPSec Services

ipseccmd has three mutually exclusive modes: static, dynamic and query. 

Dynamic mode will plumb policy into the IPSec Services 
Security Policies Database. The policy will be persisted, ie. it will stay
after a reboot.  The benefit of dynamic mode is that the policy can co-exist 
with DS based policies, which overrides any local policy not plumbed 
by ipseccmd.

When the tool is used in static mode,
it creates or modifies stored policy.  This policy can be used again and 
will last the lifetime of the store. Static mode is indicated by the -w
flag.  The flags in the {} braces are only valid for static mode.  The usage 
for static mode is an extension of dynamic mode, so please read through
the dynamic mode section.

In query mode, the tool queries IPSec Security Policies Database.

WHY WOULD I WANT TO USE IPSECCMD?

*   You have a large and/or complex IPSec policy that you want to 
    configure.  IPSECCMD can help you by providing a scriptable way to
    create that policy.  Just put your IPSECCMD commands into a batch file.
    
    This also provides a backup in case you lose the DS or registry that
    the policy is stored in.  Just re-run the batch file.

*   IPSECCMD facilitates just in time policy with it's batch ability.
    If someone wants a secured channel with your server, simply send them
    the tool binaries and the command line or batch file to run.

*   Your machine is using DS policy and you want to enhance or add rules
    that will allow you to speak IPSec to machines not covered in the 
    DS policy.  Dynamic mode of IPSECCMD will achieve this for you.

*   You prefer command line tools to GUI apps.

RESTRICTIONS

You must have privileges to the storage that you write to in static mode.
This is typically administrative privileges, but authorized users can
modify the ACLs of the storage to give you access.  IP Security policy 
objects are stored in

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\IPSec\Policy\Local
    for the local/remote machine case
AND

CN=IP Security,CN=System,DC=YourDCName,DC=ParentDCName,DC=TopLevelDC
    ie, the IP Security container under the System container,
    for the Directory Service case.

CAVEATS

*   In dynamic mode, if you use a DNS name that resolves to multiple addresses
    only the first address in the list is used.  This is not a problem in
    static mode.

*   Read the filter spec help carefully, it is the most difficult and
    easiest to confuse.  In particular, pay attention to how a protocol
    is specified.

REQUIRED FILES:
ipseccmd.exe