Netsh Commands for Internet Protocol Security (IPsec)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Important

The ipsec context of the netsh command-line tool is provided for backwards-compatibility with Windows 2000, Windows XP, and Windows Server 2003. The ipsec context works on computers that are running Windows® 7, Windows Server® 2008 R2, Windows Vista® and Windows Server® 2008, but it does not allow you to manage or interact with any of the IPsec features that are new to those later versions of Windows. You can use this context when you are working remotely with computers that are running Windows Server 2003, or when you need to configure policies that work on a combination of computers that are running both earlier and later versions of Windows.
To use the new IPsec features included with later versions of Windows, use the advfirewall context instead. For more information, see Netsh Commands for Windows Firewall with Advanced Security.

The Netsh commands for Internet Protocol security (IPsec) provide an alternative to the console-based management and diagnostic capabilities provided by the IP Security Policy Management and IP Security Monitor snap-ins available for the Microsoft Management Console (MMC). By using the Netsh commands for IPsec, you can configure and view static or dynamic IPsec Main Mode settings, Quick Mode settings, rules, currently established security associations, and configuration parameters.

Administering IPsec from the command line is especially useful when you want to:

  • Script IPsec configuration.

  • Extend the security and manageability of IPsec by configuring the following features, which are not available in the IP Security Policy Management snap-in: IPsec diagnostics, default traffic exemptions, strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer startup security, and computer startup traffic exemptions.

You can run these commands from within the netsh tool at the netsh ipsec> prompt.

For these commands to work at a standard Windows command prompt, you must preface each command with netsh ipsec, followed by the specific command and parameters as they appear in the syntax below.

Note

If User Account Control is enabled on your computer and you want to run a netsh ipsec command, you must run the command from a command prompt that was started with the Run as administrator option. If you run netsh ipsec commands without having administrator permissions available to the command-line tool, many of the commands fail with the message "The requested operation requires elevation."
The Netsh commands for IPsec can be used to configure IPsec policies on computers that are running Windows Server 2003 or later versions of Windows only.

Important

To use the netsh firewall commands remotely on another computer by using the netsh –r parameter, the Remote Registry service must be running on the remote computer. If it is not, then Windows displays a “Network Path Not Found” error message.

To use the Windows command line to configure IPsec policies on computers that are running Windows XP, use IPsecCmd.exe, which is provided on the Windows XP CD, in the \Support\Tools folder.

To use a command line to configure IPsec policies on computers that are running Windows 2000, use IPsecPol.exe, which is provided with the Windows 2000 Server Resource Kit.

For information on how to interpret netsh command syntax, see Formatting Legend.

For general information about netsh, see Netsh Overview and Enter a Netsh Context.

Netsh IPsec static-mode commands

You can use the netsh ipsec static commands to perform the same management and monitoring tasks that you can perform by using the IP Security Policy Management console. By using these commands, you can create and modify IPsec policies without immediately affecting the configuration of the active IPsec policy. Policies affect the operational state of computer when you use the assign=Yes parameter on an add policy or set policy command. If you make changes to an assigned policy, they will take affect immediately. A Group Policy assigned to the computer will override a local policy, even when the assign=yes option is part of the local policy command.

Netsh IPsec dynamic-mode commands

You can use the netsh ipsec dynamic commands to display the active state of IPsec and to immediately affect the configuration of the active IPsec policy. These commands directly configure the security policy database (SPD). Changes that you make to an IPsec policy while using these commands take effect only while the IPsec service is running. If the IPsec service is stopped, the dynamic policy settings are discarded. Although most of these commands take effect immediately, several configuration commands still require you to restart the IPsec service or restart the computer before they take effect. For more information about these commands, see the syntax descriptions for the netsh ipsec dynamic set config commands.

Warning

Because the IPsec Policy Agent does not interpret the netsh ipsec dynamic commands, you must be knowledgeable in the application of IKE Main Mode and Quick Mode policies to use these commands effectively. Exercise caution when using these commands, because it is possible to create IPsec policy configurations that are not valid without warning.

Netsh IPsec

The following commands are available at the IPsec> prompt, which is rooted within the netsh environment.

While the netsh ipsec dynamic commands modify the currently active configuration without storing the change anywhere, the netsh ipsec static commands modify a store which contains an IPsec configuration which allows the changes to persist, be saved, and recalled later.

Note

Although the dump command is available at the IPsec> prompt, it is not functional in Windows Vista or later versions of Windows.

To view the command syntax, click a command:

  • static

  • dynamic

static

Switches to the IPsec static context. In static mode you configure an IPsec policy which can be assigned to a computer at a later time. Changes made in this mode do not immediately affect the current IPsec state of the computer on which they are made, unless the policy being modified has the assign=yes property currently set and a Group Policy assigned IPsec policy is not currently overriding the local policy.

Commands that can be used at the netsh ipsec static command prompt can be found in the section Netsh IPsec static.

Syntax

static

Parameters

none

dynamic

Switches to the IPsec dynamic context. In dynamic mode, you are making changes to active IPsec state of the computer on which you run the command. The changes are not saved to a policy that can then be deployed to another computer.

Commands that can be used at the netsh ipsec dynamic command prompt can be found in the section Netsh IPsec dynamic.

Syntax

dynamic

Parameters

none

Netsh IPsec static

The following commands are available at the ipsec static> prompt, which is rooted within the netsh environment.

To view the command syntax, click a command:

Add commands

  • add filter

  • add filteraction

  • add filterlist

  • add policy

  • add rule

Delete commands

  • delete all

  • delete filter

  • delete filteraction

  • delete filterlist

  • delete policy

  • delete rule

Import and Export commands

  • exportpolicy

  • importpolicy

Set commands

  • set batch

  • set defaultrule

  • set filteraction

  • set filterlist

  • set policy

  • set rule

  • set store

Show commands

  • show all

  • show filteraction

  • show filterlist

  • show gpoassignedpolicy

  • show policy

  • show rule

  • show store

add filter

Adds a filter to the specified filter list.

Syntax

add filterfilterlist = ] FilterListNamesrcaddr = ] { me | any | IPAddr | IPAddr-*IPAddr ServerType } [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr *| ServerType } [ [ description = ] string ] [ [ protocol = ] { any | icmp | tcp | udp | raw | *Integer *} ] [ [ mirrored = ] { yes | no } ] [ [ srcmask = ] { Mask | *Prefix *} ] [ [ dstmask = ] { Mask | Prefix } ] [ [ srcport = ] Port ] [ [ dstport = ] Port ]

Parameters

  • [ filterlist = ] FilterListName
    Required. Specifies the name of the filter list to which the filter is added. Each filter defines a set of inbound or outbound network traffic to be secured.
  • [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}
    Required. Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, Domain Name System (DNS) name, or server type for the IP traffic. For ServerType, you can use wins, dns, dhcp, or gateway to match the locally configured IP addresses of the computers providing those services. The me keyword matches the IP address(es) assigned to the local computer, even when they change. Any matches any IP address.
  • [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}
    Required. Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use wins, dns, dhcp, or gateway to match the locally configured IP addresses of the computers providing those services. The me keyword matches the IP address(es) assigned to the local computer, even when they change. Any matches any IP address.
  • [ [ description = ] String ]
    Provides information about the filter.
  • [ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ]
    Specifies the IP protocol if, in addition to addressing information, you want to filter a specific IP protocol. The default value is any.
  • [ [ mirrored= ] { yes | no } ]
    Specifies whether to create a mirrored filter. Use yes to create two filters based on the filter settings--one for traffic to the destination and one for traffic from the destination. Both source and destination addresses and ports are mirrored. The default value is yes.
  • [ [ srcmask = ] {Mask|Prefix} ]
    Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
  • [ [ dstmask = ] {Mask|Prefix} ]
    Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
  • [ [ srcport = ] Port ]
    Specifies the source port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent from any port are filtered. The default is any.
  • [ [ dstport = ] Port ]
    Specifies the destination port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent to any port are filtered. The default is any.

Remarks

  • If a filter list does not exist, it is created.

  • Do not create a filter list with the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec filter lists (for example, delete filterlist all).

  • An address range must consist of two specific address of the same type, either IPv4 or IPv6.

  • To filter any packets sent from or to the computer, you can use srcaddr=me or dstaddr=me.

  • To filter packets sent from or to any computer, you can use srcaddr=any or dstaddr=any.

  • All string parameters are case-sensitive.

add filteraction

Creates a filter action with the specified Quick Mode security methods.

