This command-line tool configures Internet Protocol Security (IPSec) policies in the Directory Service, or in a local or remote registry. It does everything that the IPSec Microsoft Management Console (MMC) snap-in does, and is even modeled after the snap-in.
IPSecPol has two mutually exclusive modes: dynamic and static. The default mode is dynamic.
This tool runs only on Microsoft Windows 2000.
Note
For a more thorough explanation of IPSec policy terminology, see the online Help for the IPSec MMC snap-in.
Files Required
IPSecPol Topics
IPSecPol has two modes: Dynamic and Static.
Dynamic mode plumbs policy into the Policy Agent, which is active only for the lifetime of the Policy Agent service. This means it will not be active after a restart or stopping of the service. The benefit of dynamic mode is that the policy can co-exist with directory service-based policies, which override any local policy not plumbed by IPSecPol.
Each execution of the tool sets an IPSec rule, an IKE policy, or both. When setting the IPSec policy, think of it as setting an IP Security Rule in the UI. So, if you need to set up a tunnel policy, you will need to execute the tool twice, once for the outbound filters and outgoing tunnel endpoint, and once for the inbound filters and incoming tunnel endpoint.
In dynamic mode, if you use a DNS name that resolves to multiple addresses only the first address in the list is used. This is not a problem in static mode.
Read the filter spec help carefully, it is the most difficult and easiest to confuse. In particular, pay attention to how a protocol is specified.
Note
References to SHA in IPSecPol refer to the SHA1 algorithm.
In static mode, IPSecPol creates or modifies stored policy. This policy can be used again and will last the lifetime of the store. This is the mode that the IPSec MMC snap-in uses. Static mode is indicated by the -w flag. The following flags are valid only for static mode. The usage for static mode is an extension of dynamic mode, so please read through the dynamic mode section.
Static mode uses most of the dynamic mode syntax, but adds a few flags that enable it to work at a policy level as well. Remember, dynamic mode just lets you add anonymous rules to the policy agent. Static mode allows you to create named policies and named rules. It also has some functionality to modify existing policies and rules, provided they were originally created with IpSecPol.
Static mode is designed to provide most of the functionality of the IPSec user interface in a command-line tool, so there are references here to the snap-in.
Static mode requires one change to the dynamic-mode usage. In static mode, pass through and block filters are indicated in the NegotiationPolicyList that is specified by -n. There are three items you can pass in the NegotiationPolicyList that have special meaning:
For static mode, authorized users can modify the ACLs of the storage to give you access. For the local or remote computer case, IP Security policy objects are stored in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Policy\Local
For the Directory Service case, they are stored in:
CN=IP Security,CN=System,DC=YourDCName,DC=ParentDCName,DC=TopLevelDC
In other words, the IP Security container under the System container.
ipsecpol [\\computername] [-?] [-f FilterList] [-n NegotiationPolicyList] [-t TunnelAddress] [-a AuthMethodList] [-u] [-soft] [{-dialup | -lan}] [-1s SecurityMethodList] [-1k Phase1RekeyAfter] [-1p] [-confirm] [-w TYPE:DOMAIN] [-p PolicyName:PollInterval] [-r RuleName] [-x] [-y] [-o]
Where:
Note
You must have administrative privileges on the computer specified.
The following flags deal with IPSec policy. If omitted, a default value is used where specified.
A filterspec is of the format:
A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
The Source address is always on the left of the = and the Destination address is always on the right.
MIRRORING: If you replace the = with a + two filters will be created, one in each direction.
mask and port are optional. If omitted, Any port and
mask 255.255.255.255 will be used for the filter.
You can replace A.B.C.D/mask with the following for
special meaning:
0 means My address(es)
* means Any address
a DNS name (Note that multiple resolutions are ignored)
protocol is optional, if omitted, Any protocol is assumed. If you indicate a protocol, a port must precede it or :: must preceded it. Note that if protocol is specified, it must be the last item in the filter spec.
Examples:
Machine1+Machine2::6 will filter TCP traffic between Machine1 and Machine2
172.31.0.0/255.255.0.0:80=157.0.0.0/255.0.0.0:80:TCP will filter all TCP traffic from the first subnet, port 80 to the second subnet, port 80
PASSTHRU and DROP filters: By surrounding a filter specification with (),
the filter will be a passthru filter. If you surround it with [], the
filter will be a blocking, or drop, filter.
Example: (0+128.2.1.1) will create 2 filters (it's mirrored) that will
be exempted from policy.
You can use the following protocol symbols: ICMP UDP RAW TCP
Star notation:
If you're subnet masks are along octet boundaries, then you
can use the star notation to wildcard subnets.
