The built-in Windows firewall is robust but single-purpose: it only filters inbound traffic and has no control over packets the host itself sends out. IPsec policy is a good supplement, but the IPsec MMC snap-in is clumsy to work with, and most of the IPsec security configuration scripts circulating on the Internet can only be run once; running them a second time after a change leaves behind unwanted policies or rules.
This improved version therefore starts with commands that delete the existing policies, filter actions and filter lists. The policies that ship with the system are deleted as well, which does not matter: they are of no use here, and the script becomes simpler. You can run the script again after every modification, which makes batch changes easy.
The description at the end of each filter in the script is stored as the filter's description in IPsec, so it does not interfere with running the script.
Configuration strategy: deny all, allow selected traffic.
@echo off
rem ============================================================
rem author Zhao Yaonan
rem date
rem apply to win2k3
rem ============================================================

rem make sure the agent service starts with the system
sc config "yyagent" start= auto
sc start yyagent

rem remove the previous version of this policy and every other static policy,
rem filter action and filter list, so the script can be run repeatedly
netsh ipsec static delete rule all policy=ipsec_base_config
netsh ipsec static delete policy all
netsh ipsec static delete filteraction all
netsh ipsec static delete filterlist all

rem the policy is created unassigned and only assigned at the very end
netsh ipsec static add policy name=ipsec_base_config assign=no
netsh ipsec static add filteraction name=block action=block
netsh ipsec static add filteraction name=permit action=permit
netsh ipsec static add filterlist name=permitlist
netsh ipsec static add filterlist name=alllist

rem inbound exceptions (dstport=0 means any port)
netsh ipsec static add filter filterlist=permitlist srcaddr=any dstaddr=me protocol=tcp mirrored=yes dstport=80 description="external service port"
netsh ipsec static add filter filterlist=permitlist srcaddr=1.2.3.4 dstaddr=me protocol=tcp mirrored=yes dstport=3306 description="database"
netsh ipsec static add filter filterlist=permitlist srcaddr=2.3.4.5 srcmask=32 dstaddr=me dstmask=32 protocol=any mirrored=yes dstport=0 description="VPN-IP"
rem VPN_EGRESS_IP is a placeholder: the address in the original did not survive
netsh ipsec static add filter filterlist=permitlist srcaddr=VPN_EGRESS_IP dstaddr=me protocol=any mirrored=yes dstport=0 description="VPN-IP"
rem netsh ipsec static add filter filterlist=permitlist srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=me protocol=any mirrored=yes dstport=0 description="intranet trusted network"
rem NTP_SERVER is a placeholder: the address in the original did not survive
netsh ipsec static add filter filterlist=permitlist srcaddr=NTP_SERVER srcmask=255.255.255.255 srcport=123 dstaddr=me dstport=123 protocol=udp mirrored=yes description="Fudan University NTP time synchronization server"
netsh ipsec static add filter filterlist=permitlist srcaddr=any dstaddr=me protocol=icmp mirrored=yes description="PING response; ping can be disabled, but then even the local machine cannot be pinged"
netsh ipsec static add filter filterlist=permitlist srcaddr=60.195.252.107 dstaddr=me protocol=udp mirrored=yes dstport=161 description="Jiankongbao monitoring SNMP"
rem MONITOR_IP is a placeholder: the address in the original did not survive
netsh ipsec static add filter filterlist=permitlist srcaddr=MONITOR_IP dstaddr=me protocol=udp mirrored=yes dstport=161 description="Jiankongbao monitoring SNMP"
netsh ipsec static add filter filterlist=permitlist srcaddr=MONITOR_IP dstaddr=me protocol=tcp mirrored=yes dstport=3306 description="Jiankongbao monitoring MySQL"

rem outbound exceptions (mirrored=yes also admits the replies)
netsh ipsec static add filter filterlist=permitlist srcaddr=me dstaddr=202.96.128.86 protocol=udp mirrored=yes dstport=53 description="Internet DNS, change to your local DNS"
netsh ipsec static add filter filterlist=permitlist srcaddr=me dstaddr=any protocol=tcp mirrored=yes dstport=80 description="Internet web access"
netsh ipsec static add filter filterlist=permitlist srcaddr=me dstaddr=any protocol=tcp mirrored=yes dstport=8080 description="Internet web access"
netsh ipsec static add filter filterlist=permitlist srcaddr=me dstaddr=any protocol=tcp mirrored=yes dstport=443 description="Internet web access"
netsh ipsec static add filter filterlist=permitlist srcaddr=me dstaddr=any protocol=tcp mirrored=yes dstport=21 description="Internet FTP access"

rem finally, everything else
netsh ipsec static add filter filterlist=alllist srcaddr=any dstaddr=me protocol=any mirrored=yes dstport=0 description="all other traffic"

rem bind the filter lists to their actions and assign the policy
netsh ipsec static add rule name=1 policy=ipsec_base_config filterlist=permitlist filteraction=permit
netsh ipsec static add rule name=2 policy=ipsec_base_config filterlist=alllist filteraction=block
netsh ipsec static set policy name=ipsec_base_config assign=y
Tested and working. Note that once the policy is assigned, the server can only be reached remotely through the VPN.
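Because the policy ends with a deny-all filter, the practical risk of running it is losing remote management access to the host, which is why the author notes that only the VPN can connect afterwards. The pre-flight check below is an added example, not part of the author's script: it parses filter lines in the netsh ipsec static syntax used above and reports which management ports a given administrator address would lose. The sample filter lines, the administrator addresses and the default RDP port are constructed for illustration.

```python
import ipaddress

# Constructed sample in the page's "netsh ipsec static add filter" syntax
# (not the author's full script): web open to everyone, one VPN host,
# an intranet range and ICMP in permitlist; a catch-all in alllist.
SAMPLE_SCRIPT = """
netsh ipsec static add filter filterlist=permitlist srcaddr=any dstaddr=me protocol=tcp mirrored=yes dstport=80
netsh ipsec static add filter filterlist=permitlist srcaddr=2.3.4.5 srcmask=32 dstaddr=me dstmask=32 protocol=any mirrored=yes dstport=0
netsh ipsec static add filter filterlist=permitlist srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=me protocol=any mirrored=yes dstport=0
netsh ipsec static add filter filterlist=permitlist srcaddr=any dstaddr=me protocol=icmp mirrored=yes
netsh ipsec static add filter filterlist=alllist srcaddr=any dstaddr=me protocol=any mirrored=yes dstport=0
"""

def parse_filters(script):
    """Return the key=value fields of every 'add filter' line (lower-cased)."""
    rules = []
    for line in script.splitlines():
        toks = line.split()
        if toks[:5] != ["netsh", "ipsec", "static", "add", "filter"]:
            continue
        rules.append(dict(t.lower().split("=", 1) for t in toks[5:] if "=" in t))
    return rules

def src_matches(rule, src_ip):
    """Does a remote source address fall inside the filter's srcaddr/srcmask?"""
    src = rule.get("srcaddr", "any")
    if src == "any":
        return True
    if src == "me":  # the host itself is never a remote peer
        return False
    # netsh takes a dotted mask or a prefix length; ipaddress accepts both
    net = ipaddress.ip_network(f"{src}/{rule.get('srcmask', '32')}", strict=False)
    return ipaddress.ip_address(src_ip) in net

def permits_inbound(rules, filterlist, src_ip, proto, dport):
    """True if a filter in `filterlist` covers inbound proto/dport from src_ip.
    dstport=0 (or omitted) means any port; protocol=any means any protocol."""
    for r in rules:
        if r.get("filterlist") != filterlist or r.get("dstaddr") != "me":
            continue
        if not src_matches(r, src_ip):
            continue
        if r.get("protocol", "any") not in ("any", proto.lower()):
            continue
        if int(r.get("dstport", "0")) not in (0, dport):
            continue
        return True
    return False

def lockout_check(script, admin_ip, mgmt_ports=(("tcp", 3389),)):
    """Management ports the admin host would lose once the deny-all rule applies."""
    rules = parse_filters(script)
    return [p for p in mgmt_ports if not permits_inbound(rules, "permitlist", admin_ip, *p)]

if __name__ == "__main__":
    print("203.0.113.9 loses:", lockout_check(SAMPLE_SCRIPT, "203.0.113.9"))  # RDP not permitted
    print("2.3.4.5 loses:", lockout_check(SAMPLE_SCRIPT, "2.3.4.5"))          # the VPN host keeps RDP
```

Run it against the real permitlist before the final `set policy ... assign=y`, passing the address you will administer from; a non-empty result means that address is about to be cut off.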