Syntax

add filteractionname = ] FilterActionName [ [ description = ] string ] [ [ qmpfs = ] { yes | no }] [ [ inpass = ] { yes | no } ] [ [ soft = ] { yes | no } ] [ [ action = ] { permit | block | negotiate } ] [ [ qmsecmethods = ] "SecMethodsString" ]

Parameters

  • [ name= ] FilterActionName
    Required. Specifies the name of the filter action to be created.
  • [ [ description= ] string ]
    Provides information about the filter action.
  • [ [ qmpfs= ] { yes | no } ]
    Specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new main mode key material is renegotiated each time a new session key is required. The default value is no.
  • [ [ inpass= ] { yes | no } ]
    Specifies whether to allow an incoming packet that matches the configured filter list to be unsecured, but require IPsec-secured communication when replying. The default value is no.
  • [ [ soft= ] { yes | no } ]
    Specifies whether to fall back to unsecured communication with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. The default value is no.
  • [ [ action= ] {permit | block | negotiate } ]
    Specifies the action to take on the traffic that matches the rule containing this filter action. If permit is specified, traffic is transmitted or received without requiring IPsec protection. If block is specified, traffic is blocked. If negotiate is specified, IPsec is used with the specified list of security methods. The default value is negotiate.
  • [ [ qmsecmethods = ] "SecMethodsString" ]
    Specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:

    • ESP[EncAlg,AuthAlg]:numk/nums

    • AH[HashAlg]: numk/nums

    • AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

    Where:

    • EncAlg
      Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.
    • AuthAlg
      Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.
    • HashAlg
      Specifies the hash function. HashAlg can be MD5 or SHA1.
    • numk****
      Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100000 kilobytes.
    • nums****
      Specifies the session key lifetime in seconds. The default value is 3600 seconds.

Remarks

  • Do not create a filter action with the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec filter actions (for example, delete filteraction all).

  • If action=permit or action=block are specified, then any parameters for the options qmsecmethods, qmpfs, inpass, or soft are ignored and not used.

  • Session key regeneration will start based on whichever interval, seconds or kilobytes, is reached first. If you do not configure new intervals, the default intervals are used.

  • If you do not specify qmsecmethods, the default is a string equivalent to "ESP[3DES, SHA1]:100000k/3600s".

  • We recommend that you do not use DES or MD5. These cryptographic algorithms are no longer considered secure, and are provided for backward compatibility only.

  • The preference order of each Quick Mode security method is determined by the order in which it was specified in the command.

  • All string parameters are case-sensitive.

add filterlist

Creates an empty filter list with the specified name.

Syntax

add filterlistname = ] FilterListName [ [ description = ] string ]

Parameters

  • [ name= ] FilterListName
    Required. Specifies the name of the filter list to be created.
  • [ [ description= ] string ]
    Provides information about the filter list.

Remarks

  • Do not create a filter list with the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec filter lists (for example, delete filterlist all).

  • All string parameters are case-sensitive.

add policy

Creates an IPsec policy with the specified name.

Syntax

add policyname = ] PolicyName [ [ description = ] string ] [ [ mmpfs = ] { yes | no } ] [ [ qmpermm = ] Integer ] [ [ mmlifetime = ] Integer ] [ [ activatedefaultrule = ] { yes | no } ] [ [ pollinginterval = ] Integer ] [ [ assign = ] { yes | no } ] [ [ mmsecmethods = ] "KeyExchMethods" ]

Parameters

  • [ name= ] PolicyName
    Required. Specifies the name of the IPsec policy to be created.
  • [ [ description= ] string ]
    Provides information about the IPsec policy.
  • [ [ mmpfs= ] { yes | no } ]
    Specifies whether to enable main mode key perfect forward secrecy (PFS). If yes is specified, Main Mode security SAs are reauthenticated and new main mode key keying material is negotiated each time session key material for a Quick Mode SA is required. The default value is no.
  • [ [ qmpermm= ] Integer ]
    Specifies the number of times that main mode keying material can be used to derive the session key. The default value is 0, meaning an unlimited number of Quick Mode SAs can be derived from the Main Mode SA.
  • [ [ mmlifetime= ] Integer ]
    Specifies the number of minutes after which a new main mode key will be generated. The default value is 480 minutes.
  • [ [ activatedefaultrule= ] { yes | no } ]
    Specifies whether to activate the default response rule for this IPsec policy. The default value is no. This setting applies to computers that are running Windows XP or Windows Server 2003 only, and is not valid on later versions of Windows. When set through a Group Policy that is shared with earlier versions of Windows, computers running Windows Vista or a later version of Windows ignore the value. If you are running the command locally on a computer running Windows Vista or a later version of Windows, it generates an error.
  • [ [ pollinginterval= ] Integer ]
    Specifies how often IPsec polls for changes to this policy. The default value is 180 minutes.
  • [ [ assign= ] { yes | no } ]
    Specifies whether to assign this IPsec policy (only one IPsec policy can be assigned) The default value is no.
  • [ [ mmsecmethods= ] "KeyExchMethods" ]
    Specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:

    EncAlg-HashAlg-GroupNumb

    Where:

    • EncAlg
      Specifies the encryption algorithm. EncAlg can be DES or 3DES.
    • HashAlg
      Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.
    • GroupNum
      Specifies the Diffie-Hellman group to be used for the base keying material. GroupNumb can be: 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), and 3 (high, protects with 2048 bits).

Remarks

  • Do not create a policy with the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec policies (for example, delete policy all).

  • Because only one IPsec policy can be assigned, if a policy is currently assigned and you assign a new policy, the currently assigned policy is automatically unassigned.

  • If set store=domain is specified (when the IPsec policy is stored in Active Directory®), assign has no effect. To assign a policy to a Group Policy object (GPO), you must first create a policy by using the add policy command, and then use the set store command.

  • If mmpfs=yes is specified (main mode key PFS is enabled) then qmpermm is set to 1 and is not configurable, because each new session will cause the main mode key keying material to be renegotiated.

  • If you do not specify mmsecmethods (key exchange security methods), the default is a string equivalent to the following:

    "3DES-SHA1-2 3DES-SHA1-3"

  • We recommend that you do not use DES or MD5. These cryptographic algorithms are no longer considered secure, and are provided for backward compatibility only.

  • IPsec peers must have at least one key exchange security method in common (one that uses the same settings) or negotiations will fail.

  • All string parameters are case-sensitive.

add rule

Creates a rule that links a specified IPsec policy, filter list, and filter action with specified authentication methods.

Syntax

add rulename = ] RuleNamepolicy = ] PolicyNamefilterlist = ] FilterListNamefilteraction = ] FilterActionName [ [ tunnel = ] { IPAddress | DNSName } ] [ [ conntype = ] { lan | dialup | all } ] [ [ activate = ] { yes | no } ] [ [ description = ] string ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "String certmap:{ yes | no } excludecaname:{** yes** | no }" ]

Parameters

  • [ name= ] RuleName
    Required. Specifies the name of the IPsec rule to be created.
  • [ policy= ] PolicyName
    Required. Specifies the name of the IPsec policy that contains this rule.
  • [ filterlist= ] FilterListName
    Required. Specifies the name of the IP filter list for this rule.
  • [ filteraction= ] FilterActionName
    Required. Specifies the name of the filter action for this rule.
  • [ [ tunnel= ] {IPAddress | DNSName} ]
    Specifies the IP address (IPv4 or IPv6) or DNS name of the tunnel endpoint for tunnel mode. By default, this option is not specified and transport mode is used.
  • [ [ conntype= ] { lan | dialup | all }]
    Specifies whether the rule applies only to dial-up connections, only to local area network (LAN) connections, or to all connections. The default value is all.
  • [ [ activate= ]{ yes | no } ]
    Specifies whether to enable this rule in the specified IPsec policy. The default value is yes.
  • [ [ description= ] string]
    Provides information about the rule.
  • [ [ kerberos= ]{ yes | no } ]
    Specifies whether to use the Kerberos V5 protocol as an authentication method.
  • [ [ psk= ] PreSharedKey]
    Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.
  • [ [ rootca= ] "CertNamecertmap:{ yes** | no } excludecaname:{** yes** | no } "]**
    Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:

    • CertName
      Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.
    • certmap:{ yes | no }
      Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.
    • excludecaname:{ yes | no }
      Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.

Remarks

  • Do not create a rule with the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec rules (for example, delete rule all).

  • You can only use Kerberos V5 authentication or certificate-to-account mapping for computers that are members of an Active Directory domain.

  • Although you can use only one preshared key for authentication, you can use multiple certificates by specifying the rootca parameter multiple times, once for each certificate you want to use.

  • All certificate authentication parameters must be contained within a pair of quotation marks. To embed a quotation mark within the parameter, use a backslash followed by an apostrophe (\').

  • All string parameters are case-sensitive.

  • The preference order of each authentication method is determined by the order in which it was specified in the command.

  • If no authentication methods are specified, dynamic defaults are used. By default, IPsec policies use Kerberos V5 authentication. If the computer has a computer certificate, any root CA to which the computer certificate chains is also used for authentication.

  • If excludecaname:yes is specified, the list of trusted root CAs is not sent as part of the certificate request, which prevents the potential disclosure of sensitive information about the trust relationships of a computer. To enhance security for computers connected to the Internet, specify this option.

  • The use of preshared key authentication is not recommended because it is a relatively weak authentication method. In addition, preshared keys are stored in plaintext.

  • IPsec peers must have at least one key exchange security method in common (one that uses the same settings) or negotiations will fail.

delete all

Deletes all IPsec policies, filter lists, and filter actions.

Warning

Running this command deletes all currently configured IPsec policies, filter lists, and filter actions with no confirmation requested before the command is executed.

