The following Netsh script creates a new policy. The first line creates and assigns a policy named TestPolicy. Assigning the policy automatically un-assigns any other IPSec policies. The second line adds a filter action named DropPacket with the Block action. The third line adds a rule named NoICMP to the new TestFilter IPSec policy. The NoICMP rule is created by using the built-in IP filter list All ICMP Traffic and the newly created rule named Drop Packet.
netsh ipsec static add policy name=TestPolicy assign=yes activatedefaultrule=no netsh ipsec static add filteraction name=DropPacket action=block netsh ipsec static add rule name=NoICMP policy=TestPolicy filterlist="All ICMP Traffic " filteraction=DropPacket
Note Windows 2000 and Windows XP also include Netsh; however, they lack the IPSec extensions.
Tip The Netsh command has a very complicated set of parameters. For a detailed list of parameters, run any of the commands without any parameters. For example, to view the syn tax for adding a rule by using Netsh, open a command prompt and run Netsh ipsec static add rule .
I used the command netsh ipsec static add policy to create the batch file to configure and assign IPSec policy for the troubleshooting lab in Chapter 8. To script the creation of local or Active Directory-based IPSec policy on computers running Windows XP, you can use Ipseccmd.exe, a Windows Support Tool that is included in the Support Tools folder of the Windows XP operating system disc. To install IPSecCmd, you must perform a complete installation of the Support Tools. A normal installation does not install the IPSecCmd tool.
The syntax for IPSecCmd is complex. Creating scripts by using IPSecCmd is challenging even for people experienced with scripting, and the resulting scripts are difficult to maintain. Whenever you create a script, you need to plan for someone else to maintain that script in the event that you leave the organization. Because of IPSecCmd's confusing syntax, administrators who take over the maintenance of your script will certainly have a difficult time updating the scripts. For these reasons, you should avoid using IPSecCmd except when absolutely necessary.
IPSecCmd uses a syntax similar to that of IPSecPol but very different from that of Netsh. While Netsh uses separate commands to create IP filters, rules, filter actions, and policies, IPSecCmd can create each of these components of an IPSec policy with a single command. For example, to create and assign a local policy named TestPolicy, with a rule named SecureTraffic, using a mirrored filter for any traffic to the local computer and a preshared key as the authentication method, run the following command:
ipseccmd -f 0+* -a p:"localauth" -w reg -p TestPolicy -r "SecureTraffic" -x
Was this article helpful?
Turbocharge Your Traffic And Profits On Auto-Pilot. Would you like to watch visitors flood into your websites by the 1,000s, without expensive advertising or promotions? The fact is, there ARE people with websites doing exactly that right now. How is that possible, you ask? The answer is Advanced SEO Techniques.