IPSECCMD DYNAMIC/STATIC MODE

You can use dynamic mode to add anonymous rules to the existing IPSec policy by adding them to the IPSec security policies database. The rules added will be present even after the IPSEC Services service is restarted. The benefit of using dynamic mode is that the rules you add coexist with domain-based IPSec policy. Dynamic mode is the default mode.

You can use static mode to create named policies and named rules. You can also use static mode to modify existing policies and rules, provided they were originally created with Ipseccmd. The syntax for static mode combines the syntax for dynamic mode with parameters that enable it to work at a policy level.

IPSECCMD /?

IPSECCMD [\\computer_name] -f filterlist [-n negotiation_policy_list] [-t tunnel_address] [-a authorized_method_list] [-1s security_method_list] [-1k mainmode_rekey_settings] [-1p] [-1f mm_filterlist] [-1e softsa_expiration_time] [-soft] [-confirm] [-dialup | -lan] -w type[:location] -p policy[:interval] -r rule [-x | -y] [-o]

Delete all dynamic policies:

IPSECCMD -u

\\computer_name (NTXP)

Specifies the computer name of a remote computer to which you want to add a rule. The default is the local computer.

/? (NTXP)

Displays help.

-1e softsa_expiration_time (NTXP)

Specifies the expiration time for soft SAs in seconds.

-1f mm_filterlist (NTXP)

Specifies one or more filter specifications for main mode SAs, separated by spaces.

-1k mainmode_rekey_settings (NTXP)

Specifies main mode SA rekey settings.

-1p (NTXP)

Enables master key perfect forward secrecy.

-1s security_method_list (NTXP)

Specifies one or more key exchange security methods, separated by spaces.

-a authorized_method_list (NTXP)

Specifies one or more authentication methods, separated by spaces.

-confirm (NTXP)

Specifies that a confirmation prompt appears before the rule or policy is added.

-dialup (NTXP)

-lan (NTXP)

Specifies whether the rule applies only to remote access or dial-up connections or whether the rule applies only to local area network (LAN) connections.

-f filterlist (NTXP)

Specifies one or more filter specifications, separated by spaces, for quick mode security associations (SAs). Each filter specification defines a set of network traffic affected by this rule.

-n negotiation_policy_list (NTXP)

Specifies one or more security methods, separated by spaces, for securing traffic defined by the filter list.

-o (NTXP)

Static Specifies that the rule or policy should be deleted.

-p policy[:interval] (NTXP)

Static Specifies the name of the policy and how often, in minutes, the policy is checked for changes. If policy contains any spaces, use quotation marks around the text (ie. "po licy").

-r rule (NTXP)

Static Specifies the name of the rule. If rule contains any spaces, use quotation marks around the text (ie. "ru le").

-soft (NTXP)

Enables soft SAs.

-t tunnel_address (NTXP)

Specifies the tunnel endpoint for tunnel mode as either an IP address or a DNS domain name.

-u (NTXP)

Specifies that all dynamic rules are deleted.

-w type[:location] (NTXP)

Static Specifies that the policies and rules are written to the local registry, to the registry of a remote computer, or to an Active Directory domain.

-x (NTXP)

-y (NTXP)

Static Specifies whether the local registry policy is assigned. -x specifies that the local registry policy is assigned. -y specifies that the local registry policy is unassigned.

IPSECCMD QUERY MODE

Cannot be used to configure rules on computers running Windows 2000.

none.

none.

External

DOS

none

Windows

none

Windows NT

NTXP