Examples:
128.*.*.* is same as 128.0.0.0/255.0.0.0
128.*.* is the same as above
128.* is the same as above
144.92.*.* is same as 144.92.0.0/255.255.0.0
ESP[ConfAlg,AuthAlg]RekeyPFS
AH[HashAlg]
AH[HashAlg]+ESP[ConfAlg,AuthAlg]
where ConfAlg can be NONE, DES, or 3DES
and AuthAlg can be NONE, MD5, or SHA
and HashAlg is MD5 or SHA
NOTE: ESP[NONE,NONE] is not a supported config
NOTE: SHA refers the SHA1 hash algorithm
Rekey is number of KBytes or number of seconds to rekey
put K or S after the number to indicate KBytes or seconds, respectively
Example: 3600S will rekey after 1 hour
To use both, separate with a slash.
Example: 3600S/5000K will rekey every hour and 5 MB.
REKEY PARAMETERS ARE OPTIONAL
PFS this is OPTIONAL, if it is present it will enable phase 2 perfect
forward secrecy. You may use just P for short.
A.B.C.D
DNS name
A list of space separated auth methods of the form:
PRESHARE:"preshared key string"
KERBEROS
CERT:"CA Info"
The strings provided to preshared key and CA info ARE case sensitive.
You can abbreviate the method with the first letter, ie. P, K, or C.
The following three flags deal with IKE phase 1 policy. An easy way to remember this is that all IKE phase 1 parameters are passed with a 1 in the flag. If no IKE flags are specified, the current IKE policy is used. If there is no current IKE policy, the defaults specified below are used.
ConfAlg-HashAlg-GroupNum
where ConfAlg can be DES or 3DES
and HashAlg is MD5 or SHA
and GroupNum is:
1 (Low)
2 (Med)
Example: DES-SHA-1
Example: 10Q will rekey after 10 quick modes
To use both, separate with a slash.
Example: 10Q/3600S will rekey every hour and 10 quick modes
All static-mode flags are required unless otherwise indicated.
TYPE can be either REG for registry or DS for Directory Storage
if \\machinename was specified and TYPE is REG, will be written
to the remote machine's registry
DOMAIN for the DS case only. Indicates the domain name of the
DS to write to. If omitted, use the domain the local machine is in.
Note
All flags except –f have defaults. You must usually provide –f to specify to which filters to apply the policy, except with the –u, –x, and –y flags, which delete policies or rules.
This example establishes an AH tunnel between the two specified IP addresses. Note that the phase 1 security method is set with PFS. It also uses -confirm, abbreviated to -c.
ipsecpol -f 128.2.1.1=128.2.1.13 -t 128.2.1.13 -n ah[sha] -apreshare:tooltime -1s des40-md5-3 -1p -c
ipsecpol -f 128.2.1.13=128.2.1.1 -t 128.2.1.1 -n ah[sha] -apreshare:tooltime -1s des40-md5-3 -1p -c
This example sets a mirrored filter of me to any using AH md5. It uses Kerberos for the Oakley authority on the local computer.
ipsecpol -f 0+* -n ah[md5]
This example establishes a mirrored filter between the two computers named randyram and randyram0, using an AND proposal and a preshared key. It sets policy on \\randyram0.
ipsecpol \\randyram0 -f randyram+randyram0 -n esp[des,sha]+ah[md5] -apreshare:tooltime -c
This example sets up a policy in the Directory Service for the domain that the computer running this command is in. It sets up a Directory Service-based policy for clients to two secured servers. Both ESP and AH are sent as security offers and the computers negotiate which one they will use. Note the use of abbreviation in the authentication methods (KERBEROS could have been abbreviated as a K) and that this rule is only for LAN interfaces.
ipsecpol -w DS -p "Default Domain Policy":30 -r "Secured Servers" -f 0+SecuredServer1 0+SecuredServer2 -n ESP[MD5,DES] AH[MD5] -a KERBEROS P:ace -lan
This example sets up a local policy that would negotiate properly with the policy from the previous example (Using static mode to set up a domain policy), so it would be run on SecuredServer1 or SecuredServer2. Note the use of -x to make the policy active.
ipsecpol -w REG -r "Me to Anyone" -p "Secure My Traffic" -f 0+*
-n AH[MD5] -a P:ace -x
Updating a rule in static mode is not augmenting the existing rule. Rather, it replaces the rule's current settings with the settings you specify on the command line. For example, if you take the policy from Example 5 and want to modify just the negotiation policy, you would execute:
ipsecpol -w REG -r "Me to Anyone" -p "Secure My Traffic" -n ESP[DES,SHA] AH[SHA]PFS
This would replace the original negotiation policy with the one specified above. It would not touch any of the other settings in the existing rule.