
POTF_VERSION
USAGE:
ipseccmd \\machinename -f FilterList -n NegotiationMethodList -t TunnelAddr
         -a AuthMethodList -1s SecurityMethodList -1k MMRekeyTime
         -1e SoftSAExpirationTime -soft -confirm [-dialup OR -lan]
         {-w Location -p PolicyName:PollInterval -r RuleName [-x OR -y] -o}
     Creates or modifies IPSec policy.

ipseccmd \\machinename show gpo filters policies auth stats sas all
     Displays current IPSec configuration.

ipseccmd \\machinename set [logike OR dontlogike]
     Turns on/off IKE logging.

ipseccmd \\machinename [import OR export] Location FileName
     Imports or exports a static policy file.

ipseccmd -file FileName
     Executes a file containing regular static or dynamic ipseccmd commands.


Ipseccmd has multiple mutually exclusive modes: dynamic, static, show, set
import, and export. The default mode is dynamic. 

Dynamic mode will set policy directly into the IPSec Services
Security Policies Database (SPD). The policy will not be persisted, and will
only exist during the current instance of the service.
Dynamic policy will be lost after a system or service restart.
The benefit of dynamic policy is that it can co-exist with DS based policy.
To delete all dynamic policies, execute "ipseccmd -u"

Static mode will create or modify stored policy in either the
Local or Persistent registry locations. Such policy will continue to be used
after a system or service restart, however policies stored in the Local store
will be overwritten by assigned DS policy while policies stored in the
Persistent store will be merged with assigned DS policy.
The syntax for creating policy in Static mode is almost identical to that of
Dynamic mode. The significant difference is the requirement of additional
information as indicated by the options listed in braces as well as a
change in syntax for creating Permit and Block filters.

Show mode will query SPD and display information about currently active policy.

Set mode will change IPSec configuration parameters for the lifetime of the
current instance of the service.

Import and export mode will import or export a .ipsec policy file to/from the
local or persistent storage location.


--------------
 DYNAMIC MODE 
--------------
Each execution of ipseccmd sets an IPSec rule, an IKE policy, or both.

OPTIONS:

  \\machinename sets policies on a remote computer.  If not included,
  the local machine is assumed.
  NOTE: If you use this option, it must be the first argument AND
  you MUST have administrative privileges on the remote computer.

  The following parameters are used to create an IPSec policy.
  If omitted, a default value is used when applicable.

  -f FilterList 
      A list of one or more space separated filter specifications
      in the following format:
       A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
      Optionally, you can specify the keyword DEFAULT to set the
      Default Response rule

      The Source address is always on the left of the '=',
      and the Destination address is always on the right.

      Mask: Optional subnet mask. If omitted, 255.255.255.255 will be used.
      If subnets lie along octet boundaries, then you can use the following
      wildcard notation:
       144.92.*.* is the same as 144.92.0.0/255.255.0.0
       128.*.*.* is same as 128.0.0.0/255.0.0.0
       128.*.* is the same as above
       128.* is the same as above

      You can replace A.B.C.D/mask with the following for special meaning:
       0 means My address(es)
       * means Any address
       a DNS name (NOTE: only the first name resolution will be set)
       DNS, WINS, DHCP, or GATEWAY can be specified. SPD will dynamically
      replace such settings with the associated addresses set on the computer.

      Port and Protocol are optional. If omitted, the values are set to ANY
      If you indicate a protocol, a port value or '::' must precede it.
      You can use also use these protocol symbols: ICMP TCP UDP RAW
      Examples:
       M1+M2::6 will filter TCP traffic between addresses M1 and M2 on any port
       172.31.0.0/255.255.0.0:80+157.0.0.0/255.0.0.0:80:TCP will filter
      all TCP traffic from the first subnet and the second subnet on port 80.

      MIRRORING: If you replace the '=' with a '+',
      two filters will be created, one in each direction.

      PASS and BLOCK filters: By surrounding a filter specification with (),
      the filter will be a Pass (or Permit) filter. If you surround the
      specification with [], it will be a Block filter.
      Example: (0+128.2.1.1) will create 2 filters that will be exempted
      from policy.
      NOTE: This syntax is available only in Dynamic mode. Static mode
      requires setting options in the negotiation method.

