I have a question about ipsec policy. here's what I did:

1) ran secpol.msc to open the Local security settings snap-in

2) created a policy called "block_subnet" that blocks all traffic from
the specified subnet (why I did this is not relevant)

3) assigned the policy, and tested it by trying to ping, connect to,
etc. other PCs on the subnet. I was unable to, so I know my policy
works.

4) unassigned the policy.

My question is this: Is there a way I can assign or unassign a policy
via the command prompt, or script? It's tedious if I always have to
open the snap-in, right click the policy, select enable, etc.

Thanks,

Al

Re: ipsec policy in winxp SP2 by Al

Al
Tue May 29 14:14:46 CDT 2007

OK... made some headway. First of all, I deleted the "block_subnet"
policy, it wasn't needed. I found a better way to dynamically create
firewall rules for inbound or outbound traffic.

There is a tool called IPsecCMD.exe that is part of the support
tools included with XP which allows you to create rules that specify a
source or destination host, network, mask, and port. This rule can be
made to block or allow the traffic. It does a lot more than this, but
for quick creation of firewall rules... it rocks.

The only limitation I can see is that you can't remove a specific rule
once created; you can only remove all of them at once (or maybe I
haven't figured how yet).

Another thing that would be nice (and again, maybe this exists and I
just haven't found it yet), would be the ability to list all rules
currently in action.

One more thing: The IPsecCMD.exe that comes with SP1 support tools
does not work on an SP2 machine. If you have SP2, you need the SP2
support tools - WindowsXP-KB838079-SupportTools-ENU.exe, available on
microsoft.com.

Al

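The two things the thread asks for, assigning or unassigning a local IPsec policy from a script (first post) and creating, clearing and listing ipseccmd rules without the snap-in (second post), can be wrapped in one small batch file. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes the SP2 support-tools ipseccmd.exe (KB838079) is on the PATH, that the local policy is still named "block_subnet" as in the first post, and that the switches are as I recall them from the SP2 ipseccmd documentation (-w REG / -p / -x / -y for static mode, -f / -n for dynamic mode, -u, and "show"); confirm them against ipseccmd /? on your own machine before relying on the script.

```batch
@echo off
rem Added example, not from the original thread. Assumes XP SP2 support-tools
rem ipseccmd.exe on the PATH and the switch syntax as recalled from its
rem documentation; verify with "ipseccmd /?" on your box.
rem Usage: blocksub.cmd block^|unblock^|assign^|unassign^|list [subnet/mask]
rem   e.g. blocksub.cmd block 192.168.10.0/255.255.255.0

setlocal
set SUBNET=%~2

if /i "%~1"=="block"    goto :block
if /i "%~1"=="unblock"  goto :unblock
if /i "%~1"=="assign"   goto :assign
if /i "%~1"=="unassign" goto :unassign
if /i "%~1"=="list"     goto :list
echo usage: %~n0 block^|unblock^|assign^|unassign^|list [subnet/mask]
exit /b 1

:block
rem Dynamic mode: one mirrored (+) filter between this host (0) and the
rem subnet, with negotiation policy BLOCK so matching packets are dropped.
rem Dynamic filters are not written to the registry and disappear when the
rem IPSEC Services service restarts.
if "%SUBNET%"=="" (echo subnet/mask required & exit /b 1)
ipseccmd -f 0+%SUBNET% -n BLOCK
goto :end

:unblock
rem -u removes every dynamic rule on the machine at once, not just this one
rem (the limitation mentioned in the thread).
ipseccmd -u
goto :end

:assign
rem Static mode: make the existing local-store policy created in secpol.msc
rem the assigned (active) policy, same effect as right-click / Assign.
ipseccmd -w REG -p "block_subnet" -x
goto :end

:unassign
rem Static mode: unassign that policy again.
ipseccmd -w REG -p "block_subnet" -y
goto :end

:list
rem SP2 ipseccmd can report what is currently in effect; "show all" gives
rem policies, filters and SAs together.
ipseccmd show filters
goto :end

:end
endlocal
```

Run it from an elevated (Administrator) command prompt, since both the policy store and the dynamic filter list need administrative rights. After "block", test with ping exactly as in the first post; after "unblock" or "unassign", run "list" again to confirm nothing from the script is left in force.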

Re: ipsec policy in winxp SP2 by MowGreen

MowGreen
Tue May 29 14:28:42 CDT 2007

Have a look here for useful info:

Ipseccmd
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipsecmd.mspx?mfr=true

MowGreen [MVP 2003-2007]
===============
*-343-* FDNY
Never Forgotten
===============


Al wrote:

> OK... made some headway. First of all, I deleted the "block_subnet"
> policy, it wasn't needed. I found a better way to dynamically create
> firewall rules for inbound or outbound traffic.
>
> There is a tool called IPsecCMD.exe that is part of the support
> tools included with XP which allows you to create rules that specify a
> source or destination host, network, mask, and port. This rule can be
> made to block or allow the traffic. It does a lot more than this, but
> for quick creation of firewall rules... it rocks.
>
> The only limitation I can see is that you can't remove a specific rule
> once created; you can only remove all of them at once (or maybe I
> haven't figured how yet).
>
> Another thing that would be nice (and again, maybe this exists and I
> just haven't found it yet), would be the ability to list all rules
> currently in action.
>
> One more thing: The IPsecCMD.exe that comes with SP1 support tools
> does not work on an SP2 machine. If you have SP2, you need the SP2
> support tools - WindowsXP-KB838079-SupportTools-ENU.exe, available on
> microsoft.com.
>
> Al
>

Re: ipsec policy in winxp SP2 by Al

Al
Thu May 31 13:18:07 CDT 2007

Thanks!