IPseccmd documentation (IPseccmd文档格式.docx)
- Document number: 20598842
- Upload date: 2023-01-24
- Format: DOCX
- Pages: 17
- Size: 26.68 KB
Dynamic policy will be lost after a system or service restart.
The benefit of dynamic policy is that it can co-exist with DS based policy.
To delete all dynamic policies, execute "ipseccmd -u"

Static mode will create or modify stored policy in either the
Local or Persistent registry locations. Such policy will continue to be used
after a system or service restart, however policies stored in the Local store
will be overwritten by assigned DS policy while policies stored in the
Persistent store will be merged with assigned DS policy.

The syntax for creating policy in Static mode is almost identical to that of
Dynamic mode. The significant difference is the requirement of additional
information as indicated by the options listed in braces as well as a
change in syntax for creating Permit and Block filters.

Show mode will query SPD and display information about currently active policy.

Set mode will change IPSec configuration parameters for the lifetime of the
current instance of the service.

Import and export mode will import or export a .ipsec policy file to/from the
local or persistent storage location.

--------------
DYNAMIC MODE

Each execution of ipseccmd sets an IPSec rule, an IKE policy, or both.

OPTIONS:

  \\machinename sets policies on a remote computer. If not included,
                the local machine is assumed.
                NOTE: If you use this option, it must be the first argument AND
                      you MUST have administrative privileges on the remote computer.

  The following parameters are used to create an IPSec policy.
  If omitted, a default value is used when applicable.
  -f FilterList
     A list of one or more space separated filter specifications
     in the following format:
       A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
     Optionally, you can specify the keyword DEFAULT to set the
     Default Response rule.
     The Source address is always on the left of the '=' and the
     Destination address is always on the right.
     Mask:
       Optional subnet mask. If omitted, 255.255.255.255 will be used.
       If subnets lie along octet boundaries, then you can use the following
       wildcard notation:
         144.92.*.* is the same as 144.92.0.0/255.255.0.0
         128.*.*.*  is the same as 128.0.0.0/255.0.0.0
         128.*.*    is the same as above
         128.*      is the same as above
     You can replace A.B.C.D/mask with the following for special meaning:
       0 means My address(es)
       * means Any address
       a DNS name (NOTE: only the first name resolution will be set)
       DNS, WINS, DHCP, or GATEWAY can be specified. SPD will dynamically
       replace such settings with the associated addresses set on the computer.
     Port and Protocol are optional. If omitted, the values are set to ANY.
     If you indicate a protocol, a port value or ':' must precede it.
     You can also use these protocol symbols: ICMP TCP UDP RAW
     Examples:
       M1+M2::6 will filter TCP traffic between addresses M1 and M2 on any port
       172.31.0.0/255.255.0.0:80+157.0.0.0/255.0.0.0:80:TCP will filter
       all TCP traffic from the first subnet and the second subnet on port 80.
       If you want to filter on Protocol, you should use '::' following the
       Destination Addr.
     MIRRORING:
       If you replace the '=' with a '+', two filters will be created, one in
       each direction.
     PASS and BLOCK filters:
       By surrounding a filter specification with (), the filter will be a
       Pass (or Permit) filter. If you surround the specification with [],
       it will be a Block filter.
       Example:
         (0+128.2.1.1) will create 2 filters that will be exempted from policy.
       This syntax is available only in Dynamic mode. Static mode requires
       setting options in the negotiation method.
     DEFAULT:
       There is no default, -f is required for all Dynamic commands.
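As an added example (not code from ipseccmd or from Microsoft's documentation), the following Python parses the -f FilterList syntax described above. It expands a mirrored '+' specification into its two filters, converts the wildcard mask notation into an address/mask pair, maps the () and [] wrappers to Pass and Block, and rejects a protocol that is not preceded by a port or ':'. The Endpoint and Filter classes, the ME/ANY labels for the 0 and * keywords, the numeric value used for RAW, and the sample filter list in the main block are this example's own assumptions. A check like this is useful when reviewing a deployment script before it is applied: a wrong mask or a missing '::' silently changes which traffic is exempted from or blocked by the policy.

```python
"""Parser for the ipseccmd -f FilterList syntax (added example; assumptions
are marked below). Expands '+' mirroring, wildcard masks and ()/[] actions."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

DEFAULT_MASK = "255.255.255.255"                      # used when /mask is omitted
PROTO_SYMBOLS = {"ICMP": 1, "TCP": 6, "UDP": 17, "RAW": 255}   # RAW=255 is an assumption
SPECIAL_ADDRS = {"0": "ME", "*": "ANY", "DNS": "DNS", "WINS": "WINS",
                 "DHCP": "DHCP", "GATEWAY": "GATEWAY"}  # ME/ANY labels are assumptions

@dataclass(frozen=True)
class Endpoint:
    addr: str   # dotted address, keyword (ME, ANY, DNS, ...) or DNS name
    mask: str
    port: int   # 0 = ANY

@dataclass(frozen=True)
class Filter:
    src: Endpoint
    dst: Endpoint
    protocol: int   # 0 = ANY
    action: str     # NEGOTIATE for a plain spec, PASS for (...), BLOCK for [...]

def parse_address(text: str) -> tuple[str, str]:
    """Return (address, mask) for A.B.C.D/mask, wildcard, keyword or DNS name forms."""
    if text.upper() in SPECIAL_ADDRS:
        return SPECIAL_ADDRS[text.upper()], DEFAULT_MASK
    if "/" in text:
        addr, mask = text.split("/", 1)
        ipaddress.IPv4Address(addr)          # raises ValueError on a malformed address
        ipaddress.IPv4Address(mask)
        return addr, mask
    if "*" in text:                          # 144.92.*.*, 128.*.*.*, 128.*.* or 128.*
        octets = text.split(".")
        n = octets.index("*")                # number of fixed leading octets
        if not 1 <= n <= 3 or len(octets) > 4 or set(octets[n:]) != {"*"}:
            raise ValueError(f"bad wildcard address: {text}")
        addr = ".".join(octets[:n] + ["0"] * (4 - n))
        ipaddress.IPv4Address(addr)
        return addr, ".".join(["255"] * n + ["0"] * (4 - n))
    if re.fullmatch(r"\d+(\.\d+){3}", text):
        ipaddress.IPv4Address(text)
        return text, DEFAULT_MASK
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]*", text):
        raise ValueError(f"bad address or DNS name: {text}")
    return text, DEFAULT_MASK                # DNS name; only its first resolution is used

def _parse_port(text: str) -> int:
    if text == "":
        return 0                             # empty field between '::' means ANY
    if not text.isdigit() or int(text) > 65535:
        raise ValueError(f"bad port (a protocol must be preceded by a port or ':'): {text}")
    return int(text)

def _parse_protocol(text: str) -> int:
    if text.upper() in PROTO_SYMBOLS:
        return PROTO_SYMBOLS[text.upper()]
    if not text.isdigit() or int(text) > 255:
        raise ValueError(f"bad protocol: {text}")
    return int(text)

def parse_filter_spec(spec: str) -> list[Filter]:
    """One spec gives one filter, or two (one per direction) when '+' is used."""
    action = "NEGOTIATE"
    if spec[:1] == "(" and spec[-1:] == ")":
        action, spec = "PASS", spec[1:-1]
    elif spec[:1] == "[" and spec[-1:] == "]":
        action, spec = "BLOCK", spec[1:-1]
    m = re.fullmatch(r"([^=+]+)([=+])([^=+]+)", spec)
    if not m:
        raise ValueError(f"expected 'src=dst' or 'src+dst': {spec}")
    src_text, sep, dst_text = m.groups()
    src_parts = src_text.split(":")          # addr[/mask][:port]
    dst_parts = dst_text.split(":")          # addr[/mask][:port[:protocol]]
    if len(src_parts) > 2 or len(dst_parts) > 3:
        raise ValueError(f"too many ':' fields: {spec}")
    src_port = _parse_port(src_parts[1]) if len(src_parts) > 1 else 0
    dst_port = _parse_port(dst_parts[1]) if len(dst_parts) > 1 else 0
    proto = _parse_protocol(dst_parts[2]) if len(dst_parts) > 2 else 0
    src = Endpoint(*parse_address(src_parts[0]), src_port)
    dst = Endpoint(*parse_address(dst_parts[0]), dst_port)
    filters = [Filter(src, dst, proto, action)]
    if sep == "+":                           # mirroring: add the reverse direction
        filters.append(Filter(dst, src, proto, action))
    return filters

def parse_filter_list(text: str) -> tuple[list[Filter], bool]:
    """Parse a whole -f argument; returns (filters, default_response_rule_requested)."""
    filters, default_rule = [], False
    for spec in text.split():
        if spec.upper() == "DEFAULT":
            default_rule = True
        else:
            filters.extend(parse_filter_spec(spec))
    return filters, default_rule

if __name__ == "__main__":
    # Constructed sample: an exemption, a mirrored subnet rule and a block rule.
    sample = "(0+128.2.1.1) 172.31.0.0/255.255.0.0:80+157.0.0.0/255.0.0.0:80:TCP [*=0:445:TCP]"
    for f in parse_filter_list(sample)[0]:
        print(f"{f.action:9} {f.src.addr}/{f.src.mask}:{f.src.port} -> "
              f"{f.dst.addr}/{f.dst.mask}:{f.dst.port} proto={f.protocol}")
```

The parser deliberately mirrors the help text's rule that the protocol field is the third ':'-separated field: `10.0.0.1=10.0.0.2:TCP` is rejected, because `TCP` lands in the port position, which is exactly the mistake the uploader's note warns about.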
  -n NegotiationMethodList
     A list of one or more space separated negotiation methods in the
     following format:
       ESP[ConfAlg,AuthAlg]Rekey PFS<Group>
       AH[HashAlg]Rekey PFS<Group>
       AH[HashAlg]+ESP[ConfAlg,AuthAlg]Rekey PFS<Group>
     where ConfAlg can be NONE, DES, or 3DES
     and AuthAlg can be NONE, MD5, or SHA
     and HashAlg is MD5 or SHA
     ESP[NONE,NONE] is not a supported configuration.
     DEFAULT:
       ESP[3DES,SHA] ESP[3DES,MD5] ESP[DES,SHA] ESP[DES,MD5]
     Rekey:
       Optional setting to specify the number of KBytes and/or seconds
       after which IKE should rekey a Quick Mode security association.
       Add a value and 'k' or 's' after the negotiation method to indicate
       KBytes or seconds. To use both, separate them with a slash.
       ESP[DES,SHA]5120k/3600s will rekey after 5MB or 1 hour
       DEFAULT:
         100000k/3600s
     PFS:
       Optional setting to enable Quick Mode perfect forward secrecy.
       Add 'PFS' with an optional group value after the negotiation method:
       1, 2, or 3, corresponding to the following Diffie-Hellman groups:
         DH1  - (Low,  768 bit)
         DH2  - (Med,  1024 bit)
         DH14 - (High, 2048 bit)
       If no group number is specified, the Main Mode group will be used.
       ESP[DES,SHA]P2 will set perfect forward secrecy to use DH2
       DEFAULT:
         PFS is not enabled by default.
  -t TunnelAddr
     A tunnel mode endpoint in one of the following formats:
       A.B.C.D
       DNS name
     If you need to set up a tunnel policy, you will need to execute
     ipseccmd twice -- once for the outbound filters and outgoing tunnel
     endpoint, and once for the inbound filters and incoming tunnel endpoint.
     DEFAULT:
       Omission of tunnel address assumes transport mode.
  -a AuthMethodList
     A list of space separated authentication methods in the following format:
       KERBEROS
       CERT:"<CA info>"   e.g. CERT:"CN=CA1,OU=O,O=MEME,C=DE,E=ME@here"
       PRESHARE:"<preshared key>"
     The strings provided as the preshared key or CA info are case sensitive
     and cannot include quotation marks.
     You can abbreviate a method with its first letter, i.e. P, K, or C.
  -soft
     Optional parameter to allow 'soft' security associations.
     DEFAULT:
       Option is not set.
  -confirm
     Optional parameter to ask for confirmation before setting policy.
     Option can only be used in Dynamic mode.
  -lan
     Optional parameter to set policy only on addresses of LAN adapters.
  -dialup
     Optional parameter to set policy only on addresses of dial-up adapters.
     If neither parameter is specified, all local adapters are used.

  The following deal with Main Mode (phase 1) policy.
  If no IKE options are specified, the current IKE policy will be used.
  If there is no current IKE policy, the defaults will be set.
  -1s SecurityMethodList
     A list of one or more space separated security methods in the
     following format:
       ConfAlg-HashAlg-GroupNum
     where ConfAlg can be DES or 3DES
     and HashAlg can be MD5 or SHA
     and GroupNum can be 1, 2, or 3, corresponding to the following DH groups:
       DES-SHA-1
     DEFAULT:
       3DES-SHA-2 3DES-MD5-2 DES-SHA-1 DES-MD5-1
  -1k MMRekeyTime
     The number of Quick Modes and/or seconds after which IKE should rekey a
     Main Mode security association. Add a value with 'Q' or 'S' to indicate
     a limit on Quick Modes or seconds.
     To use both, separate them with a slash.
     10Q/3600S will rekey after 10 quick modes or every hour.
     DEFAULT:
       No Quick Mode limit, 480 min lifetime.
  -1e SoftSAExpirationTime
     The time in seconds to maintain a 'soft' security association.
     DEFAULT:
       Value is not set if -Soft is not specified.
       Value is set to the Main Mode lifetime if -Soft is specified.
-------------
STATIC MODE

Static mode uses most of the dynamic mode syntax, but adds a few options
that enable policy storage in the same format as the IPSec Management snap-in.
While Dynamic mode only lets you add anonymous rules to SPD, Static mode
allows you to create named policies and named rules. It also has some
functionality to modify existing policies and rules, provided they were
originally created with ipseccmd. Policies can be set as either Assigned or
Unassigned. Only Assigned policies will be added to SPD.

In addition to the new parameters listed in braces, a change in syntax must be
made to signify filters as Pass (or permit) and Block. In Static mode, these
options are set in the Negotiation Method List specified by -n. There are three
values you can pass in the Negotiation Method List that have special meaning:
  BLOCK  will ignore any methods in the Negotiation Methods List and
         will make all of the filters in the Filter List Block filters.
  PASS   will ignore any methods in Negotiation Method List and
         will make all of the filters in the Filter List Pass filters.
  INPASS will set any inbound filters in the Filter List as Pass filters while
         setting outbound filters to use the security methods provided.
         This is the same as checking the "Allow unsecured communication,
         but always respond using IPSEC" checkbox in the snap-in.
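As an added example (not ipseccmd's own code) that serves the -n, -1s and -1k descriptions in the DYNAMIC MODE section as well as the Static-mode BLOCK, PASS and INPASS keywords just described, the following Python parses a NegotiationMethodList into structured methods with this help text's defaults filled in (100000k/3600s rekey, PFS off), validates the algorithm names and the unsupported ESP[NONE,NONE] combination, reports any Static-mode override keyword, and parses the Main Mode ConfAlg-HashAlg-GroupNum and NQ/NS rekey syntax. The NegotiationMethod class, the pfs_group convention (None = off, 0 = use the Main Mode group) and the sample list in the main block are this example's assumptions.

```python
"""Parser for the ipseccmd -n NegotiationMethodList (with the Static-mode
BLOCK/PASS/INPASS keywords) and the -1s / -1k Main Mode options.
Added example; the NegotiationMethod class and pfs_group convention are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

ESP_CONF, ESP_AUTH, AH_HASH = {"NONE", "DES", "3DES"}, {"NONE", "MD5", "SHA"}, {"MD5", "SHA"}
MM_CONF, MM_HASH, DH_GROUPS = {"DES", "3DES"}, {"MD5", "SHA"}, {1, 2, 3}
STATIC_ACTIONS = {"BLOCK", "PASS", "INPASS"}   # override the methods in Static mode

@dataclass
class NegotiationMethod:
    ah_hash: str | None            # HashAlg from AH[...], or None
    esp_conf: str | None           # ConfAlg from ESP[...], or None
    esp_auth: str | None           # AuthAlg from ESP[...], or None
    rekey_kbytes: int = 100000     # DEFAULT 100000k/3600s
    rekey_seconds: int = 3600
    pfs_group: int | None = None   # None = PFS off, 0 = PFS with the Main Mode group

METHOD_RE = re.compile(
    r"(?P<algs>(?:AH\[[^\]]*\])?(?:\+?ESP\[[^\]]*\])?)"
    r"(?P<rekey>\d+[ks](?:/\d+[ks])?)?(?P<pfsflag>(?:PFS|P)(?P<pfs>[123])?)?", re.IGNORECASE)
PFS_RE = re.compile(r"(?:PFS|P)([123])?", re.IGNORECASE)   # stand-alone 'PFS<Group>' token

def parse_method(token: str) -> NegotiationMethod:
    m = METHOD_RE.fullmatch(token)
    if not m or not m["algs"]:
        raise ValueError(f"bad negotiation method: {token}")
    algs = m["algs"].upper()
    ah = re.search(r"AH\[(\w+)\]", algs)
    esp = re.search(r"ESP\[(\w+),(\w+)\]", algs)
    if not (ah or esp) or ("+" in algs) != bool(ah and esp):
        raise ValueError(f"use AH[H], ESP[C,A] or AH[H]+ESP[C,A]: {token}")
    method = NegotiationMethod(ah[1] if ah else None, esp[1] if esp else None, esp[2] if esp else None)
    if ah and method.ah_hash not in AH_HASH:
        raise ValueError(f"AH HashAlg must be MD5 or SHA: {token}")
    if esp and (method.esp_conf not in ESP_CONF or method.esp_auth not in ESP_AUTH):
        raise ValueError(f"ESP ConfAlg/AuthAlg out of range: {token}")
    if esp and method.esp_conf == "NONE" and method.esp_auth == "NONE":
        raise ValueError("ESP[NONE,NONE] is not a supported configuration")
    for part in (m["rekey"] or "").split("/"):   # e.g. 5120k/3600s
        if part.lower().endswith("k"):
            method.rekey_kbytes = int(part[:-1])
        elif part:
            method.rekey_seconds = int(part[:-1])
    if m["pfsflag"]:                              # e.g. ESP[DES,SHA]P2
        method.pfs_group = int(m["pfs"]) if m["pfs"] else 0
    return method

def parse_negotiation_list(text: str) -> tuple[list[NegotiationMethod], str | None]:
    """Return (methods, static_action); static_action is BLOCK/PASS/INPASS or None."""
    methods, action = [], None
    for token in text.split():
        pfs = PFS_RE.fullmatch(token)
        if token.upper() in STATIC_ACTIONS:
            action = token.upper()
        elif pfs:                                 # 'PFS' or 'PFS2' after a method
            if not methods:
                raise ValueError("PFS must follow a negotiation method")
            methods[-1].pfs_group = int(pfs[1]) if pfs[1] else 0
        else:
            methods.append(parse_method(token))
    return methods, action

def parse_security_method(token: str) -> tuple[str, str, int]:
    """-1s entry in ConfAlg-HashAlg-GroupNum form, e.g. 3DES-SHA-2."""
    parts = token.upper().split("-")
    if (len(parts) != 3 or parts[0] not in MM_CONF or parts[1] not in MM_HASH
            or not parts[2].isdigit() or int(parts[2]) not in DH_GROUPS):
        raise ValueError(f"bad Main Mode security method: {token}")
    return parts[0], parts[1], int(parts[2])

def parse_mm_rekey(text: str | None = None) -> tuple[int | None, int]:
    """-1k value NQ, NS or NQ/NS -> (quick_mode_limit or None, seconds).
    DEFAULT: no Quick Mode limit, 480 minute lifetime."""
    quick, seconds = None, 480 * 60
    for part in (text or "").split("/"):
        m = re.fullmatch(r"(\d+)([QS])", part, re.IGNORECASE)
        if part and not m:
            raise ValueError(f"bad -1k value: {text}")
        if m and m[2].upper() == "Q":
            quick = int(m[1])
        elif m:
            seconds = int(m[1])
    return quick, seconds

if __name__ == "__main__":
    # Constructed sample: AH+ESP with a 5 MB / 1 hour rekey and DH2 PFS, then a plain ESP method.
    for meth in parse_negotiation_list("AH[SHA]+ESP[3DES,SHA]5120k/3600s PFS2 ESP[3DES,MD5]")[0]:
        print(meth)
    print(parse_security_method("3DES-SHA-2"), parse_mm_rekey("10Q/3600S"))
```

When a BLOCK or PASS keyword is present the returned methods are irrelevant, exactly as the help text says; a reviewer can therefore flag a Static-mode rule whose -n list carries PASS next to a carefully chosen ESP method, since the method will never be used.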
Static Mode Parameters:
  All parameters are REQUIRED unless otherwise indicated.
  -w Location.
     Location to write policy ch