      DEFAULT: There is no default, -f is required for all Dynamic commands.

  -n NegotiationMethodList 
      A list of one or more space separated negotiation methods in the
      following format:

      ESP[ConfAlg,AuthAlg]RekeyPFS<Group>
      AH[HashAlg]RekeyPFS<Group>
      AH[HashAlg]+ESP[ConfAlg,AuthAlg]RekeyPFS<Group>

      where ConfAlg can be NONE, DES, or 3DES
      and AuthAlg can be NONE, MD5, or SHA
      and HashAlg is MD5 or SHA

      NOTE: ESP[NONE,NONE] is not a supported configuration.
      DEFAULT: ESP[3DES,SHA] ESP[3DES,MD5] ESP[DES,SHA] ESP[DES,MD5]

      Rekey: Optional setting to specify the number of KBytes and/or seconds
      after which IKE should rekey a Quick Mode security association.
      Add a value and 'k' or 's' after the negotiation method to indicate
      KBytes or seconds. To use both, separate them with a slash.
      Example: ESP[DES,SHA]5120k/3600s will rekey after 5MB or 1 hour
      DEFAULT: 100000k/3600s

      PFS: Optional setting to enable Quick Mode perfect forward secrecy.
      Add 'PFS' with an optional group value after the negotiation method:
       1, 2, or 3, corresponding to the following Diffie-Hellman groups:
       DH1-  (Low,   768 bit)
       DH2-  (Med,  1024 bit)
       DH14- (High, 2048 bit)
      If no group number is specified, the Main Mode group will be used.
      Example: ESP[DES,SHA]P2 will set perfect forward secrecy to use DH2
      DEFAULT: PFS is not enabled by default.

  -t TunnelAddr
  	A tunnel mode endpoint in one of the following formats:
      A.B.C.D
      DNS name

      NOTE: If you need to set up a tunnel policy, you will need to execute
      ipseccmd twice-- once for the outbound filters and outgoing tunnel
      endpoint, and once for the inbound filters and incoming tunnel endpoint.
      DEFAULT: Omission of tunnel address assumes transport mode.

  -a AuthMethodList 
      A list of space separated authentication methods in the following format:
       KERBEROS
       CERT:"<CA info>", e.g. CERT:"CN=CA1,OU=O,O=MEME,C=DE,E=ME@here"
       PRESHARE:"<preshared key>"

      The strings provided as the preshared key or CA info are case sensitive
      and can not include quotation marks.
      You can abbreviate a method with its first letter, i.e. P, K, or C.

      DEFAULT: KERBEROS

  -soft
      Optional parameter to allow 'soft' security associations.
      DEFAULT: Option is not set.

  -confirm
      Optional parameter to ask for confirmation before setting policy.
      NOTE: Option can only be used in Dynamic mode.
      DEFAULT: Option is not set.

  -lan
      Optional parameter to set policy only on addresses of LAN adapters.
  -dialup
      Optional parameter to set policy only on addresses of dial-up adapters.
      DEFAULT: If neither parameter is specified, all local adapters are used.

  The following deal with Main Mode (phase 1) policy.
  If no IKE options are specified, the current IKE policy will be used.
  If there is no current IKE policy, the defaults will be set.

  -1s SecurityMethodList
      A list of one or more space separated security methods in the
      following format:
      ConfAlg-HashAlg-GroupNum
      where ConfAlg can be DES or 3DES
      and HashAlg can be MD5 or SHA
      and GroupNum can be 1, 2, or 3, corresponding to the following DH groups:
       DH1-  (Low,   768 bit)
       DH2-  (Med,  1024 bit)
       DH14- (High, 2048 bit)
      Example: DES-SHA-1
      DEFAULT: 3DES-SHA-2 3DES-MD5-2 DES-SHA-1 DES-MD5-1

  -1k MMRekeyTime
      The number of Quick Modes and/or seconds after which IKE should rekey a
      Main Mode security association. Add a value with 'Q' or 'S' to indicate
      a limit on Quick Modes or seconds.
      To use both, separate them with a slash.
      Example: 10Q/3600S will rekey after 10 quick modes or every hour.
      DEFAULT: No Quick Mode limit, 480 min lifetime.

