using Ipseccmd
Trix
December 5th 03, 07:44 PM
Since there are only 6 pages on the net (according to
Google) that talk about this command, there isn't much
help for me to configure a rather complicated IPsec setup.
I need to configure a security policy that consists of
two rules- one filter list for outgoing traffic with a
set endpoint, and one for incoming traffic with a
different set endpoint, both using a preshared key for
authentication. The filter lists each have a separate
filter listing a specific IP subnet (for source) and a
specific IP address (for destination) - the other filter
list has the filter configured in a reverse fashion to
the previous one.
The rules also make use of a filter action, which
encrypts the traffic and sets the key lifetime values.
This actually looks relatively straightforward using
the "netsh ipsec" command on 2003 server to create the
filters, filter actions, filter lists and then bind them
together into a rule - it seems a lot more obscure with
ipseccmd - any suggestions?
Roger Abell {MVP}
December 5th 03, 07:44 PM
You have no doubt read and reread the output from
ipseccmd /?
This command has syntax that is closely related to the syntax
for the older W2k reskit tool ipsecpol so docs for it may be
of some use to you.
Finally, as you seem to have noticed, these two tools are now
considered "old" and are being replaced by use of the ipsec
context in netsh.
--
Roger
Mark Swift [MSFT]
December 5th 03, 07:50 PM
It wasn't too clear what exact scenario you want to set up. I will assume a
client-to-gateway tunnel scenario, because that seems to fit best: a client is
tunneling to a gateway router to reach the subnet behind it. I will also
assume you want this policy in the local registry on both machines. The same
set of commands is actually run on both the client and the gateway router.
16.1.1.1 is the client
17.1.1.1 is the gateway router.
Generic form:
ipseccmd -f <srcIP>=<dstIP> -t <TunnelEndpointIP> -n <Security Methods> -a <Authentication Method(s)> -w REG -p "Policy Name" -r "Rule Name"
ipseccmd -f 15.0.0.0/255.0.0.0=16.1.1.1 -t 16.1.1.1 -n ESP[3DES,SHA] -a PRESHARED:"Test" -w REG -p "Corpnet Tunnel" -r "15 to 16.1.1.1 tunnel to 16.1.1.1"
ipseccmd -f 16.1.1.1=15.0.0.0/255.0.0.0 -t 17.1.1.1 -n ESP[3DES,SHA] -a PRESHARED:"Test" -w REG -p "Corpnet Tunnel" -r "16.1.1.1 to 15 tunnel to 17.1.1.1"
--
Mark Swift
Microsoft/Windows/Networking/Secure Network Services/IP Security
Software Test Engineer
-------------------------------------------------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
-------------------------------------------------------------------------------------------------------------------
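Since Trix said the same setup looked straightforward with "netsh ipsec" on Windows Server 2003 and Roger pointed out that the netsh ipsec context is what replaces ipseccmd, here is the netsh equivalent of Mark's two ipseccmd rules. This is an added example, not code from the thread or from Microsoft: the addresses, the policy name, the rule names and the preshared key "Test" are taken from Mark's post; the filter list and filter action names, the main-mode settings and the quick-mode lifetimes (the "key lifetime values" Trix asked about) are assumptions chosen for illustration. As in Mark's answer, the same script is run on the client and on the gateway router.

```batch
@echo off
rem Added example (not from the thread): netsh ipsec static equivalent of Mark Swift's two ipseccmd rules.
rem Addresses, policy name, rule names and PSK "Test" come from Mark's post; list/action names and lifetimes are assumed.

rem 1. Policy container. Main mode: 3DES/SHA1 with DH group 2, rekey after 480 minutes (assumed values).
netsh ipsec static add policy name="Corpnet Tunnel" description="Client-to-gateway tunnel (example)" mmlifetime=480 mmsecmethods="3DES-SHA1-2"

rem 2. Filter list A: subnet 15.0.0.0/8 -> client 16.1.1.1.
rem    mirrored=no matters: a tunnel rule needs one explicit filter per direction, like "=" in ipseccmd.
netsh ipsec static add filterlist name="15 to 16.1.1.1"
netsh ipsec static add filter filterlist="15 to 16.1.1.1" srcaddr=15.0.0.0 srcmask=255.0.0.0 dstaddr=16.1.1.1 dstmask=255.255.255.255 protocol=ANY mirrored=no

rem 3. Filter list B: the reverse filter, client 16.1.1.1 -> subnet 15.0.0.0/8.
netsh ipsec static add filterlist name="16.1.1.1 to 15"
netsh ipsec static add filter filterlist="16.1.1.1 to 15" srcaddr=16.1.1.1 srcmask=255.255.255.255 dstaddr=15.0.0.0 dstmask=255.0.0.0 protocol=ANY mirrored=no

rem 4. Filter action: negotiate ESP 3DES/SHA1; quick-mode rekey every 100000 KB or 3600 s (assumed lifetimes).
rem    inpass=no and soft=no so the rule never falls back to clear text if negotiation fails.
netsh ipsec static add filteraction name="Require ESP 3DES-SHA1" action=negotiate qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" inpass=no soft=no

rem 5. Rules: bind each list to the action and its tunnel endpoint, preshared-key authentication only.
netsh ipsec static add rule name="15 to 16.1.1.1 tunnel to 16.1.1.1" policy="Corpnet Tunnel" filterlist="15 to 16.1.1.1" filteraction="Require ESP 3DES-SHA1" tunnel=16.1.1.1 conntype=all kerberos=no psk="Test"
netsh ipsec static add rule name="16.1.1.1 to 15 tunnel to 17.1.1.1" policy="Corpnet Tunnel" filterlist="16.1.1.1 to 15" filteraction="Require ESP 3DES-SHA1" tunnel=17.1.1.1 conntype=all kerberos=no psk="Test"

rem 6. Assign the policy (only one local policy is active at a time) and review what is now in effect.
netsh ipsec static set policy name="Corpnet Tunnel" assign=y
netsh ipsec static show policy name="Corpnet Tunnel" level=verbose
```

Two points worth checking after running it: `netsh ipsec static show policy ... level=verbose` should list both rules with their tunnel endpoints and no mirrored filters, and `netsh ipsec dynamic show mmsas` / `show qmsas` will show the SAs once traffic matching the filters flows. Note that a preshared key entered this way is stored readably in the local policy store on both hosts, so for anything beyond a lab the `kerberos=yes` or `rootca=` authentication options are the better choice.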