Deploying IPSec Using Scripts

If a computer is not a member of a Windows 2000 domain or a Windows Server 2003 domain, it cannot retrieve IPSec policy from Active Directory. However, as Chapter 8 described, you can use the Netsh, Ipseccmd.exe, and Ipsecpol.exe command-line tools to create IPSec scripts. You can then run these scripts as startup scripts on each computer on your network; a startup script runs under the LocalSystem account, which has the administrative rights that assigning IPSec policy requires. Each tool is tied to one platform: Ipsecpol.exe (from the Windows 2000 Server Resource Kit) works only on computers running Windows 2000, Ipseccmd.exe (from the Windows XP Support Tools) only on computers running Windows XP, and the Netsh IPSec context only on computers running Windows Server 2003.

Having three separate scripting tools for the three operating systems makes managing a typical network challenging, but the three tools are similar in functionality. The exact parameters vary, yet each tool provides separate static and dynamic configuration modes and the ability to display the existing IPSec configuration. In each tool, dynamic configuration mode changes the currently running IPSec settings, whereas static configuration mode changes the persistent configuration stored in the registry. In other words, dynamic configuration changes are lost when the IPSec service or the computer restarts, but static configuration changes remain.

Real World: Scripting IPSec Policies

Avoid scripting IPSec policies at all costs. I would make a different recommendation if Microsoft provided a single command-line interface that worked for all Windows operating systems, but, for now, it's just not worth the trouble.

Every organization I've worked with has to support several versions of Windows. So, if you want to script IPSec policies for your entire organization, you'll need to either create separate scripts for Windows Server 2003, Windows XP, and Windows 2000, or create a single complex script that contains commands for each of the scripting tools.

I'm glad Microsoft integrated IPSec functionality into Netsh, but I wish Microsoft would provide a single scripting interface for all supported Windows platforms. Scripting IPSec would be much more practical if the Netsh IPSec extensions were available for previous versions of Windows (perhaps in a feature pack), or if Windows Server 2003 were backwards-compatible with IPSecCmd and IPSecPol. Help, Microsoft!

In the meantime, if you must use IPSec scripting with Active Directory, you'll have to create separate GPOs for each version of Windows and use Windows Management Instrumentation (WMI) filtering to deploy separate startup scripts to different platforms. Be aware that Windows 2000 ignores WMI filters and applies a filtered GPO as if the filter had passed, so you must also keep Windows 2000 computers out of the Windows XP and Windows Server 2003 GPOs by security filtering (for example, by group membership). Or you could create a single script that incorporates each of the three different IPSec scripting tools. That script would look something like this:

Netsh IPSec static add ...
Netsh IPSec static add ...
Netsh IPSec static add ...
IPSecCmd ...
IPSecPol ...

Sure, on any given version of Windows only one of the three tools is present, so the commands for the other two fail with "not recognized" errors that you can ignore. Besides being sloppy, the biggest drawback to this approach is that it's error prone. You have to know three separate scripting tools, and every time you make a change to IPSec policy, you need to update the commands for each of the tools.
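If you do go the single-script route, the least sloppy version is a startup script that detects the local Windows version and runs only the matching tool, so a failure is a real failure rather than an error you have been trained to ignore. The following batch file is an added example, not part of the original text. The file-server share, the policy file and the policy name are hypothetical; the Windows Server 2003 branch imports a policy exported from the IP Security Policy Management snap-in, while the Windows XP and Windows 2000 branches build the equivalent rule directly with Ipseccmd.exe and Ipsecpol.exe. The Ipseccmd/Ipsecpol switches used here (-w REG, -p, -r, -f, -n, -x) are taken from those tools' own help output (ipseccmd -?, ipsecpol -?) and should be checked against it before you deploy.

```batch
@echo off
rem Added example: run the IPSec scripting tool that matches the local OS.
rem Share, file and policy names below are hypothetical placeholders.
setlocal
set POLICYFILE=\\fileserver\ipsec$\corp-ipsec.ipsec
set POLICYNAME=Corp Block Telnet

rem "ver" prints: Windows 2000 = Version 5.00.xxxx, Windows XP = Version 5.1.xxxx,
rem Windows Server 2003 = Version 5.2.xxxx. Branch on that string.
ver | find "Version 5.2" >nul && goto ws2003
ver | find "Version 5.1" >nul && goto winxp
ver | find "Version 5.00" >nul && goto win2000
echo Unsupported Windows version; no IPSec policy applied.
exit /b 1

:ws2003
rem Netsh IPSec: import the exported policy store, then assign the policy.
rem POLICYNAME must match the policy name inside the exported .ipsec file.
netsh ipsec static importpolicy file="%POLICYFILE%" || goto fail
netsh ipsec static set policy name="%POLICYNAME%" assign=y || goto fail
goto done

:winxp
rem Ipseccmd (Windows XP Support Tools): persistent (-w REG) policy with one
rem rule whose mirrored filter matches any source (*) to this host (0) on
rem TCP/23, negotiation policy BLOCK, and assign it immediately (-x).
ipseccmd -w REG -p "%POLICYNAME%" -r "Block inbound telnet" -f *+0:23:TCP -n BLOCK -x || goto fail
goto done

:win2000
rem Ipsecpol (Windows 2000 Server Resource Kit): same syntax as Ipseccmd.
ipsecpol -w REG -p "%POLICYNAME%" -r "Block inbound telnet" -f *+0:23:TCP -n BLOCK -x || goto fail
goto done

:fail
echo IPSec policy deployment failed on this computer.
exit /b 1

:done
echo IPSec policy "%POLICYNAME%" assigned.
endlocal
```

Because the script branches on the version string, a non-zero exit code now means the tool that should have worked did not, which is what you want a startup script to report. You still maintain the rule in two syntaxes (Netsh and Ipseccmd/Ipsecpol), so every policy change still has to be made twice and tested on each platform.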


To script the creation of IPSec policy on computers running Windows Server 2003, use the Netsh IPSec commands. There are two ways to do this: use the Netsh ipsec static add command to add IP filters, rules, and IPSec policies, or use the Netsh ipsec static importpolicy command to import a saved IPSec policy.

The simplest way to populate a list of IP security policies on a computer using a script is, ironically, to use a graphical tool. First, create the policies using the IP Security Policy Management snap-in. Then export the policies to a file (the snap-in's Export Policies task writes a .ipsec file containing every policy in the store). Finally, create a script that imports the policies on the destination Windows Server 2003-based computers by using the Netsh ipsec static importpolicy command, and that assigns the policy you want active with the Netsh ipsec static set policy command. In this way, you can centrally manage the IPSec policies in your organization by exporting the policies used by all computers to a central file server. Then distribute startup scripts that import the IP security policies and assign one of them. Exercise 2 at the end of this lesson takes you through the process of exporting an IPSec policy and then importing it by using Netsh.

You can also create IPSec policies directly from the command line, without ever relying on graphical tools. The Netsh ipsec static add filteraction command creates new filter actions (permit, block, or negotiate security). The Netsh ipsec static add filterlist and Netsh ipsec static add filter commands create IP filter lists and the IP filters within them. The Netsh ipsec static add policy command creates new policies, which can be assigned immediately with the assign=yes parameter. Finally, use the Netsh ipsec static add rule command to add rules to a policy by specifying an IP filter list and a filter action. Order matters: a rule can only reference a policy, filter list, and filter action that already exist, so create those first.
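The following batch file is an added example of building a complete policy from the command line with the Netsh commands described above; it is not code from the original text. The policy, filter-list and filter-action names are hypothetical. It creates two filter actions (one that blocks, one that requires ESP with no fallback to clear text), two filter lists with one filter each, a policy with a rule for each list, assigns the policy, displays it for verification, and exports the store so other servers can import it instead of rebuilding it.

```batch
@echo off
rem Added example: build, assign, verify and export an IPSec policy with
rem "netsh ipsec static" on Windows Server 2003. Names are hypothetical.
setlocal
set P=Server Hardening

rem 1. Filter actions. "Require ESP" negotiates ESP with 3DES/SHA1 and
rem    refuses unsecured traffic in both directions (inpass=no, soft=no).
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Require ESP" action=negotiate ^
    qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 2. Filter lists and their filters. dstaddr=me is this host's addresses,
rem    srcaddr=any is everything, srcport=0 is any port, and mirrored=yes
rem    also matches the reply traffic.
netsh ipsec static add filterlist name="Inbound Telnet"
netsh ipsec static add filter filterlist="Inbound Telnet" srcaddr=any dstaddr=me ^
    protocol=TCP srcport=0 dstport=23 mirrored=yes description="Telnet to this host"

netsh ipsec static add filterlist name="Inbound SMB"
netsh ipsec static add filter filterlist="Inbound SMB" srcaddr=any dstaddr=me ^
    protocol=TCP srcport=0 dstport=445 mirrored=yes description="SMB to this host"

rem 3. The policy, then the rules that bind a filter list to a filter action.
rem    The SMB rule authenticates peers with Kerberos, so only domain
rem    members will be able to reach TCP/445 once the policy is assigned.
netsh ipsec static add policy name="%P%" description="Block telnet, require ESP for SMB"
netsh ipsec static add rule name="Block telnet" policy="%P%" ^
    filterlist="Inbound Telnet" filteraction="Block"
netsh ipsec static add rule name="Protect SMB" policy="%P%" ^
    filterlist="Inbound SMB" filteraction="Require ESP" kerberos=yes

rem 4. Assign the policy (only one policy can be assigned at a time) and
rem    print it back so the script's output shows what is actually in force.
netsh ipsec static set policy name="%P%" assign=y
netsh ipsec static show policy name="%P%" level=verbose

rem 5. Export the whole store so other servers can load it with
rem    "netsh ipsec static importpolicy file=..." instead of rebuilding it.
netsh ipsec static exportpolicy file="%TEMP%\server-hardening.ipsec"
endlocal
```

Test this on a non-production server first: the "Require ESP" rule with inpass=no and soft=no means any client that cannot complete an IPSec negotiation (non-domain machines, or anything for which Kerberos fails) loses SMB access the moment the policy is assigned. To back it out, run netsh ipsec static set policy name="Server Hardening" assign=n, then netsh ipsec static delete policy name="Server Hardening".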