Syntax

delete all

Parameters

None.

delete filter

Deletes a filter from a filter list that matches the specified parameters.

Syntax

deletefilterfilterlist = ] FilterListNamesrcaddr = ] { me | any | IPAddr | IPAddr-*IPAddr *| *ServerType } [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr *| ServerType } [ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ] [ [ srcmask = ] { *Mask *| *Prefix *} ] [ [ dstmask = ] { *Mask *| *Prefix *} ] [ [ srcport = ] *Port *] [ [ dstport = ] Port ] [ [ mirrored = ] { yes | no } ]

Parameters

  • [ filterlist= ] FilterListName
    Required. Specifies the name of the filter list to which the filter was added.
  • [ srcaddr= ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}
    Required. Specifies the source IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.
  • [ dstaddr= ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}
    Required. Specifies the destination IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.
  • [ [ protocol= ] {ANY|ICMP|TCP|UDP|RAW|Integer} ]
    Specifies the IP protocol if, in addition to addressing information, a specific IP protocol is filtered. A value of ANY matches filters with a protocol setting of any.
  • [ [ srcmask= ] {Mask|Prefix} ]
    Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 0 through 32. The default value is the mask of 255.255.255.255, equivalent to the prefix value of 32.
  • [ [ dstmask= ] {Mask|Prefix} ]
    Specifies the destination address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 0 through 32. The default value is the mask of 255.255.255.255, equivalent to the prefix value of 32.
  • [ [ srcport= ] Port ]
    Specifies the source port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets. The default is to match any port number.
  • [ [ dstport= ] Port ]
    Specifies the destination port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets. The default is to match any port number.
  • [ [ mirrored= ] { yes | no } ]
    Specifies whether a mirrored filter was created.

Remarks

  • This command only deletes a filter that matches the exact parameters specified.

  • If no optional parameters are specified, all filters that match the specified required parameters are deleted.

  • To delete a filter that filtered any packets sent from or to the local computer use srcaddr=me or dstaddr=me.

  • To delete a filter that filtered packets sent from or to any remote computer use srcaddr=any or dstaddr=any.

  • All string parameters are case-sensitive.

delete filteraction

Deletes the specified filter action, or all filter actions.

Syntax

delete filteraction { [ name = ] FilterActionName | all }

Parameters

  • { [ name= ] FilterActionName | all}
    Required. Specifies the name of the filter action to delete. Or, if all is specified, all filter actions are deleted.

Remarks

  • All string parameters are case-sensitive.

delete filterlist

Deletes the specified filter list, or all filter lists.

Syntax

delete filterlist { [ name = ] FilterListName | all }

Parameters

  • { [ name= ] FilterListName | all }
    Required. Specifies the name of the filter list to delete. Or, if all is specified, all filter lists are deleted.

Remarks

  • All string parameters are case-sensitive.

delete policy

Deletes the specified IPsec policy and all associated rules, or all IPsec policies.

Syntax

delete policy { [ name = ] PolicyName | all }

Parameters

  • { [ name= ] PolicyName | all }
    Required. Specifies the name of the IPsec policy to delete. Or, if all is specified, all IPsec policies are deleted.

Remarks

  • All string parameters are case-sensitive.

delete rule

Deletes a specified rule, or all rules from the specified IPsec policy.

Syntax

delete rule { [ name = ] RuleName | [ ID = ] Integer | all } [ policy = ] PolicyName

Parameters

  • { [ name= ] RuleName | [ ID= ] Integer | all }
    Required. Specifies the rule to delete. If either the rule name or the rule ID (the number identifying the position of the rule in the policy rule list) is specified, the corresponding rule is deleted. If all is specified, all rules are deleted.
  • [ policy= ] PolicyName
    Required. Specifies the name of the policy from which one or more rules are deleted.

Remarks

  • The default response rule cannot be deleted.

  • After a rule is deleted, all IDs for the remaining rules change accordingly.

  • All string parameters are case-sensitive.

exportpolicy

Exports IPsec policy information to the specified file. You can export all policies, or a specified policy.

Syntax

Exportpolicyfile = ] FilePathAndNamename = ] PolicyName

Parameters

  • ****file=FilePathAndName
    Required. Specifies the folder path and name of the file into which the IPsec policy information is exported.
  • [ [ name = ] PolicyName ]
    Specifies the policy to export. If no value is provided, then all polices are exported.

Remarks

  • By default, if no file name extension is specified as part of the filename then .IPsec is added to the file name.

  • If no path is provided, then the file is placed in the current default folder. This is the folder displayed by the command prompt before you start netsh.

  • To enhance interoperablity in a mixed environment with computers running Windows 2000, limit the name of the file to which you want the policy information saved to 60 characters or less.

  • All string parameters are case-sensitive.

importpolicy

Imports IPsec policy information from the specified IPsec file.

Syntax

Importpolicyfile = ] FilePathAndName

Parameters

  • [ file= ] FilePathAndName
    Required. Specifies the folder path and name of the file from which the IPsec policy information is imported.

Remarks

  • All string parameters are case-sensitive.

  • By default, if no file name extension is specified as part of the filename then .IPsec is added to the file name.

  • If no path is provided, then the file is expected to be in the current default folder. This is the folder displayed by the command prompt before you start netsh.

set batch

Sets batch mode. When batch mode is enabled, netsh caches information used during the processing of commands. When other commands reference that same information, the command can typically be processed much more quickly since it is in the cache memory. This can significantly improve performance of scripts that run a sequence of netsh commands.

Syntax

set batchmode = ] { enable | disable }

Parameters

  • [ mode = ] { enable | disable }
    Required. Turns batch mode with its associated caching of information on or off. Use enable to turn it on before running a sequence of commands.

Remarks

  • The set batch command is a per session command. If you start a new netsh session, batch mode is disabled, even if it was enabled when you last used netsh.

set defaultrule

Modifies the default response rule for the specified policy. This option is applicable to computers running Windows XP or Windows Server 2003 only, and does not apply to later versions of Windows.

Syntax

set defaultrulepolicy = ] PolicyName [ [ qmpfs = ] { yes | no } ] [ [ activate = ] { yes | no } ] [ [ qmsecmethods = ] "SecMethodsString" ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "CertNamecertmap:{** yes** | no } excludecaname:yes | no }"]

Parameters

  • [ policy= ] PolicyName
    Required. Specifies the name of the IPsec policy for which the default response rule is to be modified.
  • [ [ qmpfs= ]{ yes | no } ]
    Specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new main mode key material is renegotiated each time a new session key is required. The default value is no.
  • [ [ activate= ]{ yes | no } ]
    Specifies whether to activate this rule for the specified IPsec policy. The default value is yes.
  • [ [ qmsecmethods = ] "SecMethodsString" ]
    Specifies one or more security methods, separated by spaces and defined by the following format:

    {ESP [EncAlg**,AuthAlg]:k/s | AH [HashAlg]:k/s | AH [HashAlg]+ESP**[EncAlg**,AuthAlg]:k/**s}]

    Where:

    • EncAlg
      Specifies the encryption algorithm. ConfigAlg can be DES (Data Encryption Standard), 3DES, or none.
    • AuthAlg
      Specifies the integrity algorithm. AuthAlg can be MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm 1), or none.
    • HashAlg
      Specifies the hash function. HashAlg can be MD5 (Message Digest 5) or SHA1.
    • k
      Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.
    • s
      Specifies the session key lifetime in seconds. The default value is 3600 seconds.
  • [ [ kerberos= ]{ yes | no } ]
    Specifies whether to use the Kerberos V5 protocol as an authentication method.
  • [ [ psk= ] PreSharedKey ]
    Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.
  • [ [ rootca= ] "CertNamecertmap:yes | no } excludecaname:yes | no }"]
    Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:

    • String
      Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.
    • ****certmap:yes | no }
      Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.
    • ****excludecaname:yes | no }
      Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.

Remarks

  • This option is applicable to computers running Windows XP or Windows Server 2003 only, and is ignored on computers running later versions of Windows.

  • We recommend that you do not use DES or MD5. These cryptographic algorithms are no longer considered secure, and are provided for backwards-compatibility only.

  • You can only use Kerberos V5 authentication or certificate-to-account mapping for computers that are members of an Active Directory domain.

  • Although you can use only one preshared key for authentication, you can use multiple certificates by specifying the rootca parameter multiple times, once for each certificate you want to use.

  • All certificate authentication parameters must be contained within a pair of quotation marks. To embed a quotation mark within the parameter, use a backslash followed by an apostrophe (\').

  • The preference order of each authentication method is determined by the order in which it was specified in the command.

  • If no authentication methods are specified, dynamic defaults are used. By default, IPsec policies use Kerberos V5 authentication. If the computer has a computer certificate, any root CA to which the computer certificate chains is also used for authentication.

  • If excludecaname:yes is specified, the list of trusted root CAs is not sent as part of the certificate request, which prevents the potential disclosure of sensitive information about the trust relationships of a computer. To enhance security for computers connected to the Internet, specify this option.

