netsh ipsec usage (IP Security Policy) - DOS/batch

Source: Internet
Author: User
Tags: dedicated IP
Using netsh ipsec

On the command line, IPSec security policy is configured through netsh ipsec static (the IPSec Policy Agent service must be running).
A policy consists of one or more rules; a rule consists of an IP filter list and a filter action; a filter list consists of one or more filters. The filter list and filter action referenced by a rule do not have to exist yet, but if they do not they must be created first. Because a rule can only reference objects that already exist, IPSec is configured in steps: create an empty policy; create a filter list and add filters to it; create a filter action (these two can be done in either order); and, once all three exist, create the rule that binds the list and the action into the policy. The sections below cover creating, modifying and deleting a policy and, most importantly, assigning (activating) it.

For more detail, see Microsoft's TechNet library:

Netsh Commands for Internet Protocol Security (IPsec)

Link: http://technet.microsoft.com/zh-cn/cc725926

Note: that page also links to "Netsh Commands for Windows Firewall with Advanced Security", which is worth following; the help there is even more extensive.

Export the IPSec security policy store (do this before changing anything, so you can roll back): netsh ipsec static exportpolicy file=D:\ExportSecurity.ipsec
Import an IPSec security policy store: netsh ipsec static importpolicy file=D:\ImportSecurity.ipsec
1. Creating a new policy
1.1 First create an empty security policy, "Michael's security policy" (names containing spaces or apostrophes must be quoted):
netsh ipsec static add policy name="Michael's security policy"
1.2 Create a filter action named "Block":
netsh ipsec static add filteraction name=Block action=block
1.3 Create a filter list, "Accessible Terminal List", and add filters to it. dstaddr=me means this computer, dstport=0 means any port, and mirrored=yes makes the filter also match the reply direction:
netsh ipsec static add filterlist name="Accessible Terminal List"
netsh ipsec static add filter filterlist="Accessible Terminal List" srcaddr=203.86.32.248 dstaddr=me dstport=3389 description="Department 1 access" protocol=TCP mirrored=yes
netsh ipsec static add filter filterlist="Accessible Terminal List" srcaddr=203.86.31.0 srcmask=255.255.255.0 dstaddr=60.190.145.9 dstport=0 description="Department 2 access" protocol=any mirrored=yes
1.4 Create the policy rule that binds the filter list and the filter action into the policy:
netsh ipsec static add rule name="Accessible Terminal policy rule" policy="Michael's security policy" filterlist="Accessible Terminal List" filteraction=Block
2. Modifying the policy
There is no "set filter" command in netsh ipsec static. To change a filter, delete it (a filter is identified by its addresses, protocol, ports and mirroring) and add the replacement:
netsh ipsec static delete filter filterlist="Accessible Terminal List" srcaddr=203.86.32.248 dstaddr=me dstport=3389 protocol=TCP mirrored=yes
netsh ipsec static add filter filterlist="Accessible Terminal List" srcaddr=220.207.31.249 dstaddr=me dstport=3389 protocol=TCP mirrored=yes
Policies, filter lists, filter actions and rules, by contrast, can be changed in place with set policy, set filterlist, set filteraction and set rule.
3. Deleting the policy
Unassign an active policy first, then remove the rule, the filter list, and finally the policy itself:
netsh ipsec static set policy name="Michael's security policy" assign=n
netsh ipsec static delete rule name="Accessible Terminal policy rule" policy="Michael's security policy"
netsh ipsec static delete filterlist name="Accessible Terminal List"
netsh ipsec static delete policy name="Michael's security policy"
4. The most important step: assigning (activating) the policy. None of the above has any effect on traffic until this is done:
netsh ipsec static set policy name="Michael's security policy" assign=y
Here's a sample I wrote myself:

The code is as follows:

echo Create the security policy
netsh ipsec static add policy name="APU Security Policy"
echo Create the "Prevent" filter action (block)
netsh ipsec static add filteraction name=Prevent action=block
echo Create the "Allow" filter action (permit)
netsh ipsec static add filteraction name=Allow action=permit
echo Create the filter list of accessible terminals and its first filter
netsh ipsec static add filterlist name="Accessible Terminal List"
netsh ipsec static add filter filterlist="Accessible Terminal List" srcaddr=203.86.32.248 dstaddr=me dstport=3389 description="Department 1 access" protocol=TCP mirrored=yes
echo Add the second filter to the same list
netsh ipsec static add filter filterlist="Accessible Terminal List" srcaddr=203.86.31.0 srcmask=255.255.255.0 dstaddr=60.190.145.9 dstport=0 description="Department 2 access" protocol=any mirrored=yes
echo Create the policy rule (the action must be one created above: Prevent, not the non-existent "block")
netsh ipsec static add rule name="Accessible Terminal policy rule" policy="APU Security Policy" filterlist="Accessible Terminal List" filteraction=Prevent
echo Assign the policy
netsh ipsec static set policy name="APU Security Policy" assign=y
pause

Or
The code is as follows (the filter lists that are created must carry exactly the names the filters and rules reference, and each rule in a policy needs a distinct name):

netsh ipsec static add policy name="Default Policy Name"
pause
netsh ipsec static add filteraction name="Block Action" action=block
pause
netsh ipsec static add filteraction name="Allow Action" action=permit
pause
netsh ipsec static add filterlist name="Access List 1"
pause
netsh ipsec static add filterlist name="Access List 2"
pause
netsh ipsec static add filter filterlist="Access List 1" srcaddr=203.86.32.248 dstaddr=me dstport=3389 description="Department 1 access" protocol=TCP mirrored=yes
pause
netsh ipsec static add filter filterlist="Access List 2" srcaddr=203.86.31.0 srcmask=255.255.255.0 dstaddr=60.190.145.9 dstport=0 description="Department 2 access" protocol=any mirrored=yes
pause
netsh ipsec static add rule name="Accessible Terminal rule 1" policy="Default Policy Name" filterlist="Access List 1" filteraction="Block Action"
pause
netsh ipsec static add rule name="Accessible Terminal rule 2" policy="Default Policy Name" filterlist="Access List 2" filteraction="Block Action"
pause
netsh ipsec static set policy name="Default Policy Name" assign=y
pause

[The following is reproduced without testing; it can be found via Baidu.]
The code is as follows:

REM ================= begin ================
netsh ipsec static ^
add policy name=bim
REM Add two filter actions, permit and block
netsh ipsec static ^
add filteraction name=permit action=permit
netsh ipsec static ^
add filteraction name=block action=block
REM First block all traffic to and from this host (mirrored defaults to yes)
netsh ipsec static ^
add filterlist name=allaccess
netsh ipsec static ^
add filter filterlist=allaccess srcaddr=me dstaddr=any
netsh ipsec static ^
add rule name=blockallaccess policy=bim filterlist=allaccess filteraction=block
REM Allow one IP unrestricted access; the more specific filter overrides the general block
netsh ipsec static ^
add filterlist name=unlimitedip
netsh ipsec static ^
add filter filterlist=unlimitedip srcaddr=61.128.128.67 dstaddr=me
netsh ipsec static ^
add rule name=allowunlimitedip policy=bim filterlist=unlimitedip filteraction=permit
REM Open specific ports to everyone: FTP (20/21), HTTP (80), RDP (3389)
netsh ipsec static ^
add filterlist name=opensomeport
netsh ipsec static ^
add filter filterlist=opensomeport srcaddr=any dstaddr=me dstport=20 protocol=tcp
netsh ipsec static ^
add filter filterlist=opensomeport srcaddr=any dstaddr=me dstport=21 protocol=tcp
netsh ipsec static ^
add filter filterlist=opensomeport srcaddr=any dstaddr=me dstport=80 protocol=tcp
netsh ipsec static ^
add filter filterlist=opensomeport srcaddr=any dstaddr=me dstport=3389 protocol=tcp
netsh ipsec static ^
add rule name=allowopensomeport policy=bim filterlist=opensomeport filteraction=permit
REM Outbound HTTP from this host, and one IP may reach SQL Server (1433)
netsh ipsec static ^
add filterlist name=someipsomeport
netsh ipsec static ^
add filter filterlist=someipsomeport srcaddr=me dstaddr=any dstport=80 protocol=tcp
netsh ipsec static ^
add filter filterlist=someipsomeport srcaddr=61.128.128.68 dstaddr=me dstport=1433 protocol=tcp
netsh ipsec static ^
add rule name=allowsomeipsomeport policy=bim filterlist=someipsomeport filteraction=permit
REM Nothing takes effect until the policy is assigned. Before doing so, make sure
REM the address you administer from is in unlimitedip (or that port 3389 stays open),
REM and note that this policy also blocks outbound DNS (UDP 53), so name resolution
REM from this host will fail unless a filter for it is added.
netsh ipsec static ^
set policy name=bim assign=y
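The assign step is the one that matters, and it is also the moment a mistake in a block-all policy cuts off the remote session you are working from. The following PowerShell script is an added example, not code from the original article or the reproduced batch files. It drives the same netsh ipsec static commands to assign an already-built policy safely from a remote session: it exports the policy store for rollback, adds a permit rule for the administrator's own address, schedules a one-shot unassign as a dead-man switch, assigns, then verifies the assignment from the store. The policy name, the administrator address, the "Assigned : YES" line in the show policy output, the "already exist" wording for duplicate objects, and the schtasks /st HH:mm syntax (Vista and later) are all assumptions.

```powershell
# Added example (not from the original article). Assigns an existing legacy IPsec
# policy without locking yourself out of a remote session. Run from an elevated
# PowerShell prompt. Names and addresses below are assumptions; adjust them.
param(
    [string]$PolicyName = 'APU Security Policy',  # assumed: a policy already built, e.g. by one of the batch files
    [string]$AdminHost  = '203.86.32.248',        # assumed: the address you are administering from
    [int]$RollbackMinutes = 10
)

function Invoke-IpsecStatic {
    # Runs one "netsh ipsec static" command. A batch file just continues after an
    # error; here a failed step stops the script. netsh prints errors as "ERR ..."
    # lines on stdout, so both the exit code and the text are checked.
    $out = & netsh.exe ipsec static @args
    if ($out -match 'already exist') { return $out }   # assumption: wording netsh uses for duplicates; makes re-runs harmless
    if ($LASTEXITCODE -ne 0 -or ($out -match '^ERR')) {
        throw "netsh ipsec static $($args -join ' ') failed:`n$($out -join "`n")"
    }
    return $out
}

$work = Join-Path $env:SystemRoot 'Temp'   # path without spaces, readable by SYSTEM

# 1. Back up the whole policy store first; "importpolicy file=..." restores it.
$backup = Join-Path $work ('ipsec-before-{0:yyyyMMdd-HHmmss}.ipsec' -f (Get-Date))
Invoke-IpsecStatic exportpolicy file=$backup | Out-Null

# 2. Guarantee the admin host unrestricted access. IPsec applies the most specific
#    matching filter, so this single-host permit wins over any broad block in the policy.
Invoke-IpsecStatic add filteraction name="Mgmt Permit" action=permit | Out-Null
Invoke-IpsecStatic add filterlist name="Mgmt Hosts" | Out-Null
Invoke-IpsecStatic add filter filterlist="Mgmt Hosts" srcaddr=$AdminHost dstaddr=me protocol=any mirrored=yes | Out-Null
Invoke-IpsecStatic add rule name="Mgmt Access" policy=$PolicyName filterlist="Mgmt Hosts" filteraction="Mgmt Permit" | Out-Null

# 3. Dead-man switch: a one-shot scheduled task unassigns the policy in
#    $RollbackMinutes unless we delete the task after confirming we still have access.
$rollback = Join-Path $work 'ipsec-rollback.cmd'
"netsh ipsec static set policy name=""$PolicyName"" assign=n" | Set-Content -Path $rollback -Encoding ASCII
$fireAt = (Get-Date).AddMinutes($RollbackMinutes).ToString('HH:mm')   # assumption: Vista+ schtasks; add /sd if this crosses midnight
& schtasks.exe /create /f /tn IpsecRollback /sc once /st $fireAt /ru SYSTEM /tr $rollback | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'could not schedule the rollback task; refusing to assign' }

# 4. Assign: the step the article calls the most important one. Nothing above
#    affects traffic until this succeeds.
Invoke-IpsecStatic set policy name=$PolicyName assign=y | Out-Null

# 5. Verify from the store rather than trusting the exit code.
$status = Invoke-IpsecStatic show policy name=$PolicyName
if (-not ($status -match 'Assigned\s*:\s*YES')) {   # assumption: an "Assigned : YES" line in the show policy output
    throw "policy '$PolicyName' is not reported as assigned; backup is $backup"
}
Write-Host "Assigned. Backup: $backup"
Write-Host "If this session still works, cancel the rollback with: schtasks /delete /tn IpsecRollback /f"
```

If the session survives, delete the rollback task as the last line says; if it does not, the task unassigns the policy and the exported .ipsec file can be re-imported with netsh ipsec static importpolicy to return to the previous store.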



Purpose:
IPSec stands for Internet Protocol Security. It has two main functions: protecting the content of IP packets, and filtering packets so that only trusted communication gets through, which defends against network attacks. This is good news whenever we have important data to protect from eavesdropping, because Windows 2000 has the feature built in and no other tool is needed.
Because the data is encrypted (with symmetric ciphers) at the IP layer and the whole IP packet is protected, there is no need to secure each protocol of the TCP/IP suite separately: applications hand their data to TCP/IP and it is protected once it reaches the IP layer. IPSec configuration is comparatively complex, but it is transparent to applications, which need no changes to benefit from it. The following sections describe the concepts, the way IPSec works, and its practical application:
I. How IPSec works:
When two computers communicate and an IPSec policy has been assigned, each host checks its policy; if the policy applies to the traffic, a negotiation takes place, carried out through security associations (SAs). After the negotiation succeeds the two computers, as the policy dictates, set up a protected connection and encrypt the data they exchange. On the receiving side the IPSec driver decrypts the packets and hands them to the TCP/IP driver, which delivers them to the receiving application.
II. Opening the IPSec management console:
There are two ways, with identical functionality:
  Start > Programs > Administrative Tools > Local Security Policy (or Run secpol.msc)
  mmc > Add/Remove Snap-in > Add > IP Security Policy Management > OK
III. Predefined policies:
By default no IPSec policy is assigned; one has to be assigned before anything happens. The system ships three predefined policies:
  Secure Server (Require Security): IPSec must be used; communication fails if the peer does not use IPSec. For computers that always require secure communication.
  Client (Respond Only): IPSec is not used by default, but is used if the peer requests it. For computers whose communication mostly does not need protection.
  Server (Request Security): requests IPSec by default, but falls back to unprotected communication if the peer does not support IPSec. For computers whose communication should be protected most of the time.
Policies can be assigned on a single computer or in bulk through Group Policy. Note that for the negotiation to succeed, both ends of the communication must have a matching policy configured and assigned.
IV. IPSec modes:
  Transport mode (security between computers): protects communication between two hosts and is the default mode. It needs IPSec support on both hosts (Windows 2000 in the original setup) and provides end-to-end security.
  Tunnel mode (security between networks): the whole packet is encapsulated, sent through the tunnel and unpacked at the far end. It is typically implemented on two routers: IPSec is configured on both, securing the traffic between them. It is mainly used across WAN links and does not protect traffic inside either network.
V. IPSec authentication methods:
  Kerberos V5 (default): choose this if the computers are domain members and Kerberos V5 clients, e.g. Windows 2000 computers in a domain.
  Certificates: requires a CA that both sides trust.
  Pre-shared key: both sides enter the same agreed key when setting up the policy.
Any of the three can be used. In day-to-day work, Windows 2000 computers in a domain use Kerberos; because public CAs were scarce locally, other cases generally use the third method, a key agreed by both sides, as in example 1 below. Note that the pre-shared key is the weakest option: it is stored in plaintext in the policy, so use it only where Kerberos or certificates are not available.
VI. IPSec algorithms:
  Integrity (authentication) algorithms:
    SHA1
    MD5
  Encryption algorithms:
    40-bit DES
    56-bit DES
    3DES: the strongest offered here, and correspondingly the most CPU-intensive.
Of these, MD5 and both DES variants are now considered broken or far too weak; with this tooling choose 3DES with SHA1. Further background on the concepts can be found elsewhere and is not covered here.
VII. Application:
That is a lot of concepts; now we move on to practice, and the two functions of IPSec are illustrated with two examples.
1. Protecting the content of IP packets: to secure the communication between two hosts, we use IPSec to set up a protected connection between them. A pre-shared key is used and IPSec is required for all communication. The example has two computers, the first with IP 192.168.0.1 and the second with IP 192.168.0.2; unless stated otherwise, the steps are performed on the first computer.
(1) Open the IPSec management console, right-click "Secure Server (Require Security)" and choose Properties. (The system has three built-in rules; you can study what each does. To show the process of adding a rule, we add our own.) Click "Add".
(2) The Security Rule Wizard opens; click "Next".
(3) We want to protect communication between two hosts, not between two networks, so select "This rule does not specify a tunnel", i.e. transport mode. Click "Next".
(4) On the network type page there are three options that should be self-explanatory; choose "All network connections" and click "Next".
(5) On the authentication method page (the three methods were described above), choose the third, "Use this string to protect the key exchange (preshared key)", and enter the key agreed with the other side, for example "Hello". Click "Next".
(6) On the "IP Filter List" page, because we want to protect all communication, select "All IP Traffic". You could also add a new filter list here; that is covered in example 2. Click "Next".
(7) On the "Filter Action" page, as required above, choose "Require Security". Filter actions can also be added here; again see example 2. Click "Next".
(8) The security rule is created; click "Finish".
(9) Back in the properties dialog, the new rule appears in the list. Make sure only the rule we created is checked and the other default rules are unchecked.
(10) Finally, and very importantly, the policy must be assigned or it will not take effect: right-click "Secure Server" and click "Assign".
(11) Now open a command window and use ping to check communication. The second computer is 192.168.0.2, so run "ping 192.168.0.2 -t"; the output keeps showing "Negotiating IP Security". Why? Because the policy is only set up on the first computer; the other end has no matching settings, so the negotiation cannot succeed. We therefore have to do the same configuration and assignment on the other computer.
(12) Once 192.168.0.2 is configured and assigned, the output changes: the negotiation succeeds and we receive replies from 192.168.0.2.
(13) If IP Security Monitor (ipsecmon) was opened beforehand, the corresponding security association is now listed in its window, and the lower right corner shows "IP Security is enabled on this computer."
The purpose of example 1 has now been achieved: IPSec protects the data between the two hosts. Any computer without a matching IPSec policy that pings either host now gets no reply, as shown in the figure below (my method: unassign the IPSec policy on 192.168.0.1 and ping again):
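Example 1 can also be built with the netsh ipsec static context used at the top of this page. The netsh part of the article only shows permit and block actions, so the PowerShell below, an added example and not code from the original article, shows the "require security with a pre-shared key" action expressed on the command line. It assumes the article's addresses (192.168.0.1 and 192.168.0.2) and demo key "Hello", and that the qmsecmethods and mmsecmethods strings match the netsh help of your Windows build; run it on both hosts, swapping the peer address on the second.

```powershell
# Added example (not from the original article): command-line equivalent of example 1.
# Requires IPsec for all traffic between this host and $Peer, authenticated by a
# pre-shared key. Run on BOTH hosts with the same key (swap $Peer on the second).
param(
    [string]$Peer = '192.168.0.2',   # assumed: the other host; use 192.168.0.1 when running on 192.168.0.2
    [string]$Psk  = 'Hello'          # the article's demo key; PSKs sit in plaintext in the policy, prefer Kerberos/certificates
)

function Invoke-IpsecStatic {
    # One netsh ipsec static call; stop on the first failure (netsh reports "ERR ..." on stdout).
    $out = & netsh.exe ipsec static @args
    if ($LASTEXITCODE -ne 0 -or ($out -match '^ERR')) { throw "netsh ipsec static $($args -join ' ') failed:`n$($out -join "`n")" }
    return $out
}

# Filter action "Require Security": negotiate IPsec, never fall back to cleartext
# (soft=no) and never accept unsecured inbound packets (inpass=no). Quick-mode
# proposal: ESP with 3DES confidentiality and SHA1 integrity, rekey at 100 MB or 1 hour.
# (The quotes around the ESP[...] value are for PowerShell's parser; netsh receives one token.)
Invoke-IpsecStatic add filteraction name="Require Security" action=negotiate soft=no inpass=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" | Out-Null

# Filter list covering all traffic between me and the peer; mirrored=yes matches both directions.
Invoke-IpsecStatic add filterlist name="Peer Traffic" | Out-Null
Invoke-IpsecStatic add filter filterlist="Peer Traffic" srcaddr=me dstaddr=$Peer protocol=any mirrored=yes | Out-Null

# Policy: main-mode (IKE phase 1) proposal 3DES/SHA1 with DH group 2; no default response rule.
Invoke-IpsecStatic add policy name="Secure Peer Link" mmsecmethods="3DES-SHA1-2" activatedefaultrule=no | Out-Null

# Rule binds list + action into the policy and selects PSK authentication instead of Kerberos.
Invoke-IpsecStatic add rule name="Require PSK" policy="Secure Peer Link" filterlist="Peer Traffic" filteraction="Require Security" kerberos=no psk=$Psk | Out-Null

# Assign. Until the peer has done the same, "ping $Peer -t" shows "Negotiating IP Security".
Invoke-IpsecStatic set policy name="Secure Peer Link" assign=y | Out-Null

# Check: the dynamic context shows live state. After both ends are assigned and a
# ping has succeeded, a main-mode SA and a quick-mode SA to $Peer should be listed
# (this is the command-line counterpart of watching ipsecmon).
& netsh.exe ipsec dynamic show mmsas all
& netsh.exe ipsec dynamic show qmsas all
```

Because soft=no and inpass=no are set, a host without the matching policy gets no reply at all, which is exactly the behaviour the figure after step (13) illustrates; relax them only if a fallback to cleartext is acceptable.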
2. Packet filtering: this feature is also very useful. Many users ask how to close a port or how to stop others from pinging their computer. A firewall is one answer, but it costs money and resources. The TCP/IP filtering in the advanced TCP/IP properties also works, but it can only open or close ports. IPSec can meet this need as well. You may ask what a firewall is for, then: as mentioned, IPSec is more awkward to configure than a dedicated firewall and not suited to ordinary users; current firewalls also bundle many other functions, and a hardware firewall consumes less of the host's resources.
The following example uses IPSec packet filtering to block ICMP, which is what "turning off ping replies" amounts to: ping uses ICMP echo request (type 8, code 0). ICMP itself is not described in detail here. The example again has two computers, the first with IP 192.168.0.1 and the second with IP 192.168.0.2; unless stated otherwise, the steps are performed on the second computer.
(1) Open the IPSec management console. None of the built-in policies and actions fits our filtering requirement, so we add our own. Right-click "IP Security Policies" and select "Manage IP filter lists and filter actions".
(2) Select the "Manage IP Filter Lists" tab and click "Add".
(3) Give the filter list a name, e.g. "ICMP", and optionally a description. Click "Add".
(4) The IP Filter Wizard opens; click "Next".
(5) For "Source address" choose "My IP Address", i.e. the local machine, 192.168.0.2. Click "Next".
(6) For "Destination address" choose "Any IP Address". If you have configured a firewall before, you will notice this step is just like writing a firewall rule. Click "Next".
(7) For "Protocol type" select "ICMP". Many protocol types are offered here, including TCP and UDP. Click "Next".
(8) The IP filter is complete; click "Finish". Note that because ICMP was chosen there is no port step; had TCP been chosen, a page for source and destination ports would follow.
(9) Next we add a filter action that matches our need, i.e. a blocking action. Switch to "Manage Filter Actions" and click "Add".
(10) The IP Security Filter Action Wizard opens; click "Next".
(11) Give the action a name, here "Deny", and optionally a description. Click "Next".
(12) For the action's behaviour choose "Block". Click "Next".
(13) The filter action is complete; click "Finish".
(14) Now create a new IP security policy that uses the filter list and action just created. Back at the first step, click "Create IP Security Policy". The IP Security Policy Wizard opens; click "Next".
(15) Give the policy a name, mine is "Block ICMP", and optionally a description. Click "Next".
(16) Leave "Activate the default response rule" selected and click "Next".
(17) Accept the default values and click "Next".
(18) Click "Finish".
(19) The policy now exists; in its properties click "Add".
(20) The Create IP Security Rule Wizard opens; click "Next".
(21) As in example 1, choose "This rule does not specify a tunnel". Click "Next".
(22) Select "All network connections" and click "Next".
(23) Accept the default authentication method and click "Next".
(24) Select the filter list we created, "ICMP", and click "Next".
(25) Select the filter action we created, "Deny", and click "Next".
(26) The whole setup is complete; click "Finish".
(27) Finally, a reminder: the new policy must be assigned.
(28) The figure below shows the result before and after assigning: once 192.168.0.2 has this policy assigned, 192.168.0.1 no longer receives ICMP replies from it.
Packet filtering thus took three parts: creating an IP filter list, creating an IP filter action, and creating an IP security policy. Not every rule needs all this work: filter lists and actions are reusable, so the next time a port has to be blocked, the same "Deny" action can be used directly.
VIII. Closing remarks
As the above shows, IPSec can do a great deal. If we know the service ports of the other side, e.g. Terminal Services or FTP, we can use IPSec to protect that communication. You may want to do this as soon as possible; who knows who is listening to your traffic right now?
If you run into problems, try the following: check that the IPSec policy is configured at both ends, check that the policy is assigned at both ends, check the related entries in the System and Security event logs, and use the monitor (ipsecmon from the command line). Finally, I wish everyone good use of this excellent Windows 2000 feature!
------------------------------------------
Kuka: IPSec is a very useful thing. Many friends who run hosted servers often worry about security; in fact, just using IPSEC, NTFS permissions and so on can completely solve most security problems.

In actual use we export the rules (an .ipsec file) and then import them on the target:
The code is as follows:

:: Import the shared network dedicated IP security policy
netsh ipsec static importpolicy file=thecsafe.ipsec
netsh ipsec static set policy name="Regular network-specific security policy" assign=y
