Ipseccmd

Configures Internet Protocol security (IPSec) policy in the directory, or in a local or remote registry. Ipseccmd is a command-line alternative to the IP Security Policies Microsoft Management Console (MMC) snap-in. Ipseccmd has three modes: dynamic mode, static mode, and query mode.

The syntax of each mode is described in its own section below.

ipseccmd dynamic mode

Ipseccmd dynamic mode adds rules to the IPSec policy currently in effect: the rules are written into the IPSec security database rather than into a stored policy, and they take effect immediately, alongside the rules that the assigned policy has already applied. The advantage of dynamic mode is that the rules you add coexist with the rules in policy. Dynamic mode is the default mode of Ipseccmd. Because dynamic rules belong to no stored policy, they are removed with ipseccmd -u (see the second syntax below), not by editing a policy.


Syntax

To add a rule, use the following syntax:

ipseccmd [\\ComputerName] -f FilterList [-n NegotiationPolicyList] [-t TunnelAddr] [-a AuthMethodList] [-1s SecurityMethodList] [-1k MainModeRekeySettings] [-1p] [-1f MMFilterList] [-1e SoftSAExpirationTime] [-soft] [-confirm] [{-dialup | -lan}]

To delete all dynamic policies, use the following syntax:

ipseccmd -u







Parameters

	\\ComputerName

	Specifies, by name, the remote computer to which the rule is added.

	-f FilterList

	Required for the first syntax. Specifies one or more filter specifications, separated by spaces, for quick mode security associations (SAs). Each filter specification defines the set of network traffic that the rule affects.

	-n NegotiationPolicyList

	Specifies one or more security methods, separated by spaces, for securing the traffic defined by the filter list.

	-t TunnelAddr

	Specifies the tunnel endpoint for tunnel mode, as an IP address or a DNS name.

	-a AuthMethodList

	Specifies one or more authentication methods, separated by spaces.

	-1s SecurityMethodList

	Specifies one or more key exchange security methods, separated by spaces.

	-1k MainModeRekeySettings

	Specifies the rekey settings for main mode SAs.

	-1p

	Enables master key perfect forward secrecy.

	-1f MMFilterList

	Specifies one or more filter specifications for main mode SAs, separated by spaces.

	-1e SoftSAExpirationTime

	Specifies the expiration time, in seconds, for soft SAs.

	-soft

	Enables soft SAs.

	-confirm

	Specifies that a confirmation prompt is displayed before the rule is added.

	{-dialup | -lan}

	Specifies whether the rule applies only to remote access or dial-up connections, or only to local area network (LAN) connections.

	-u

	Required for the second syntax. Deletes all dynamic policies.

	/?

	Displays help at the command prompt.



Remarks

Ipseccmd is a tool for Windows 2000.

	If ComputerName is not specified, the rule is added to the local computer.

	If ComputerName is used, the remote computer must be reachable before the command is run, and you must have administrator rights on the computer to which the rule is being added.

	For -f, each filter specification has the following format; several specifications are separated by spaces:

SourceAddress/SourceMask:SourcePort=DestAddress/DestMask:DestPort:Protocol

SourceMask, SourcePort, DestMask and DestPort are optional. If they are omitted, the filter uses the mask 255.255.255.255 and all ports.

Protocol is optional. If it is omitted, the filter applies to all protocols. If you specify a protocol, you must either specify a port or put a double colon (::) before the protocol; see the first filter example below. Protocol can be a protocol number or one of ICMP, UDP, RAW or TCP.

A mirrored filter is created by using a plus sign (+) in place of the equal sign (=).

SourceAddress/SourceMask and DestAddress/DestMask can be replaced by the values in the following table:

Value	Description
0	My address(es)
*	Any address
DNSName	A DNS name; it is resolved to the corresponding address(es)
GUID	The globally unique identifier (GUID) of a local interface, in the form {12345678-1234-1234-1234-123456789ABC}. A GUID cannot be specified together with -n in static mode.

By default a filter specification negotiates security for the traffic it matches. To make it a pass-through filter instead, enclose it in parentheses ( ); to make it a blocking filter, enclose it in square brackets [ ].

When the mask falls on an octet boundary, you can write it with the wildcard (*) instead of a dotted mask: 10.*.*.* is the same as 10.0.0.0/255.0.0.0, and 10.92.*.* is the same as 10.92.0.0/255.255.0.0.

Filter examples

To create a mirrored filter for TCP traffic between Computer1 and Computer2, type:

Computer1+Computer2::TCP

To create a filter for TCP traffic from the range 172.31.0.0/255.255.0.0 to the range 10.0.0.0/255.0.0.0 on port 80, type:

172.31.0.0/255.255.0.0:80=10.0.0.0/255.0.0.0:80:TCP

To create a mirrored pass-through filter between my IP address and the IP address 10.2.1.1, type:

(0+10.2.1.1)
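The filter-specification grammar is terse enough to get wrong on the command line; in particular, a protocol given without a port and without the double colon is read as a port. The parser below is an example added to this page, not code from the ipseccmd tool or its reference. It validates a -f filter specification (one-way or mirrored, pass-through, block or negotiate, the 0 / * / DNS name / GUID address forms, dotted masks and octet wildcards such as 10.*.*.*) and renders it back with the mask made explicit. The protocol numbers are assumptions: the IANA values for ICMP, TCP and UDP, and 255 for RAW, which the reference does not state. The parser does not know which mode the specification will be used in, so it cannot enforce the rule that a GUID is not valid with -n in static mode.

```python
"""Parse and normalize ipseccmd -f filter specifications (added example)."""
import ipaddress
import re
from dataclasses import dataclass, replace

# Protocol names listed on the page. The numbers are assumptions: IANA values
# for ICMP/TCP/UDP, and 255 for RAW (the reference gives no number).
PROTOCOL_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17, "RAW": 255}
PROTOCOL_NAMES = {num: name for name, num in PROTOCOL_NUMBERS.items()}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
DOTTED_RE = re.compile(r"^(?:\d{1,3}|\*)(?:\.(?:\d{1,3}|\*)){3}$")


@dataclass(frozen=True)
class Endpoint:
    kind: str        # "me" (0), "any" (*), "dns", "guid" or "ip"
    value: str       # address text, DNS name or GUID
    mask: str = ""   # dotted mask, only for kind == "ip"
    port: int = 0    # 0 means all ports


@dataclass(frozen=True)
class FilterSpec:
    action: str      # "negotiate" (default), "pass" for ( ), "block" for [ ]
    mirrored: bool   # True when '+' was used instead of '='
    source: Endpoint
    dest: Endpoint
    protocol: int    # 0 means all protocols


def _parse_address(text: str) -> Endpoint:
    """Parse Address[/Mask]; a missing mask means 255.255.255.255."""
    if text == "0":
        return Endpoint("me", "0")
    if text == "*":
        return Endpoint("any", "*")
    if GUID_RE.match(text):
        return Endpoint("guid", text)
    addr, _, mask = text.partition("/")
    if not DOTTED_RE.match(addr):
        if mask:
            raise ValueError(f"a mask is only valid with an IP address: {text!r}")
        return Endpoint("dns", text)
    octets = addr.split(".")
    if "*" in octets:
        # 10.*.*.* == 10.0.0.0/255.0.0.0: the wildcard octets must be trailing.
        first = octets.index("*")
        if mask or any(o != "*" for o in octets[first:]):
            raise ValueError(f"bad wildcard address {text!r}")
        addr = ".".join(octets[:first] + ["0"] * (4 - first))
        mask = ".".join(["255"] * first + ["0"] * (4 - first))
    mask = mask or "255.255.255.255"
    ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)  # rejects bad octets or masks
    return Endpoint("ip", addr, mask)


def _parse_port(text: str) -> int:
    if text == "":
        return 0
    if not text.isdigit() or int(text) > 65535:
        # Catches Host1+Host2:TCP, where TCP lands in the port field.
        raise ValueError(f"invalid port {text!r}; use '::' to give a protocol without a port")
    return int(text)


def _parse_protocol(text: str) -> int:
    if text == "":
        return 0
    if text.upper() in PROTOCOL_NUMBERS:
        return PROTOCOL_NUMBERS[text.upper()]
    if text.isdigit() and int(text) <= 255:
        return int(text)
    raise ValueError(f"unknown protocol {text!r}")


def parse_filter_spec(spec: str) -> FilterSpec:
    spec, action = spec.strip(), "negotiate"
    if spec[:1] == "(" and spec[-1:] == ")":
        spec, action = spec[1:-1], "pass"
    elif spec[:1] == "[" and spec[-1:] == "]":
        spec, action = spec[1:-1], "block"
    m = re.match(r"^([^=+]+)([=+])([^=+]+)$", spec)
    if not m:
        raise ValueError(f"expected Source=Dest or Source+Dest, got {spec!r}")
    src_parts, dst_parts = m.group(1).split(":"), m.group(3).split(":")
    if len(src_parts) > 2 or len(dst_parts) > 3:
        raise ValueError(f"too many ':' fields in {spec!r}")
    src_parts += [""] * (2 - len(src_parts))   # [address, port]
    dst_parts += [""] * (3 - len(dst_parts))   # [address, port, protocol]
    source = replace(_parse_address(src_parts[0]), port=_parse_port(src_parts[1]))
    dest = replace(_parse_address(dst_parts[0]), port=_parse_port(dst_parts[1]))
    return FilterSpec(action, m.group(2) == "+", source, dest, _parse_protocol(dst_parts[2]))


def format_filter_spec(fs: FilterSpec) -> str:
    """Render a parsed spec back in ipseccmd syntax with the mask made explicit."""
    def addr(e: Endpoint) -> str:
        return f"{e.value}/{e.mask}" if e.kind == "ip" else e.value
    src = addr(fs.source) + (f":{fs.source.port}" if fs.source.port else "")
    dst = addr(fs.dest)
    if fs.protocol:
        dst += f":{fs.dest.port or ''}:{PROTOCOL_NAMES.get(fs.protocol, fs.protocol)}"
    elif fs.dest.port:
        dst += f":{fs.dest.port}"
    body = f"{src}{'+' if fs.mirrored else '='}{dst}"
    return {"pass": f"({body})", "block": f"[{body}]"}.get(fs.action, body)


def is_valid_filter_spec(spec: str) -> bool:
    try:
        parse_filter_spec(spec)
        return True
    except ValueError:
        return False
```

Running the three filter examples above through parse_filter_spec and format_filter_spec gives them back unchanged except that 10.2.1.1 gains its implied /255.255.255.255 mask, while Computer1+Computer2:TCP (protocol with neither a port nor ::) is rejected.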


	For -n, one or more negotiation policies, separated by spaces, are given in one of the following formats:

esp[EncrypAlg,AuthAlg]RekeyPFS[Group]

ah[HashAlg]

ah[HashAlg]+esp[EncrypAlg,AuthAlg]

where EncrypAlg is none, des or 3des; AuthAlg is none, md5 or sha; and HashAlg is md5 or sha.

esp[none,none] is not supported.

sha specifies the SHA1 hash algorithm.

Rekey is optional and sets how often the quick mode SA is rekeyed, in kilobytes (followed by K) or seconds (followed by S); these values make the SA rekey before it expires. To specify both, separate them with a slash (/). For example, to rekey the quick mode SA every hour or every 5000 kilobytes, type:

3600S/5000K

PFS is optional and enables session key perfect forward secrecy. By default, session key perfect forward secrecy is disabled.

Group is optional and specifies the Diffie-Hellman group used for session key perfect forward secrecy. For the Low(1) Diffie-Hellman group, specify PFS1 or P1; for the Medium(2) Diffie-Hellman group, specify PFS2 or P2. By default, the Diffie-Hellman group for session key perfect forward secrecy is taken from the current main mode setting.

If no negotiation policy is specified, the default negotiation policies are:

esp[3des,sha]

esp[3des,md5]

esp[des,sha]

esp[des,md5]
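The -n negotiation policy format above, and the -1s key exchange format (EncrypAlg-HashAlg-GroupNum) described further down, as a parser added here for illustration; it is not code from ipseccmd or its reference. It accepts the three -n forms with the optional Rekey and PFS suffixes, rejects esp[none,none] as the reference requires, and flags DES and MD5, which are long obsolete: that last check is an editor's addition, and note that the reference's own default policies still include them. One assumption: the Rekey and PFS suffixes are accepted after any of the three forms, although the reference shows them only after the esp[...] form.

```python
"""Parse ipseccmd -n negotiation policies and -1s key exchange methods (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

AH_RE = re.compile(r"ah\[(md5|sha)\]", re.IGNORECASE)
ESP_RE = re.compile(r"esp\[(none|des|3des),(none|md5|sha)\]", re.IGNORECASE)
REKEY_RE = re.compile(r"(\d+)([KS])(?:/(\d+)([KS]))?", re.IGNORECASE)   # e.g. 3600S/5000K
PFS_RE = re.compile(r"(?:PFS|P)([12])?$", re.IGNORECASE)                # PFS, PFS1, P1, PFS2, P2
KEY_EXCHANGE_RE = re.compile(r"^(des|3des)-(md5|sha)-([12])$", re.IGNORECASE)

# Defaults stated by the reference for when -n / -1s are omitted.
DEFAULT_NEGOTIATION_POLICIES = ["esp[3des,sha]", "esp[3des,md5]", "esp[des,sha]", "esp[des,md5]"]
DEFAULT_KEY_EXCHANGE_METHODS = ["3des-sha-2", "3des-md5-2", "des-sha-1", "des-md5-1"]


@dataclass(frozen=True)
class NegotiationPolicy:
    ah_hash: Optional[str]          # md5 / sha, None when AH is not used
    esp_encrypt: Optional[str]      # none / des / 3des, None when ESP is not used
    esp_auth: Optional[str]         # none / md5 / sha, None when ESP is not used
    rekey_kilobytes: Optional[int]  # the K value, None when not set
    rekey_seconds: Optional[int]    # the S value, None when not set
    pfs: bool                       # session key PFS requested
    pfs_group: Optional[int]        # 1 or 2; None means inherit the main mode group


def parse_negotiation_policy(text: str) -> NegotiationPolicy:
    rest = text.strip()
    ah = enc = auth = None
    m = AH_RE.match(rest)
    if m:
        ah = m.group(1).lower()
        rest = rest[m.end():]
        m = None
        if rest.startswith("+"):            # ah[HashAlg]+esp[EncrypAlg,AuthAlg]
            rest = rest[1:]
            m = ESP_RE.match(rest)
            if not m:
                raise ValueError(f"expected esp[...] after '+' in {text!r}")
    else:
        m = ESP_RE.match(rest)
    if m:
        enc, auth = m.group(1).lower(), m.group(2).lower()
        rest = rest[m.end():]
        if enc == "none" and auth == "none":
            raise ValueError("esp[none,none] is not supported")
    if ah is None and enc is None:
        raise ValueError(f"no ah[...] or esp[...] in {text!r}")
    kilobytes = seconds = None
    m = REKEY_RE.match(rest)
    if m:
        for value, unit in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
            if value is None:
                continue
            if unit.upper() == "K":
                if kilobytes is not None:
                    raise ValueError(f"kilobyte rekey given twice in {text!r}")
                kilobytes = int(value)
            else:
                if seconds is not None:
                    raise ValueError(f"seconds rekey given twice in {text!r}")
                seconds = int(value)
        rest = rest[m.end():]
    pfs, group = False, None
    if rest:
        m = PFS_RE.match(rest)
        if not m:
            raise ValueError(f"unexpected trailing text {rest!r} in {text!r}")
        pfs, group = True, (int(m.group(1)) if m.group(1) else None)
    return NegotiationPolicy(ah, enc, auth, kilobytes, seconds, pfs, group)


def is_valid_negotiation_policy(text: str) -> bool:
    try:
        parse_negotiation_policy(text)
        return True
    except ValueError:
        return False


def weak_algorithms(policy: NegotiationPolicy) -> list:
    """Editor's check, not from the reference: DES and MD5 are obsolete today."""
    weak = []
    for alg in (policy.esp_encrypt, policy.esp_auth, policy.ah_hash):
        if alg in ("des", "md5") and alg not in weak:
            weak.append(alg)
    return weak


def parse_key_exchange_method(text: str) -> tuple:
    """Parse the -1s form EncrypAlg-HashAlg-GroupNum into (encrypt, hash, dh_group)."""
    m = KEY_EXCHANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad key exchange method {text!r}")
    return (m.group(1).lower(), m.group(2).lower(), int(m.group(3)))
```

Applied to the four default policies, weak_algorithms flags three of them, which is the practical reason to pass an explicit -n (and -1s) rather than relying on the defaults.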






	-t enables IPSec tunnel mode.

	For -a, one or more authentication methods, separated by spaces, are given in one of the following formats:

preshare:"PresharedKeyString"

kerberos

cert:"CAInfo"

PresharedKeyString is the preshared key string. CAInfo is the certificate information as displayed by the IP Security Policies snap-in when the certificate is selected as an authentication method. PresharedKeyString and CAInfo are case-sensitive. The methods can be abbreviated to p, k and c. The default authentication method for -a is Kerberos.

	For -1s, one or more key exchange security methods, separated by spaces, are given in the format:

EncrypAlg-HashAlg-GroupNum

where EncrypAlg is des or 3des, HashAlg is md5 or sha, and GroupNum is 1 (the Low(1) Diffie-Hellman group) or 2 (the Medium(2) Diffie-Hellman group). The default key exchange security methods for -1s are 3des-sha-2, 3des-md5-2, des-sha-1 and des-md5-1.

	-1k specifies how often main mode SAs are rekeyed, in quick modes (followed by Q) or seconds (followed by S). To specify both, separate them with a slash (/). For example, to rekey main mode every 10 quick mode SAs or every hour, type:

10Q/3600S

The default main mode rekey for -1k is an unlimited number of quick mode SAs and 480 minutes.

	Master key perfect forward secrecy is disabled by default.

	-1f specifies main mode filters. Its syntax is the same as that of -f, except that pass-through filters, blocking filters, ports and protocols cannot be specified. By default, the -1f main mode filters are derived automatically from the quick mode filters.

	The default soft SA expiration time for -1e is 300 seconds. Soft SAs nevertheless stay disabled unless -soft is used.

	-confirm can be used only in dynamic mode.

	If neither -dialup nor -lan is specified, the rule applies to all adapters.
	







Examples

To create a rule on the local computer that uses the Authentication Header (AH) with the MD5 hash, type:

ipseccmd -f 0+* -n ah[md5]

To create a rule for traffic between 10.2.1.1 and 10.2.1.13 with the tunnel endpoint 10.2.1.13, using AH tunnel mode with the SHA1 hash algorithm and master key perfect forward secrecy, and prompting for confirmation before the rule is added (-c abbreviates -confirm), type:

ipseccmd -f 10.2.1.1=10.2.1.13 -t 10.2.1.13 -n ah[sha] -1p -c

To create a rule on the computer named corpsrv1 for traffic between corpsrv1 and corpsrv2, using both AH and the Encapsulating Security Payload (ESP) with preshared key authentication, type:

ipseccmd \\corpsrv1 -f corpsrv2+corpsrv1 -n ah[md5]+esp[des,sha] -a p:"corpauth"


ipseccmd static mode

Use Ipseccmd static mode to create policies and rules, or to modify policies and rules that already exist. The static mode syntax is the dynamic mode syntax described above plus parameters that act at the policy and rule level.


Syntax

ipseccmd DynamicModeParameters -w Type[:Location] -p PolicyName[:PollInterval] -r RuleName [{-x | -y}] [-o]






Parameters

	DynamicModeParameters

	Required. Specifies a set of dynamic mode parameters for the IPSec rule.

	-w Type[:Location]

	Required. Specifies that the policy and rule are written to the local registry, to the registry of a remote computer, or to the directory.

	-p PolicyName[:PollInterval]

	Required. Specifies the policy name and how often, in minutes, the policy is checked for changes. If PolicyName contains spaces, enclose it in quotation marks, for example "PolicyName".

	-r RuleName

	Required. Specifies the rule name. If RuleName contains spaces, enclose it in quotation marks, for example "RuleName".

	{-x | -y}

	Specifies whether the local registry policy is assigned. -x assigns the local registry policy; -y unassigns it.

	-o

	Specifies that the policy is to be deleted.

	/?

	Displays help at the command prompt.



Remarks

	For -w, Type is either reg, for the local or a remote registry, or ds, for the directory.

If Type is reg and Location is not used, the policy is created in the registry of the local computer.
If Type is reg and Location is the name of a remote computer, the policy is created in the registry of that computer.
If Type is ds and Location is not used, the policy is created in the Active Directory domain of which the local computer is a member.
If Type is ds and Location is a domain name, the policy is created in that domain.

	For -p, if a policy with the given name already exists, the specified rule is added to it; otherwise, a policy with that name is created. The PollInterval value becomes the polling interval of the policy, in minutes.

	For -r, if a rule with the given name already exists, it is modified according to the parameters specified; for example, if only -f is used, only the filter list of the rule is replaced. If no rule with the given name exists, a rule with that name is created.

	-o deletes every part of the specified policy. Do not use -o if other policies point to objects in the policy being deleted.

Static mode uses the same set of parameters as dynamic mode. In dynamic mode, pass-through and blocking filters are specified in the FilterList given with -f. In static mode, pass-through and blocking filters are specified in the NegotiationPolicyList given with -n: in addition to the NegotiationPolicyList values described for dynamic mode, static mode accepts block, pass and inpass, described in the following table.

Value	Description
block	The rest of the negotiation policy is ignored and the filters become blocking filters.
pass	The rest of the negotiation policy is ignored and the filters become pass-through filters.
inpass	Unsecured initial inbound communication that matches the filter is permitted, but the response must be secured with IPSec.


	








Examples

To add to the Active Directory policy named Default Domain Policy, in the domain to which the local computer belongs and with a 30-minute polling interval, a rule named Secured Servers with mirrored filters between the local computer and the computers SecuredServer1 and SecuredServer2, using Kerberos and preshared key authentication, type:

ipseccmd -f 0+SecuredServer1 0+SecuredServer2 -a k p:"corpauth" -w ds -p "Default Domain Policy":30 -r "Secured Servers"

To create a local registry policy named Me to Anyone containing a rule named Secure My Traffic that covers all traffic of the local computer and uses preshared key authentication, and to assign that policy, type:

ipseccmd -f 0+* -a p:"localauth" -w reg -p "Me to Anyone" -r "Secure My Traffic" -x


ipseccmd query mode

Use Ipseccmd query mode to display the data in the IPSec security database.

Syntax

ipseccmd [\\ComputerName] show {{[filters] | [policies] | [auth] | [stats] | [sas]} | all}






Parameters

	\\ComputerName

	Specifies, by name, the remote computer whose data is displayed.

	show

	Required. Runs Ipseccmd in query mode.

	filters

	Displays main mode and quick mode filters.

	policies

	Displays main mode and quick mode policies.

	auth

	Displays main mode authentication methods.

	stats

	Displays Internet Key Exchange (IKE) and IPSec statistics.

	sas

	Displays main mode and quick mode security associations (SAs).

	all

	Displays all types of data.

	/?

	Displays help at the command prompt.

Remarks

Ipseccmd displays Windows 2000 IPSec data.

	If ComputerName is not used, information for the local computer is displayed.

	If ComputerName is used, the remote computer must be reachable before the command is run, and you must have administrator rights on the computer whose information is displayed.

Examples

To display the main mode and quick mode filters and the policies of the local computer, type:

ipseccmd show filters policies

To display all IPSec information for the remote computer Server1, type:

ipseccmd \\Server1 show all