  • The use of preshared key authentication is not recommended because it is a relatively weak authentication method. In addition, preshared keys are stored in plaintext.

  • IPsec peers must have at least one key exchange security method in common (one that uses the same settings) or negotiations will fail.

  • Modifying authentication methods will overwrite all previous authentication methods, even if the previous authentication methods were different. For example, if kerberos=yes and **psk=**PresharedKey were previously specified, and then you specify kerberos=no, the psk parameter will also be overwritten by the default value of no preshared key, and preshared key authentication will no longer be used.

  • EncAlg and AuthAlg cannot both be set to none.

  • All string parameters are case-sensitive.

set filteraction

Modifies a filter action.

Syntax

set filteraction { [ name = ] FilterActionName | [ guid = ] FilterActionGUID } [ [ newname = ] NewFilterActionName ] [ [ description = ] String ] [ [ qmpfs = ] { yes | no } ] [ [ inpass = ] { yes | no } ] [ [ soft = ] { yes | no } ] [ [ action = ] { permit | block | negotiate } ] [ [ qmsecmethods = ] "SecMethodsString" ]

Parameters

  • **{ [ **name=FilterActionName | [ guid = ] FilterActionGUID }
    Required. Specifies the name or global unique identifier (GUID) of the filter action to modify.
  • [ [ newname= ] NewFilterActionName ]
    Changes the name of the filter action to the specified value. If a value is not specified, then the name is not changed.
  • [ [ description= ] String ]
    Changes the information about the filter action. If a value is not specified, then description is not changed.
  • [ [ qmpfs= ] { yes | no } ]
    Changes the value that specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new main mode key material is renegotiated each time a new session key is required. If a value is not specified, then qmpfs is not changed.
  • [ [ inpass= ] { yes | no } ]
    Changes the value that specifies whether to allow an incoming packet that matches the configured filter list to be unsecured, but require IPsec-secured communication when replying. If a value is not specified, then inpass is not changed.
  • [ [ soft= ] { yes | no } ]
    Changes the value that specifies whether to fall back to unsecured communications with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. If a value is not specified, then soft is not changed.
  • [ [ action= ] { permit | block | negotiate } ]
    Changes the value that specifies whether to permit traffic without negotiating IPsec. If permit is specified, traffic is transmitted or received without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the specified list of security methods. If a value is not specified, then action is not changed.
  • [ [ qmsecmethods = ] "SecMethodsString" ]
    Changes the string that specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:

    • ESP[EncAlg,AuthAlg]:numk/nums

    • AH[HashAlg]: numk/nums

    • AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

    Where:

    • EncAlg
      Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.
    • AuthAlg
      Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.
    • HashAlg
      Specifies the hash function. HashAlg can be MD5 or SHA1.
    • numk****
      Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100000 kilobytes.
    • nums****
      Specifies the session key lifetime in seconds. The default value is 3600 seconds.

    If a value is not specified, then qmsecmethods is not changed.

Remarks

  • If you rename the filter action, do not use the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec filter actions (for example, delete filteraction all).

  • We recommend that you do not use DES or MD5. These cryptographic algorithms are no longer considered secure, and are provided for backward compatibility only.

  • If action=permit or action=block are specified, then do not set qmpfs=yes, inpass=yes, or soft=yes.

  • Session key regeneration will start based on whichever interval, seconds or kilobytes, is reached first. If you do not configure new intervals, the default intervals are used.

  • The preference order of each Quick Mode security method is determined by the order in which it was specified in the command.

  • All string parameters are case-sensitive.

set filterlist

Modifies a filter list.

Syntax

set filterlist { [ name = FilterListName | [ guid = ] FilterListGUID } [ [ newname = ] NewFilterActionName ] [ [ description = ] String ]

Parameters

  • **{ [ **name=FilterListName | [ guid = ] FilterListGUID }
    Required. Specifies the name or globally unique identifier (GUID) of the filter list to modify.
  • [ [ newname= ] NewFilterActionName ]
    Changes the name of the filter list to the specified value. If a value is not specified, then the name is not changed.
  • [ [ description= ] String ]
    Changes the information about the filter list. If a value is not specified, then description is not changed.

Remarks

  • If you specify a new name for the filter list, do not use the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec filter lists (for example, delete filterlist all).

  • All string parameters are case-sensitive.

set policy

Modifies an IPsec policy.

Syntax

set policy { [ name = PolicyName | [ guid = ] PolicyGUID } [ [ newname = ] NewPolicyName ] [ [ description = ] String ] [ [ mmpfs = ] { yes | no } ] [ [ qmpermm = ] Integer ] [ [ mmlifetime = ] Integer ] [ [ activatedefaultrule = ] { yes | no } ] [ [ pollinginterval = ] Integer ] [ [ assign = ] { yes | no } ] [ [ gponame = ] NameOfGPO ] [ [ mmsecmethods = ] **"KeyExchMethods" **]

Parameters

  • **name= String| **guid=guid
    Required. Specifies the name or GUID of the IPsec policy to modify.
  • [ [ newname = ] String ]
    Changes the name of the IPsec policy to the specified value. If a value is not specified, then the name is not changed.
  • [ [ description = ] String ]
    Changes the information about the IPsec policy. If a value is not specified, then description is not changed.
  • [ [ mmpfs= ] { yes | no } ]
    Changes the value that specifies whether to enable main mode key perfect forward secrecy (PFS). If yes is specified, Main Mode security SAs are reauthenticated and new main mode key keying material is negotiated each time session key material for a Quick Mode SA is required. If a value is not specified, then mmpfs is not changed.
  • [ [ qmpermm= ] Integer ]
    Changes the value that specifies the number of times that main mode keying material can be used to derive the session key. If a value is not specified, then qmpermm is not changed.
  • [ [ mmlifetime= ] Integer ]
    Changes the value that specifies the number of minutes after which a new main mode key will be generated. If a value is not specified, then mmlifetime is not changed.
  • [ [ activatedefaultrule= ] { yes | no } ]
    Changes the value that specifies whether to activate the default response rule for this IPsec policy. This setting applies to computers that are running Windows XP or Windows Server 2003 only, and is not valid on later versions of Windows. When set through a Group Policy that is shared with earlier versions of Windows, computers running Windows Vista or later versions of Windows ignore the value. If you are running the command locally on a computer running Windows Vista or a later version of Windows, it generates an error. If a value is not specified, then activatedefaultrule is not changed.
  • [ [ pollinginterval= ] Integer ]
    Changes the value that specifies how often IPsec polls for changes to this policy. If a value is not specified, then pollinginterval is not changed.
  • [ [ assign={ yes| no}] ]
    Changes the value that specifies whether to assign this IPsec policy (only one IPsec policy can be assigned) If a value is not specified, then assign is not changed.
  • [ [ gponame= ] NameOfGPO ]
    Changes the value that specifies the name of the Group Policy object to which the IPsec policy is assigned. This parameter is only applicable if you are configuring policy for a computer that is an Active Directory domain member. If a value is not specified, then gponame is not changed.
  • [ [ mmsecmethods= ] "KeyExchMethods" ]
    Changes the string that specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:

    EncAlg-HashAlg-GroupNumb

    Where:

    • EncAlg
      Specifies the encryption algorithm. EncAlg can be DES or 3DES.
    • HashAlg
      Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.
    • GroupNum
      Specifies the Diffie-Hellman group to be used for the base keying material. GroupNumb can be: 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), and 3 (high, protects with 2048 bits).

    If a value is not specified, then mmsecmethods is not changed.

Remarks

  • If you specify a new name for the policy, do not use the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec policies (for example, delete policy all).

  • We recommend that you do not use DES or MD5. These cryptographic algorithms are no longer considered secure, and are provided for backwards-compatibility only.

  • If set store=domain is specified (when the IPsec policy is stored in Active Directory), then assign has no effect.

  • If mmpfs=yes is specified (main mode key PFS is enabled), then qmpermm is set to 1 and not configurable, because each new session will cause the main mode key keying material to be renegotiated.

  • IPsec peers must have at least one common key exchange security method (one that uses the same settings) or negotiations will fail.

  • You can only specify a Group Policy object name if set store=domain.

  • All string parameters are case-sensitive.

set rule

Modifies a rule in an IPsec policy.