  -1e SoftSAExpirationTime
      The time in seconds to maintain a 'soft' security association.
      DEFAULT: Value is not set if -Soft is not specified.
               Value is set to the Main Mode lifetime if -Soft is specified.


-------------
 STATIC MODE 
-------------
Static mode uses most of the dynamic mode syntax, but adds a few options
that enable policy storage in the same format as the IPSec Management snap-in.
While Dynamic mode only lets you add anonymous rules to SPD, Static mode
allows you to create named policies and named rules.  It also has some
functionality to modify existing policies and rules, provided they were
originally created with ipseccmd. Policies can be set as either Assigned or
Unassigned. Only Assigned policies will be added to SPD.

In addition to the new parameters listed in braces, a change in syntax must be
made to signify filters as Pass (or permit) and Block. In Static mode, these
options are set in the NegotiationMethodList specified by -n.  There are three
values you can pass in the NegotiationMethodList that have special meaning:

BLOCK will ignore any methods in the NegotiationMethodsList and
      will make all of the filters in the FilterList Block filters.

PASS  will ignore any methods in NegotiationMethodList and 
      will make all of the filters in the FilterList Pass filters.

INPASS will set any inbound filters in the FilterList as Pass filters while
       setting outbound filters to use the security methods provided.
       This is the same as checking the "Allow unsecured communication,
       but always respond using IPSEC" check box in the snap-in.


Static Mode Parameters:
All parameters are REQUIRED unless otherwise indicated.

 -w Location.
   Location to write policy changes. The value can be either REG for Local,
   or PERS for Persistent storage. If \\machinename was specified,
   the policy will be written to the remote computer's registry.
   NOTE: Persistent policy will not be used by SPD until after the next system
   or PolicyAgent service restart.

 -p PolicyName:PollInterval
   Name of the policy to modify. If a policy with this name is
   already in storage, the rule will be added to the policy; otherwise a new
   policy with this name will be created.

   POLLINTERVAL: Optional setting, in minutes, to specify when IPSec should
   query for policy updates; e.g. changes in assigned DNS servers.
   If not specified, a default polling interval of 480 minutes will be used.

 -r RuleName
   Name of the rule to modify. If a rule with that name already exists
   in the policy, it is modified to reflect the new information supplied.
   For example, if only -f is specified and the rule exists, only the filters
   of that rule will be replaced.
   If the rule does not exist, a new rule will be created with this name.

 -x Optional parameter to Assign the given policy. Requires the -p option.
 -y Optional parameter to Unassign the currently Assigned policy.

 -o Optional parameter to delete the policy and all associated rules.
   NOTE: this will delete all aspects of the specified policy. Do not use this
   option if you have other policies referencing the same objects.


-----------
 SHOW MODE 
-----------
Ipseccmd displays requested data from the IPSec Security Policies Database
Multiple parameters can be used in a single command.
Parameters:
 gpo        - shows static policy assignment information
 filters    - shows main mode and quick mode filters
 policies   - shows main mode and quick mode policies
 auth       - shows main mode authentication methods
 stats      - shows Internet Key Exchange(IKE) and IPSec statistics
 sas        - shows main mode and quick mode Security Associations
 all        - shows all of the above

Example: ipseccmd show filters policies


----------
 SET MODE 
----------
Ipseccmd sets configuration parameters for IPSec.
Parameters:
 logike     - turns on IKE logging
 dontlogike - turns off IKE logging

Example: ipseccmd set logike


--------------------
 Import/Export MODE 
--------------------
Ipseccmd imports or exports a .ipsec file.
Parameters:
 Location:
   Location to write/read policy data. The value can be either REG for Local,
   or PERS for Persistent storage. If \\machinename was specified,
   the policy will be written to/from the remote computer's registry.
      DEFAULT: REG.
      NOTE: Persistent policy will not be used by SPD until after the next
      system or PolicyAgent service restart.

 Filename:
   Name of file to import/export from/to. If an export file name does not
   specify the .ipsec file extension, this extension will be appended.

Example: ipseccmd export PERS persistent.ipsec

The command completed successfully.
