
What are the ways to use the security tool netsh IPSec

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

The editor shares with you how to use the security tool netsh IPSec. Most people are not very familiar with it, so this article is offered for your reference; I hope you learn a lot from it. Let's get to know it.

How to use netsh ipsec

From the command line, the IPSec security policy is configured through netsh ipsec static. The prerequisite is that the IPSec service is running.

An IPSec policy consists of one or more rules; a rule consists of an IP filter list and a corresponding filter action. The filter list and filter action may not exist in the system yet; if not, they must be created first. A filter list in turn consists of one or more filters, so IPSec configuration has to be done step by step: create an empty security policy, create a filter list, and create a filter action. These three steps can be done in any order. Filters are added only after the empty filter list exists, and the rule is created only after the three steps above are complete. Below we configure a policy: add, modify, delete and, most importantly, activate (assign) it.

For more detailed information, refer to Microsoft's technical resource library:

Netsh Commands for Internet Protocol Security (IPsec)

The link is: http://technet.microsoft.com/zh-cn/cc725926

Note: also see the "Netsh Commands for Windows Firewall with Advanced Security" page linked from there; it will give you further help.

Export an IPsec security policy: netsh ipsec static exportpolicy file=d:\ExportSecurity.ipsec

Import an IPsec security policy: netsh ipsec static importpolicy file=d:\ImportSecurity.ipsec

1. Create a new policy

1.1 First create an empty security policy [Michael's security policy]. Names that contain spaces must be quoted, otherwise netsh treats the words after the first space as separate arguments:

netsh ipsec static add policy name="Michael's security policy"

1.2 Create a filter action "block"

netsh ipsec static add filteraction name=block action=block

1.3 Create a filter list "list of accessible terminals" and add two filters to it (each add filter command is a single line; mirrored=yes means the filter also matches the reply direction)

netsh ipsec static add filterlist name="list of accessible terminals"
netsh ipsec static add filter filterlist="list of accessible terminals" srcaddr=203.86.32.248 dstaddr=Me dstport=3389 description="Department 1 access" protocol=TCP mirrored=yes
netsh ipsec static add filter filterlist="list of accessible terminals" srcaddr=203.86.31.0 srcmask=255.255.255.0 dstaddr=60.190.145.9 dstport=0 description="Department 2 access" protocol=any mirrored=yes

1.4 Create the policy rule, which ties the filter list to the filter action inside the policy

netsh ipsec static add rule name="accessible terminal policy rules" policy="Michael's security policy" filterlist="list of accessible terminals" filteraction=block

2. Modify the policy

netsh ipsec static set filter filterlist="list of accessible terminals" srcaddr=220.207.31.249 dstaddr=Me dstport=3389 protocol=TCP

3. Delete the policy

netsh ipsec static delete rule name="accessible terminal policy rules" policy="Michael's security policy"
netsh ipsec static delete filterlist name="list of accessible terminals"

4. The most important step: activate (assign) the policy. Until it is assigned, nothing above has any effect.

netsh ipsec static set policy name="Michael's security policy" assign=y

Here is an example that I wrote myself:

The code is as follows:

echo Create the security policy
netsh ipsec static add policy name="APU security policy"
echo Create the filter action "block"
netsh ipsec static add filteraction name=block action=block
echo Create the filter action "allow"
netsh ipsec static add filteraction name=allow action=permit
echo Create the filter list "list of accessible terminals"
netsh ipsec static add filterlist name="list of accessible terminals"
netsh ipsec static add filter filterlist="list of accessible terminals" srcaddr=203.86.32.248 dstaddr=Me dstport=3389 description="Department 1 access" protocol=TCP mirrored=yes
echo Add the second filter to the same list
netsh ipsec static add filter filterlist="list of accessible terminals" srcaddr=203.86.31.0 srcmask=255.255.255.0 dstaddr=60.190.145.9 dstport=0 description="Department 2 access" protocol=any mirrored=yes
echo Create the policy rule
netsh ipsec static add rule name="accessible terminal policy rules" policy="APU security policy" filterlist="list of accessible terminals" filteraction=block
echo Activate the policy
netsh ipsec static set policy name="APU security policy" assign=y
pause

Or

The code is as follows:

netsh ipsec static add policy name="default policy name"
pause
netsh ipsec static add filteraction name="block operation" action=block
pause
netsh ipsec static add filteraction name="allow operation" action=permit
pause
rem the two filter lists are created under the same names the filters and rules below refer to
netsh ipsec static add filterlist name="access list 1"
pause
netsh ipsec static add filterlist name="access list 2"
pause
netsh ipsec static add filter filterlist="access list 1" srcaddr=203.86.32.248 dstaddr=Me dstport=3389 description="Department 1 access" protocol=TCP mirrored=yes
pause
netsh ipsec static add filter filterlist="access list 2" srcaddr=203.86.31.0 srcmask=255.255.255.0 dstaddr=60.190.145.9 dstport=0 description="Department 2 access" protocol=any mirrored=yes
pause
rem each rule in a policy needs its own name
netsh ipsec static add rule name="accessible terminal policy rule 1" policy="default policy name" filterlist="access list 1" filteraction="block operation"
pause
netsh ipsec static add rule name="accessible terminal policy rule 2" policy="default policy name" filterlist="access list 2" filteraction="block operation"
pause
netsh ipsec static set policy name="default policy name" assign=y
pause

[The following is reproduced untested; it can be found on Baidu.]

The code is as follows (each netsh command on one line; a trailing ^ followed by an empty line would end the command in a batch file, so the continuations are joined here):

REM = start =
netsh ipsec static add policy name=bim
REM add 2 actions, Block and Permit
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block action=block
REM first block all access (mirrored=yes is the default, so both directions are matched)
netsh ipsec static add filterlist name=AllAccess
netsh ipsec static add filter filterlist=AllAccess srcaddr=Me dstaddr=Any
netsh ipsec static add rule name=BlockAllAccess policy=bim filterlist=AllAccess filteraction=Block
REM open unrestricted access for one IP
netsh ipsec static add filterlist name=UnLimitedIP
netsh ipsec static add filter filterlist=UnLimitedIP srcaddr=61.128.128.67 dstaddr=Me
netsh ipsec static add rule name=AllowUnLimitedIP policy=bim filterlist=UnLimitedIP filteraction=Permit
REM open some ports
netsh ipsec static add filterlist name=OpenSomePort
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=20 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=21 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static add rule name=AllowOpenSomePort policy=bim filterlist=OpenSomePort filteraction=Permit
REM allow certain IPs to reach certain ports
netsh ipsec static add filterlist name=SomeIPSomePort
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=61.128.128.68 dstaddr=Me dstport=1433 protocol=TCP
netsh ipsec static add rule name=AllowSomeIPSomePort policy=bim filterlist=SomeIPSomePort filteraction=Permit
REM activate the policy (added here: the reproduced script stopped before this step, and an unassigned policy does nothing)
netsh ipsec static set policy name=bim assign=y
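The script above only works because Windows IPsec applies the most specific matching filter, so the narrow Permit rules win over the catch-all BlockAllAccess. As an added example (not from the article and not a Microsoft API), the following Python models that resolution for the 'bim' policy, including the mirrored default and dstport=0 meaning any port. The specificity weights, the tie-break in favour of block, and the constructed local address 60.190.145.9 standing in for Me are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional, Tuple

ME = "60.190.145.9"  # constructed: the local address that netsh's "Me" stands for

class Packet(NamedTuple):
    src: str
    dst: str
    protocol: str  # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Filter:
    src: str               # "Me", "Any", a host address, or "addr/prefix" (srcaddr + srcmask)
    dst: str
    protocol: str = "any"  # netsh default
    dstport: int = 0       # netsh: 0 means any port
    mirrored: bool = True  # netsh default: also match the reverse flow

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "block"
    filters: Tuple[Filter, ...]

def addr_matches(spec: str, addr: str) -> bool:
    s = spec.lower()
    if s == "any":
        return True
    if s == "me":
        return addr == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def addr_weight(spec: str) -> int:
    """Approximate specificity (assumption): single host 2, subnet 1, Any 0."""
    s = spec.lower()
    return 0 if s == "any" else (1 if "/" in s else 2)

def one_way(f: Filter, src: str, dst: str, proto: str, dport: int) -> bool:
    return (addr_matches(f.src, src) and addr_matches(f.dst, dst)
            and f.protocol.lower() in ("any", proto.lower()) and f.dstport in (0, dport))

def filter_matches(f: Filter, p: Packet) -> bool:
    # A mirrored filter also matches the reverse flow, where its dstport is the packet's sport.
    return one_way(f, p.src, p.dst, p.protocol, p.dport) or (
        f.mirrored and one_way(f, p.dst, p.src, p.protocol, p.sport))

def filter_weight(f: Filter) -> int:
    return addr_weight(f.src) + addr_weight(f.dst) + (f.protocol.lower() != "any") + (f.dstport != 0)

def decide(policy, p: Packet) -> Tuple[str, Optional[str]]:
    """Action and rule name of the most specific matching filter; unmatched traffic passes."""
    hits = [(filter_weight(f), r.action == "block", r.action, r.name)
            for r in policy for f in r.filters if filter_matches(f, p)]
    if not hits:
        return ("permit", None)
    _, _, action, name = max(hits)  # highest weight wins; a tie goes to block (assumption)
    return (action, name)

# The 'bim' policy exactly as the batch script above builds it.
BIM = [
    Rule("BlockAllAccess", "block", (Filter("Me", "Any"),)),
    Rule("AllowUnLimitedIP", "permit", (Filter("61.128.128.67", "Me"),)),
    Rule("AllowOpenSomePort", "permit",
         tuple(Filter("Any", "Me", "TCP", port) for port in (20, 21, 80, 3389))),
    Rule("AllowSomeIPSomePort", "permit",
         (Filter("Me", "Any", "TCP", 80), Filter("61.128.128.68", "Me", "TCP", 1433))),
]
```

For instance, decide(BIM, Packet("1.2.3.4", ME, "TCP", 51001, 1433)) returns ('block', 'BlockAllAccess') while the same connection from 61.128.128.68 returns ('permit', 'AllowSomeIPSomePort').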

Foreword:

IPSec stands for Internet Protocol Security. It has two main functions: protecting the contents of IP packets, and defending against network attacks through packet filtering and enforcing trusted communication. This is good news when important data must be protected from snooping in transit, because Windows 2000 has this feature built in and no other tools are needed.

Because the data is symmetrically encrypted at the IP layer, encapsulating the entire IP packet, no separate security needs to be configured for each protocol in the TCP/IP suite: applications pass their data through TCP/IP down to the IP layer, where it is protected. IPSec configuration is relatively complex, but it is transparent to applications, so applications do not need to support it. The following sections describe the concepts, working process and practical application of IPSec.

1. How IPSec works:

When two computers communicate and an IPSec policy has been set, the host checks that policy. If the policy applies, a negotiation takes place, implemented through a Security Association. After negotiation, an encrypted connection is established between the two computers according to the policy configuration, and data is transmitted encrypted. On the receiving side, the IPSec driver hands the decrypted packet to the TCP/IP driver, which passes it to the application.

2. Enter the IPSec control interface:

There are two ways to open it, with exactly the same result:

- Start - Run - Administrative Tools - Local Security Policy

- MMC - Add/Remove Snap-in - Add - IP Security Policy Management - OK

3. Predefined policies:

IPSec is not enabled by default; a policy must be assigned. You will find that the system has already defined three policies for us; they are introduced one by one below.

- Secure Server: IPSec must be used; if the other side does not use IPSec, communication fails. For computers that always need secure communication.

- Client: IPSec is not used by default, but it is used if the other side requests it. For computers that do not need secured communication most of the time.

- Server: IPSec is used by default, but if the other side does not support IPSec, communication proceeds without it. For computers that need secured communication most of the time.

Policies can be assigned on a single computer or in bulk through Group Policy. Note that for the negotiation to succeed, both sides of the communication must set the same policy and assign it.

4. IPSec modes:

- Transport mode (security between computers): protects communication between two hosts and is the default IPSec mode. Transport mode only supports the Windows 2000 operating system and provides point-to-point security.

- Tunnel mode (security between networks): the encapsulate, send and unpack process is called a "tunnel". It is usually implemented on two routers: IPSec is configured on both routers to protect the communication between them. It is mainly used across a wide area network and does not secure the inside of either network.

5. IPSec authentication methods:

- Kerberos V5 (default): choose this if the computer is a domain member and a Kerberos V5 client, for example a Windows 2000 computer in a domain.

- Certificate: a trusted CA must be configured as well.

- Pre-shared key: both sides use a key agreed between them when setting the policy.

Any of the three can serve as the authentication method. In daily work, computers within a Windows 2000 domain use Kerberos authentication; since domestic CAs are scarce, the third method, where the two sides agree on a key, is generally used in other cases. It is used in Example 2 below.

6. IPSec encryption:

- Authentication (integrity) algorithms:

  SHA

  MD5

- Packet encryption algorithms:

  40-bit DES

  56-bit DES

  3DES: the most secure option, which in turn consumes more system resources.

You can look up the concepts above elsewhere, so I won't go into them here.

7. Application:

Enough about concepts; now into practice, with two examples that illustrate the two functions of IPSec.

1. Protecting the contents of IP packets: to secure the communication between two hosts, we use IPSec to establish a secure connection between the two computers. A pre-shared key is used, and IPSec is forced to encrypt the communication. In the example there are two computers, the first with IP 192.168.0.1 and the second with IP 192.168.0.2; unless otherwise stated, the operation is carried out on the first computer.

(1) Enter the IPSec control interface, right-click "Secure Server" and select Properties (the system has three built-in rules; you can look at their roles in detail, but we demonstrate adding a policy in our own way). Click the Add button.

(2) Enter the Security Rule Wizard and click "Next".

(3) Given our actual situation, we are securing communication between two hosts, not between networks, so we choose "This rule does not specify a tunnel"; that is, we use transport mode. Click Next.

(4) In the network type selection, there are three options; the concepts are easy to understand. We choose "All network connections" and click "Next".

(5) In the authentication method step, the three methods were introduced above; we choose the third, "Use this string to protect the key exchange (preshared key)", and enter the agreed key, for example "hello", in the box. Click Next.

(6) In the "IP Filter List" step, because we want to protect all communication, select "All IP Traffic". You can also add your own filter list, as mentioned in the second example. Click "Next".

(7) In the "Filter Action" step, according to the requirement stated earlier, we choose "Require Security". Filter actions can also be added by ourselves, as mentioned in Example 2. Click "Next".

(8) The security rule is now created; click "Finish".

(9) Back at the starting point, we find our new security rule has been added. We check only the rule we created and leave the other default rules unchecked.

(10) Finally, and very important: we must assign the policy we created, otherwise it does not take effect. Right-click "Secure Server" and click "Assign".

(11) Now open a command window and use the Ping command to check the communication status. The IP address of the second computer in the example is 192.168.0.2. If we run Ping 192.168.0.2 -t, we keep seeing "Negotiating IP Security". Why? Because at this point the IPSec policy is set only on the first computer; the other side has not made the corresponding settings, so the negotiation cannot succeed. We must therefore make the same settings on the other computer and assign them.

(12) After setting up and assigning the policy on the 192.168.0.2 computer, the output changes: IP security negotiation passes and we receive replies from 192.168.0.2.

(13) If we open IP Security Monitor (ipsecmon) beforehand, we find a corresponding record in its window, and "IP Security is enabled on this computer" is displayed in the lower right corner.

So far the goal of Example 1 has been achieved: we have successfully set up IPSec to protect the data. Now other computers that do not have IPSec enabled get no response when they ping this computer, as shown in the following figure (my method was to unassign the IPSec policy set on computer 192.168.0.1):

2. Packet filtering: this function is also very useful. I remember many netizens asking how to close a port on their computer or how to stop others from pinging it. A firewall is one solution, but it costs extra money and resources. The advanced options of the TCP/IP properties allow some filtering, but there you can only specify which ports are open, not which are closed. IPSec can meet this requirement completely. Some may ask what the firewall is then for: as mentioned earlier, compared with a professional firewall, IPSec configuration is relatively cumbersome and not suited to ordinary users; in addition, today's firewalls integrate many other functions, and a hardware firewall consumes fewer system resources.

The following example shows how to use IPSec for packet filtering to turn off ICMP, that is, the question everyone cares about: how to stop answering Ping, which in practice means the ICMP echo request (type 8, code 0). ICMP itself is not covered in detail here; into practice (the example again has two computers, the first with IP 192.168.0.1 and the second with IP 192.168.0.2; unless otherwise stated, the operation is carried out on the second computer):

(1) Enter the IPSec control interface. Because the filter list and filter action we need are not among the built-in ones, we add them ourselves. First right-click "IP Security Policies" and select "Manage IP filter lists and filter actions".

(2) Select the "Manage IP Filter Lists" tab and click the Add button.

(3) Give the IP filter list a name, such as "ICMP", and optionally enter a description in the "Description" field. Click the Add button.

(4) Enter the IP Filter Wizard and click Next.

(5) Select the "source address": we choose "My IP Address", which represents the local machine, 192.168.0.2. Click Next.

(6) Select the "destination address": we choose "Any IP Address". If you have configured a firewall before, you will find this step is exactly like firewall configuration. Click Next.

(7) Select the "protocol type": we choose "ICMP". You will notice many protocol types to choose from, including TCP, UDP and so on. Click Next.

(8) The IP filter is now complete; click "Finish". Note that because I chose ICMP there is no port selection; had I chosen TCP, there would be a step for setting the source and destination ports.

(9) Next we add a filter action that meets our needs, in this case a block action. First click the "Add" button:

(10) Enter the IP Security Filter Action Wizard and click Next.

(11) Give this action a name; I call it "Deny". You can also add a description. Click Next.

(12) Select the behaviour of the action: we choose "Block". Click Next.

(13) This completes the IP Security filter action; click Finish.

(14) The remaining work is to create a new IP security policy that uses the filter list and action created above. Go back to the first step, and this time click "Create IP Security Policy". We enter the IP Security Policy Wizard; click "Next".

(15) Give this IP security policy a name; I call it "Block ICMP". A description can be added as appropriate. Click Next.

(16) Select "Activate the default response rule" and click "Next".

(17) Keep the default value and click "Next".

(18) Click Finish.

(19) Now configure this policy. Click the Add button.

(20) Enter the Create IP Security Rule Wizard and click Next.

(21) As in Example 1, we choose "This rule does not specify a tunnel" according to our requirement. Click Next.

(22) Select "All network connections" and click "Next".

(23) Select "Default" and click "Next".

(24) Select our newly created filter list "ICMP" and click "Next".

(25) Select our newly created action "Deny" and click "Next".

(26) The whole setup is now complete. Click Finish.

(27) Finally, a reminder: the newly created policy must be assigned.

The figure below shows the change before and after assigning this policy. After the 192.168.0.2 computer assigns this rule, pinging 192.168.0.2 from the 192.168.0.1 computer no longer gets an ICMP response.

Above, we completed packet filtering in three parts: creating the IP filter list, creating the IP filter action, and creating the IP security policy. Not every rule needs all of these steps; for example, the IP filter action can be reused directly the next time a port needs to be blocked.

8. Concluding remarks

From the above you can see that IPSec can really do a lot. If we know the ports of other services, such as Terminal Services or FTP, we can use IPSec to protect their communication too. You might as well do this as soon as possible; who knows whether someone is eavesdropping on your information right now?

If you run into problems, try troubleshooting from the following aspects: check whether both sides have set the IPSec policy accordingly; check whether the policy has been assigned; check the relevant entries in the System and Security logs; and use the monitor, ipsecmon, from the command line. Finally, I wish you all smooth use and full benefit from this good tool of Windows 2000!

-

KUKA: IPsec is a very useful thing. Many friends who host servers often worry about security problems; in fact, as long as IPSec and NTFS permissions are used well, most security problems can be solved to a certain extent.

In practice, we all export the rules to a file with the .ipsec extension and then import them.

The code is as follows:

:: import the IP security policy dedicated to the frequent network
netsh ipsec static importpolicy ThecSafe.ipsec
netsh ipsec static set policy name="frequent Network Special Security Policy" assign=y