Syntax

set rule { [ name = ] RuleName | [ ID = ] Integer } [ policy = ] PolicyName [ [ newname = ] NewRuleName ] [ [ description = ] String ] [ [ filterlist = ] FilterListName ] [ [ filteraction = ] FilterActionName ] [ [ tunnel = ] { IPAddress | DNSName } ] [ [ conntype = ] { lan | dialup | all } ] [ [ activate = ] { yes | no } ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "Stringcertmap:{** yes** | no } excludecaname:{** yes** | no }**" **]

Parameters

  • { [ name= ] RuleName | [ ID= ] Integer }
    Required. Specifies the name or ID (the number identifying the position of the rule in the policy rule list) of the rule to modify.
  • [ policy= ] PolicyName
    Required. Specifies the name of the IPsec policy that contains the rule to modify.
  • [ [ newname= ] NewRuleName ]
    Changes the name of the rule to the specified value. If a value is not specified, then the name is not changed.
  • [ [ description= ] String ]
    Changes the information about the rule. If a value is not specified, then description is not changed.
  • [ [ filterlist= ] FilterListName ]
    Changes the IP filter list associated with this rule. If a value is not specified, then filterlist is not changed.
  • [ [ filteraction= ] FilterActionName ]
    Changes the filter action associated with this rule. If a value is not specified, then filteraction is not changed.
  • [ [ tunnel= ] {IPAddress|DNSName} ]
    Changes the value that specifies the IP address or DNS name of the tunnel endpoint for tunnel mode. If a value is not specified, then tunnel is not changed.
  • [ [ conntype= ] { lan | dialup | all }]
    Changes the value that specifies whether the rule applies only to dial-up connections or to local area network (LAN) connections, or to all connections. If a value is not specified, then conntype is not changed.
  • [ [ activate= ] { yes | no } ]
    Changes the value that specifies whether to enable this rule for the specified IPsec policy. If a value is not specified, then activate is not changed.
  • [ [ kerberos= ] { yes | no } ]
    Changes the value that specifies whether to use the Kerberos V5 protocol as an authentication method.
  • [ [ psk= ] PreSharedKey]
    Changes the string of characters to use for the preshared key, if a preshared key is used as an authentication method. If a value is not specified, then psk is not changed.
  • [ [ rootca= ] "Stringcertmap:{ yes** | no } excludecaname:{** yes** | no } "]**
    Changes the value that specifies certificate authentication options. The argument is a string in quotes that contains the following elements:

    • String
      Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.
    • ****certmap:yes | no }
      Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.
    • ****excludecaname:yes | no }
      Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.

    If a value is not specified, then rootca is not changed.

Remarks

  • You can only use Kerberos V5 authentication or certificate-to-account mapping for computers that are members of an Active Directory domain.

  • Although you can use only one preshared key for authentication, you can use multiple certificates by specifying the rootca parameter multiple times, once for each certificate you want to use.

  • All certificate authentication parameters must be contained within a pair of quotation marks. To embed a quotation mark within the parameter, use a backslash followed by an apostrophe (\').

  • All string parameters are case-sensitive.

  • The preference order of each authentication method is determined by the order in which it was specified in the command.

  • If no authentication methods are specified, dynamic defaults are used. By default, IPsec policies use Kerberos V5 authentication. If the computer has a computer certificate, any root CA to which the computer certificate chains is also used for authentication.

  • If excludecaname:yes is specified, the list of trusted root CAs is not sent as part of the certificate request, which prevents the potential disclosure of sensitive information about the trust relationships of a computer. To enhance security for computers connected to the Internet, specify this option.

  • The use of preshared key authentication is not recommended because it is a relatively weak authentication method. In addition, preshared keys are stored in plaintext.

  • IPsec peers must have at least one common key exchange security method (one that uses the same settings) or negotiations will fail.

  • Modifying authentication methods will overwrite all previous authentication methods, even if the previous authentication methods were different. For example, if kerberos=yes and **psk=**PreSharedKey were previously specified, and then you specify kerberos=no, then the psk parameter will also be overwritten with the default value of not using a preshared key, and preshared key authentication will no longer be used.

set store

Sets the current IPsec policy storage location.

Syntax

set storelocation = ] { local | domain } [ [ domain = ] DomainName ]

Parameters

  • [ location= ] { local | domain }
    Required. Specifies the storage location for the IPsec policy.
  • [ [ domain= ] DomainName ]
    Specifies the name of the domain where the IPsec policy is stored, if the policy is stored in Active Directory (when location=domain is specified).

Remarks

  • The set store command only works from within the netsh environment, that is:

    • If you run this command from the command prompt for the netsh ipsec context).

    • If you run a batch file by using the netsh.exe command.

  • The local store contains IPsec policies that can be assigned to secure this computer. If a domain policy is available, the domain policy is applied instead of the local policy.

  • The domain store contains IPsec policies that can be assigned to secure groups of computers in a domain.

  • Use the set machine command to configure a remote computer.

  • All string parameters are case-sensitive.

show all

Displays configuration information for all IPsec policies, rules, filter lists, and filter actions.

Syntax

show all [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters

  • [ [ format = ] { list | table} ]
    Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
  • [ [ wide= ] { yes | no } ]
    Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.

Remarks

  • Because the show all command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    To save output in a text file for the show all command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec static show all

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      **netsh ipsec static show all >**FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show filteraction

Displays configuration information for one or more filter actions.

Syntax

show filteraction { [ name = ] FilterActionName | [ rule = ] RuleName | all } [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters

  • { [ name= ] FilterActionName | [ rule= ] RuleName | all }
    Required. Specifies one or more filter actions for which configuration information is to be displayed.

    • If name is specified, then the filter action with the specified name is displayed.

    • If rule is specified, then the filter action associated with the specified rule is displayed.

    • If all is specified, all filter actions are displayed.

  • [ [ level= ] { verbose | normal } ]
    Specifies the level of information to display. If verbose is specified, information about the security methods, policy storage location, and whether session key perfect forward secrecy (PFS) is enabled is displayed, in addition to basic filter action information. The default value is normal.
  • [ [ format= ] { list | table } ]
    Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
  • [ [ wide= ] { yes | no } ]
    Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.

Remarks

  • All string parameters are case-sensitive.

  • Because the show filteraction command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    To save output in a text file for the show filteraction command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type (as an example that displays all filter actions):

      show filteraction all verbose table yes

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      netsh ipsec static show filteraction allverbose table yes>FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show filterlist

Displays configuration information for one or more filter lists.

Syntax

show filterlist { [ name = ] FilterListName | [ rule = ] RuleName | all } [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ resolvedns = ] { yes | no } ] [ [ wide = ] { yes | no } ]

Parameters

  • { [ name= ] FilterListName | [ rule= ] RuleName | all }
    Required. Specifies one or more filter lists to display. If name is specified, the filter list with the specified name is displayed. If rule is specified, all filter lists associated with the specified rule are displayed. If all is specified, all filter lists are displayed.
  • [ [ level= ] { verbose | normal } ]
    Specifies the level of information to display. If verbose is specified, information about the security methods, policy storage location, and whether session key perfect forward secrecy (PFS) is enabled is displayed, in addition to basic filter action information. The default value is normal.
  • [ [ format= ] { list | table } ]
    Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
  • [ [ resolvedns= ] { yes | no } ]
    Specifies whether to resolve the DNS or NetBIOS computer name associated with an IP address when displaying sources or destinations. If yes is specified, level must also be set to verbose, or the DNS names are not displayed. The default value is no.
  • [ [ wide= ] { yes | no } ]
    Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.

Remarks

  • All string parameters are case-sensitive.

  • Because the show filterlist command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    To save output in a text file for the show all command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type (as an example that displays all filter lists):

      IPsec static show filterlist all verboseyes yes

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      netsh ipsec static show filterlist all verboseyes yes >FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show gpoassignedpolicy

Displays configuration information for the active IPsec policy assigned to the specified Group Policy object.

Syntax

show gpoassignedpolicy [ [ name = ] GPOName ]

Parameters

  • [ [ name= ] GPOName ]
    Specifies the name of the Group Policy object to which the active IPsec policy is assigned. If no name is specified, the local IPsec policy is displayed.

Remarks

  • You can only specify a Group Policy object name if set store=domain.

  • All string parameters are case-sensitive.

    To save output in a text file for the show gpossignedpolicy command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec static show gpoassignedpolicy [GPOName]

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      netsh ipsec static show gpoassignedpolicy [GPOName] >FileName.txt

show policy

Displays configuration information for the specified IPsec policy, or for all IPsec policies.

Syntax

show policy { [ name = ] PolicyName | all } [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters

  • { [ name= ] PolicyName | all }
    Required. Specifies the name of the IPsec policy to display or, if all is specified, that all IPsec policies are displayed.
  • [ [ level= ] { verbose | normal } ]
    Specifies the level of information to display. If verbose is specified, the security methods and authentication method are displayed, in addition to information about filter actions and rules. The default value is normal.
  • [ [ format= ] { list | table } ]
    Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
  • [ [ wide= ] { yes | no } ]
    Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.

Remarks

  • All string parameters are case-sensitive.

  • Because the show policy command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    To save output in a text file for the show policy command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec static show policy PolicyName | all >FileName.txt

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      netsh ipsec static show policy PolicyName | all >FileName**.txt**

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show rule

Displays configuration information for a rule for a specified policy, or for all rules for a specified policy.

Syntax

show rule { [ name = ] RuleName | [ id = ] Integer | all | default } [ policy = ] PolicyName [ [ type = ] { transport | tunnel } ] [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters

  • { [ name= ] RuleName | [ id= ] Integer | all | default }
    Required. Specifies one or more rules to display. If either the rule name or the rule ID (the number identifying the position of the rule in the policy rule list) is specified, the corresponding rule is displayed. If all is specified, all rules for the specified policy are displayed. If default is specified, the default response rule is displayed.
  • [ policy= ] PolicyName
    Required. Specifies the name of the policy for which the specified rule, or all rules, are displayed.
  • [ [ type= ] { transport | tunnel } ]
    Specifies whether to display all transport rules or all tunnel rules. The default value is to display all rules.
  • [ [ level= ] { verbose | normal } ]
    Specifies the level of information to display. If verbose is specified, the security methods and authentication method are displayed, in addition to information about filter actions and rules. The default value is normal.
  • [ [ format= ] { list | table } ]
    Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
  • [ [ wide= ] { yes | no } ]
    Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.

