75 lines
2.9 KiB
Plaintext
75 lines
2.9 KiB
Plaintext
IPSEC POLICY CONFIGURATION COMMAND LINE TOOL
|
|
by Randy Ramig (RandyRam@Microsoft.com)
|
|
and Dennis Kalinichenko (DKalin@Microsoft.com)
|
|
|
|
This tool is used to configure IP Security policies in the Directory
|
|
Service, or in a local or remote registry. It does everything that the
|
|
IP Security MMC snap-in does, and is even modeled after the snap-in.
|
|
|
|
In addition, it can query IPSec Security Policies Database (SPD) and
|
|
display the current state of IPSec Services
|
|
|
|
ipseccmd has three mutually exclusive modes: static, dynamic and query.
|
|
|
|
Dynamic mode will plumb policy into the IPSec Services
|
|
Security Policies Database. The policy will be persisted, ie. it will stay
|
|
after a reboot. The benefit of dynamic mode is that the policy can co-exist
|
|
with DS based policies, which overrides any local policy not plumbed
|
|
by ipseccmd.
|
|
|
|
When the tool is used in static mode,
|
|
it creates or modifies stored policy. This policy can be used again and
|
|
will last the lifetime of the store. Static mode is indicated by the -w
|
|
flag. The flags in the {} braces are only valid for static mode. The usage
|
|
for static mode is an extension of dynamic mode, so please read through
|
|
the dynamic mode section.
|
|
|
|
In query mode, the tool queries IPSec Security Policies Database.
|
|
|
|
WHY WOULD I WANT TO USE IPSECCMD?
|
|
|
|
* You have a large and/or complex IPSec policy that you want to
|
|
configure. IPSECCMD can help you by providing a scriptable way to
|
|
create that policy. Just put your IPSECCMD commands into a batch file.
|
|
|
|
This also provides a backup in case you lose the DS or registry that
|
|
the policy is stored in. Just re-run the batch file.
|
|
|
|
* IPSECCMD facilitates just in time policy with it's batch ability.
|
|
If someone wants a secured channel with your server, simply send them
|
|
the tool binaries and the command line or batch file to run.
|
|
|
|
* Your machine is using DS policy and you want to enhance or add rules
|
|
that will allow you to speak IPSec to machines not covered in the
|
|
DS policy. Dynamic mode of IPSECCMD will achieve this for you.
|
|
|
|
* You prefer command line tools to GUI apps.
|
|
|
|
RESTRICTIONS
|
|
|
|
You must have privileges to the storage that you write to in static mode.
|
|
This is typically administrative privileges, but authorized users can
|
|
modify the ACLs of the storage to give you access. IP Security policy
|
|
objects are stored in
|
|
|
|
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\IPSec\Policy\Local
|
|
for the local/remote machine case
|
|
AND
|
|
|
|
CN=IP Security,CN=System,DC=YourDCName,DC=ParentDCName,DC=TopLevelDC
|
|
ie, the IP Security container under the System container,
|
|
for the Directory Service case.
|
|
|
|
CAVEATS
|
|
|
|
* In dynamic mode, if you use a DNS name that resolves to multiple addresses
|
|
only the first address in the list is used. This is not a problem in
|
|
static mode.
|
|
|
|
* Read the filter spec help carefully, it is the most difficult and
|
|
easiest to confuse. In particular, pay attention to how a protocol
|
|
is specified.
|
|
|
|
REQUIRED FILES:
|
|
ipseccmd.exe
|