Remarks

  • If you use the type parameter, you must also use the all parameter (you must specify show rule all).

  • All string parameters are case-sensitive.

  • Because the show rule command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    To save output in a text file for the show rule command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type (as an example that displays all transport rules in a policy):

      IPsec static show rule all Policytransport

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      netsh ipsec static show rule all Policytransport >FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show store

Displays the current IPsec policy storage location. Commands that you enter to change the state of the IPsec configuration apply to the displayed location unless you use the set store command to change the location first.

Syntax

show store

Parameters

None.

Remarks

  • The local store contains IPsec policies that can be assigned to secure this computer. If a domain policy is available, the domain policy is applied instead of the local policy.

  • The domain store contains IPsec policies that can be assigned to secure groups of computers in a domain.

Netsh IPsec dynamic

The following commands are available at the ipsec dynamic > prompt, which is rooted within the netsh environment.

While the netsh ipsec static commands modify a store which contains an IPsec configuration, the netsh ipsec dynamic commands modify the currently active configuration, without storing the change anywhere. If you restart the computer or the IPsec services, the change is lost. To make a change persistent, use the Netsh IPsec static commands to modify a store containing an IPsec configuration, and then ensure that configuration is the currently active configuration.

To view the command syntax, click a command:

Add commands

  • add mmpolicy

  • add qmpolicy

  • add rule

Delete commands

  • delete all

  • delete mmpolicy

  • delete qmpolicy

  • delete rule

  • delete sa

Set commands

  • set config

  • set mmpolicy

  • set qmpolicy

  • set rule

Show commands

  • show all

  • show config

  • show mmfilter

  • show mmpolicy

  • show mmsas

  • show qmfilter

  • show qmpolicy

  • show qmsas

  • show rule

  • show stats

add mmpolicy

Creates an IPsec Main Mode policy with the specified name and adds it to the security policy database (SPD).

Syntax

add mmpolicyname = PolicyNameqmpermm = Integer ] [ mmlifetime = Integer ] [ softsaexpirationtime = Integer ] [ mmsecmethods = "KeyExchMethods" ]

Parameters

  • ****name=PolicyName
    Required. Specifies the name of the IPsec policy to be created.
  • **[ **qmpermm=Integer ]
    Specifies the number of times that main mode keying material can be used to derive the session key. The default value is 0, meaning an unlimited number of Quick Mode SAs can be derived from the Main Mode SA.
  • **[ **mmlifetime=Integer ]
    Specifies the number of minutes after which a new main mode key is generated. If a new main mode key is generated sooner because of the qmpermm parameter, then this timer is reset and begins counting again. A value of 0 specifies that the main mode key is never regenerated because of time. The default value is 480 minutes.
  • **[ **softsaexpirationtime=Integer ]
    Specifies the number of minutes after which an unprotected security association (a soft SA) expires. A value of 0 specifies that soft SAs do not expire. The default value is 480 minutes.
  • [ mmsecmethods="KeyExchMethods" ]
    Specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:

    EncAlg-HashAlg-GroupNumb

    Where:

    • EncAlg
      Specifies the encryption algorithm. EncAlg can be DES or 3DES.
    • HashAlg
      Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.
    • GroupNum
      Specifies the Diffie-Hellman group to be used for the base keying material. GroupNumb can be: 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), and 3 (high, protects with 2048 bits).

Remarks

  • Do not create a Main Mode policy with the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec Main Mode policies (for example, delete mmpolicy all).

  • If the number of Quick Mode negotiations exceeds the value set for the number of Quick Mode negotiations per Main Mode negotiation (qmpermm) during the Main Mode lifetime, a new Main Mode negotiation occurs.

  • If you do not specify mmsecmethods (key exchange security methods), the default is a string equivalent to the following:

    "3DES-SHA1-2 3DES-SHA1-3"

  • We recommend that you do not use DES or MD5. These cryptographic algorithms are no longer considered secure, and are provided for backwards-compatibility only.

  • IPsec peers must have at least one common key exchange security method (one that uses the same settings) or negotiations will fail.

  • Unlike most netsh commands, both the add mmpolicy and the set mmpolicy commands require that the parameter name and equal sign be included before the value for each parameter that you use.

  • All string parameters are case-sensitive.

add qmpolicy

Creates an IPsec Quick Mode policy with the specified name and adds it to the SPD.

Syntax

**add qmpolicyname=**PolicyNamesoft = { yes | no } ] [ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ] [ qmsecmethods = "SecMethodsString" ]

Parameters

  • name= String
    Required. Specifies the name of the IPsec Quick Mode policy to be created.
  • [ soft={ yes| no}]
    Specifies whether to fall back to unsecured communications with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. The default value is no.
  • [ pfsgroup=grp1 | grp2 | grp3 | grpmm | nopfs } ]
    Specifies the Diffie-Hellman group to use for session key PFS. If grp1 is specified, Group 1 (low, with 768 bits of keying material) is used. If grp2 is specified, Group 2 (medium, with 1024 bits of keying material) is used. If grp3 is specified, Group 3 (high, with 2048 bits of keying material) is used. If grpmm is specified, the group value is taken from the current Main Mode settings. The default value is nopfs, meaning session key PFS is disabled.
  • [ qmsecmethods ="SecMethodsString" ]
    Specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:

    • ESP[EncAlg,AuthAlg]:numk/nums

    • AH[HashAlg]: numk/nums

    • AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

    Where:

    • EncAlg
      Specifies the encryption algorithm. ConfigAlg can be DES (Data Encryption Standard), 3DES, or none.
    • AuthAlg
      Specifies the integrity algorithm. AuthAlg can be MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm 1), or none.
    • HashAlg
      Specifies the hash function. HashAlg can be MD5 (Message Digest 5) or SHA1.
    • k
      Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.
    • s
      Specifies the session key lifetime in seconds. The default value is 3600 seconds.

Remarks

  • Do not create a Quick Mode policy with the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec Quick Mode policies (for example, delete qmpolicy all).

  • If you do not specify qmsecmethods, the default is a string equivalent to "ESP[3DES, SHA1]:100000k/3600s".

  • We recommend that you do not use DES or MD5. These cryptographic algorithms are no longer considered secure, and are provided for backwards-compatibility only.

  • EncAlg and AuthAlg cannot both be set to none.

  • IPsec peers must have the same pfsgroup enabled (that is, both peers must use the same Diffie-Hellman group for session key PFS), or communication will fail.

  • For enhanced security, do not use Diffie-Hellman Group 1. For maximum security, use Group 3 whenever possible. Use Group 2 when required for interoperability with Windows 2000 and Windows XP.

  • All string parameters are case-sensitive.

  • Unlike most netsh commands, both the add qmpolicy and the set qmpolicy commands require that the parameter name and equal sign be included before the value for each parameter that you use.

add rule

Creates an IPsec rule with the specified Main Mode policy and Quick Mode policy and adds it to the security policy database.

Syntax

add rulesrcaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ dstaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ mmpolicy = ] MMPolicyName [ [ qmpolicy = ] QMPolicyName ] [ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ] [ [ dstport = ] Integer ] [ [ mirrored = ] { yes | no } ] [ [ conntype = ]{ lan | dialup | all } ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ actionoutbound = ] { permit | block | negotiate } ] [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ tunneldstaddress = ]{ IPAddress | DNSName } ] [ [ kerberos = ]{ yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "CertNamecertmap:{ yes | no } excludecaname:{** yes** | no }"]

Parameters

  • [ srcaddr= ] { Me | Any | IPAddress | IPRange | dns | server }
    Required. Specifies the source IPv4 or IPv6 address, an IP address range, a DNS name, or a server type for the IP traffic. For ServerType you can use WINS, DNS, DHCP, or gateway.
  • [ dstaddr= ] { Me | Any | IPAddress | IPRange | dns | server }
    Required. Specifies the source IPv4 or IPv6 address, an IP address range, a DNS name, or a server type for the IP traffic. For ServerType you can use WINS, DNS, DHCP, or gateway.
  • [ mmpolicy= ] MMPolicyName
    Required. Specifies the name of the Main Mode policy.
  • [ [ qmpolicy= ] QMPolicyName ]
    Specifies the name of the Quick Mode policy. Required if actioninbound=negotiate or actionoutbound=negotiate are specified.
  • [ [ protocol= ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]
    Specifies the IP protocol if, in addition to address information, you want to filter a specific IP protocol. The default value is ANY, meaning all protocols are used for the filter.
  • [ [ srcport= ] Integer ]
    Specifies the source port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent from any port are filtered. The default is 0.
  • [ [ dstport= ] Integer ]
    Specifies the destination port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent to any port are filtered. The default is 0.
  • [ [ mirrored= ]{ yes | no } ]
    Specifies whether to create a mirrored filter. Use yes to create two filters based on the filter settings, one for traffic to the destination and one for traffic from the destination. The default value is yes.
  • [ [ conntype=] = ] { lan | dialup | all } ]
    Specifies whether the rule applies only to remote access/dial-up connections, to local area network (LAN) connections, or to all connections. The default value is all.
  • [ [ actioninbound= ] { permit | block | negotiate } ]
    Specifies the action that IPsec is required to take for inbound traffic. If permit is specified, traffic is received without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IPsec is used, with the list of security methods specified in the Main Mode and Quick Mode policies. The default value is negotiate.
  • [ [ actionoutbound= ] { permit | block | negotiate } ]
    Specifies the action that IPsec is required to take for outbound traffic. If permit is specified, traffic is sent without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the list of security methods specified in the Main Mode and Quick Mode policies. The default value is negotiate.
  • [ [ srcmask= ] { Mask | Prefix } ]
    Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
  • [ [ dstmask= ] { Mask | Prefix } ]
    Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
  • [ [ tunneldstaddress= ] { IPAddress | DNSName } ]
    Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel destination (the computer or gateway on the other side of the tunnel). The default is to not create a tunnel, but to use IPsec in Transport mode.
  • [ [ kerberos= ] { yes | no } ]
    Specifies whether to use the Kerberos V5 protocol as an authentication method.
  • [ [ psk= ] PreSharedKey ]
    Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.
  • [ [ rootca= ] "CertNamecertmap:{ yes** | no } excludecaname:{** yes** | no } "]**
    Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:

    • CertName
      Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.
    • certmap:{ yes | no }
      Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.
    • excludecaname:{ yes | no }
      Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.

Remarks

  • Do not create a rule with the name all. Doing this creates a conflict with the netsh ipsec option to select all IPsec rules (for example, delete rule all).

  • If the filter action for both inbound and outbound traffic (actioninbound and actionoutbound) are set to Permit or Block, a Quick Mode filter is not required. If either action is set to Negotiate, then a Quick Mode filter is required.

  • If a tunnel rule is specified, mirror should be set to no (by default, mirror is set to yes). For IPsec tunnels, you must create two rules--one rule describes the traffic to be sent through the tunnel (outbound traffic) and the other describes the traffic to be received through the tunnel (inbound). Next, create two rules that use the inbound and outbound filter lists in your policy.

  • To filter any packets sent from or to your local computer, you can use srcaddr=Me or dstaddr=Me.

  • To filter packets sent from or to any other computer, you can use srcaddr=Any or dstaddr=Any.

  • You can only use Kerberos V5 authentication or certificate-to-account mapping for computers that are members of an Active Directory domain.

  • Although you can use only one preshared key for authentication, you can use multiple certificates by specifying the rootca parameter multiple times, once for each certificate you want to use.

  • All certificate authentication parameters must be contained within a pair of quotation marks. To embed a quotation mark within the parameter, use a backslash followed by an apostrophe (\').

  • All string parameters are case-sensitive.

  • The preference order of each authentication method is determined by the order in which it was specified in the command.

  • If no authentication methods are specified, dynamic defaults are used. By default, IPsec policies use Kerberos V5 authentication. If the computer has a computer certificate, any root CA to which the computer certificate chains to is also used for authentication.

  • If excludecaname:yes is specified, the list of trusted root CAs is not sent as part of the certificate request, which prevents the potential disclosure of sensitive information about the trust relationships of a computer. To enhance security for computers connected to the Internet, specify this option.

  • The use of preshared key authentication is not recommended because it is a relatively weak authentication method. In addition, preshared keys are stored in plaintext.

  • IPsec peers must have at least one key exchange security method in common (one that uses the same settings) or negotiations will fail.

delete all

Deletes all IPsec policies, filters, and authentication methods, if possible, from the Security Policy Database (SPD).

Syntax

delete all

Parameters

None.

delete mmpolicy

Deletes the specified IPsec Main Mode policy, or all IPsec Main Mode policies, from the SPD.

Syntax

delete mmpolicyname = ]{ MMPolicyName | all }

Parameters

  • [ name= ] { MMPolicyName | all }
    Required. Specifies the name of the IPsec Main Mode policy to delete. Or, if all is specified, all IPsec Main Mode policies are deleted.

Remarks

  • If a rule is associated with the Main Mode policy, you must delete the rule before you can delete the policy.

  • All string parameters are case-sensitive.

delete qmpolicy

Deletes the specified IPsec Quick Mode policy, or all IPsec Quick Mode policies, from the SPD.

Syntax

delete qmpolicyname = ]{ QMPolicyName | all }

Parameters

  • [ name= ] { QMPolicyName | all }
    Required. Specifies the name of the IPsec Quick Mode policy to delete. Or, if all is specified, all IPsec Quick Mode policies are deleted.

Remarks

  • If a rule is associated with the Quick Mode policy, you must delete the rule before you can delete the policy.

  • All string parameters are case-sensitive.

delete rule

Deletes an IPsec rule from the security policy database.

Syntax

delete rulesrcaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ dstaddr = ]{ Me | Any | *IPAddress *| IPRange | ServerType } [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } [ srcport = ] Integerdstport = ] Integermirrored = ]{ yes | no } [ conntype = ]{ lan | dialup | all } [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ tunneldstaddress = ]{ IPAddress | DNSName } ]

Parameters

  • [ srcaddr= ] { Me | Any | IPAddress | IPRange | ServerType }
    Required. Specifies the source IP address, DNS name, or server type for the IP traffic. You can use WINS, DNS, DHCP, or gateway for ServerType.
  • [ dstaddr= ] { Me | Any | IPAddress | IPRange | ServerType }
    Required. Specifies the destination IP address, DNS name, or server type for the IP traffic. You can use WINS, DNS, DHCP, or gateway for ServerType.
  • [ protocol= ] { ANY | ICMP | TCP | UDP | RAW | Integer }
    Required. Specifies the IP protocol used for the filter.
  • [ srcport= ] Integer
    Required. Specifies the source port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.
  • [ dstport= ] Integer
    Required. Specifies the destination port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.
  • [ mirrored= ]{ yes | no }
    Required. Specifies whether the rule was created with mirrored filters.
  • [ conntype=] = ] { lan | dialup | all }
    Required. Specifies whether the rule to be deleted applies only to remote access/dial-up connections, to local area network (LAN) connections, or to all connections.
  • [ [ srcmask= ] { Mask | Prefix } ]
    Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
  • [ [ dstmask= ] { Mask | Prefix } ]
    Specifies the destination address subnet mask or the prefix value of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
  • [ [ tunneldstaddress= ] { IPAddress | DNSName } ]
    Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel destination (the computer or gateway on the other side of the tunnel).

delete sa

Deletes Main Mode security associations.

Syntax

delete sa [ [ srcaddr = ]{ IPv4Address } ] [ [ dstaddr = ]{ IPv4Address } ]

Parameters

  • [ [ srcaddr= ] { IPv4Address } ]
    Specifies the source IPv4 address to match against existing SAs.
  • [ [ dstaddr= ] { IPv4Address } ]
    Specifies the destination IPv4 address to match against existing SAs.

Remarks

  • If no parameters are supplied the command deletes all Main Mode associations. Any currently active network connections that require IPsec protection immediately renegotiate with the remote host.

set config

Creates or modifies the following IPsec settings: IPsec diagnostics, default traffic exemptions, strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer startup security, and computer startup traffic exemptions.

Syntax

set configproperty = ]{ *PropertyToSet *} [ value = ] ValueToAssign

Parameters

The property must be specified, and can be any of the options shown here:

  • IPsecdiagnostics0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 }

Note

This option is included only for backwards compatibility. It is not valid on Windows Vista or later versions of Windows.

Specifies whether to enable IPsec diagnostic logging and, if so, which level of logging to provide. The default value is **0**, meaning that logging is disabled. If you change the value for this setting, you must restart the computer for the new value to take effect.

You can specify other values as follows, to enable different levels of logging:

  - **1**: Bad SPI packets (the total number of packets for which the Security Parameters Index or SPI was incorrect), IKE negotiation failures, IPsec processing failures, packets received with packet syntax that is not valid, and other errors are recorded in the System log. Unauthenticated hashes (with the exception of the "Clear text received when should have been secured" event) are logged as well.  
      
  - **2**: Inbound per-packet drop events are recorded in the System log.  
      
  - **3**: Level 1 and level 2 logging are performed. In addition, unexpected clear text events (packets that are sent or received in plaintext) are also recorded.  
      
  - **4**: Outbound per-packet drop events are recorded in the System log.  
      
  - **5**: Level 1 and level 4 logging are performed.  
      
  - **6**: Level 2 and level 4 logging are performed.  
      
  - **7**: All levels of logging are performed.  
      
  • ikelogging0 | 1 }

Note

This option is included only for backwards compatibility. It is not valid on Windows Vista or later versions of Windows.

Specifies whether to enable IKE (Oakley) logging, to generate details about the SA establishment process. The default value is **0**, meaning that IKE logging is disabled.
  • strongcrlcheck0 | 1 | 2 }
    Specifies the level of CRL checking to use. The default value is 1.

    • 0: CRL checking is disabled.

    • 1: Standard CRL checking is used, and certificate validation fails only if the certificate is determined to be revoked.

    • 2: Strong CRL checking is used, and certificate validation fails if any CRL check error occurs.

  • IPsecloginterval {Integer}

Note

This option is included only for backwards compatibility. It is not valid on Windows Vista or later versions of Windows.

Specifies the interval, in seconds, after which IPsec event logs are sent to the System log. For *Integer*, valid values range from **60** through **86400**. The default value is **3600**. If you change the value for this setting, you must restart the computer for the new value to take effect.
  • IPsecexempt0 | 1 | 2 | 3 }
    Specifies whether to modify the default IPsec traffic exemption (traffic that is not matched against IPsec filters but is still permitted). The default value is 3. If you change the value for this setting, you must restart the computer for the new value to take effect.

    You can specify other values as follows:

    • 0: Multicast, broadcast, RSVP, Kerberos, and IKE traffic is exempted from IPsec filtering.

    • 1: Only multicast, broadcast, and IKE traffic is exempted from IPsec filtering (Kerberos and RSVP traffic is not exempted).

    • 2: Only RSVP, Kerberos, and IKE is exempted from IPsec filtering (multicast and broadcast traffic is not exempted).

    • 3: Only IKE traffic is exempted.

  • bootmodestateful | block | permit }

Note

This option is included only for backwards compatibility. It is not valid on Windows Vista or later versions of Windows.

Specifies the action that IPsec is required to take when the computer starts.

  - **stateful**: Only the following traffic is permitted during computer startup: outbound traffic initiated by the computer during startup, inbound traffic that is sent in response to the outbound traffic, and DHCP traffic.  
      
  - **block**: All inbound and outbound traffic is blocked until a local IPsec policy or a domain-based IPsec policy is applied.  
      
  - **permit**: All traffic is transmitted and received.  
      

The default value is **stateful**. If you use either of the values **stateful** or **block**, you can use the **bootexemptions** parameter to specify traffic types that you want to exempt from IPsec filtering during computer startup.

If you change the value for this setting, you must restart the computer for the new value to take effect.
  • bootexemptions { none | "Exempt1Exempt2 …" }

Note

This option is included only for backwards compatibility. It is not valid on Windows Vista or later versions of Windows.

Specifies one or more IPsec traffic exemptions from startup security, separated by spaces and defined by the following format for TCP and UDP traffic: *protocol*:*srcport*:*dstport*:*direction* and the following format for non-TCP/UDP traffic: *protocol:direction*, where:

  - ***protocol =*{ **ICMP**| **TCP**| **UDP**| **RAW**| *Integer* }**   
    Specifies the IP protocol type to exempt from IPsec filtering during computer startup.

<!-- end list -->

  - ***srcport = Port***  
    Specifies the source port number of the packets to exempt from IPsec filtering during computer startup. A value of 0 means that any source port is exempted.

<!-- end list -->

  - ***dstport = Port***  
    Specifies the destination port number of the packets to exempt from IPsec filtering during computer startup. A value of 0 means that any destination port is exempted.

<!-- end list -->

  - ***direction* **=**{ **inbound** | **outbound**}**   
    Specifies the direction of the traffic to exempt from IPsec filtering during computer startup.

Remarks

  • Use strong CRL checking (set property=strongcrlcheck value=2) if the CRL distribution point must be reachable on the network and certificates can only be validated if no CRL check error occurs.

  • IPsec can only negotiate security associations for Kerberos traffic if your IPsec policy does not use Kerberos as the authentication method. If Kerberos is required for authentication, you must exempt Kerberos traffic by using the IPsecexempt parameter.

  • By default, in Windows 2000, Windows XP, and Windows Server 2003, all broadcast, multicast, Internet Key Exchange (IKE), Kerberos, and Resource Reservation Protocol (RSVP) traffic was exempted from IPsec filtering. In Windows Vista and Windows Server 2008, only IKE traffic is exempted from IPsec filtering by default. All other traffic types are matched against IPsec filters, and you can configure block or permit filter actions specifically for multicast and broadcast traffic (IPsec does not negotiate security associations for multicast and broadcast traffic).

    As a result of this change in default behavior for IPsec, you should verify the behavior of IPsec policies designed for earlier versions of Windows to determine whether to configure explicit permit filters to permit specific traffic types. To restore the default behavior of IPsec policies in previous versions of Windows, edit the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec. Add a new DWORD value named NoDefaultExempt and assign to it a value of 0.

Warning

Modifying IPsec traffic exemptions from startup security (that is, modifying the bootexemptions= parameter) will overwrite all previous exemptions from startup security.

set mmpolicy

Modifies an IPsec Main Mode policy and writes the changes to the security policy database.

Syntax

set mmpolicy name = PolicyNameqmperm = Integer ] [ mmlifetime = Integer ] [ softsaexpirationtime = Integer ] [ mmsecmethods = "KeyExchMethods" ]

Parameters

  • ****name =PolicyName
    Required. Specifies the name of the IPsec Main Mode policy to modify.
  • **[ **qmperm =Integer ]
    Specifies the number of times that main mode keying material is used to derive the session key. A value of 0 means that an unlimited number of Quick Mode SAs can be derived from the Main Mode SA.
  • **[ **mmlifetime =Integer ]
    Specifies the number of minutes after which a new main mode key is generated.
  • **[ **softsaexpirationtime =Integer ]
    Specifies the number of minutes after which an unprotected security association expires.
  • [ mmsecmethods="KeyExchMethods" ]
    Specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:

    EncAlg-HashAlg-GroupNumb

    Where:

    • EncAlg
      Specifies the encryption algorithm. EncAlg can be DES or 3DES.
    • HashAlg
      Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.
    • GroupNum
      Specifies the Diffie-Hellman group to be used for the base keying material. GroupNumb can be: 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), and 3 (high, protects with 2048 bits).

Remarks

  • IPsec peers must have at least one common key exchange security method (one that uses the same settings) or negotiations will fail.

  • We recommend that you do not use DES or MD5. These cryptographic algorithms are no longer considered secure, and are provided for backwards-compatibility only.

  • If the number of Quick Mode negotiations will exceed the value set for the number of Quick Mode negotiations per Main Mode negotiation during the Main Mode lifetime, a new Main Mode negotiation occurs.

  • Unlike most netsh commands, both the add mmpolicy and the set mmpolicy commands require that the parameter name and equal sign be included before the value for each parameter that you use.

  • All string parameters are case-sensitive.

set qmpolicy

Modifies an IPsec Quick Mode policy and writes the changes to the SPD.

Syntax

set qmpolicyname = PolicyNamesoft = { yes | no } ] [ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ] [ qmsecmethods = "SecMethodsString" ]

Parameters

  • ****name =PolicyName
    Required. Specifies the name of the IPsec Quick Mode policy to modify.
  • [ soft =yes | no } ]
    Specifies whether to fall back to unsecured communications with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail.
  • [ pfsgroup =grp1 | grp2 | grp3 | grpmm | nopfs } ]
    Specifies the Diffie-Hellman group to use for session key PFS. If grp1 is specified, Group 1 (low, with 768 bits of keying material) is used. If grp2 is specified, Group 2 (medium, with 1024 bits of keying material) is used. If grp3 is specified, Group 3 (high, with 2048 bits of keying material) is used. If grpmm is specified, the group value is taken from the current Main Mode settings.
  • [ qmsecmethods ="SecMethodsString" ]
    Changes the string that specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:

    • ESP[EncAlg,AuthAlg]:numk/nums

    • AH[HashAlg]: numk/nums

    • AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

    Where:

    • EncAlg
      Specifies the encryption algorithm. ConfigAlg can be DES, 3DES, or none.
    • AuthAlg
      Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.
    • HashAlg
      Specifies the hash function. HashAlg can be MD5 or SHA1.
    • k
      Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.
    • s
      Specifies the session key lifetime in seconds. The default value is 3600 seconds.

Remarks

  • The preference order of each Quick Mode security method is determined by the order in which it was specified in the command.

  • IPsec peers must have the same pfsgroup enabled (that is, both peers must use the same Diffie-Hellman group for session key PFS), or communication will fail.

  • We recommend that you do not use DES or MD5. These cryptographic algorithms are no longer considered secure, and are provided for backwards-compatibility only.

  • For enhanced security, do not use Diffie-Hellman Group 1. For maximum security, use Group 3 whenever possible. Use Group 2 when required for interoperability with earlier versions of Windows.

  • Unlike most netsh commands, both the add qmpolicy and the set qmpolicy commands require that the parameter name and equal sign be included before the value for each parameter that you use.

  • All string parameters are case-sensitive.

set rule

Modifies an IPsec rule that defines a set of filters and writes the changes to the SPD.

Syntax

set rulesrcaddr = ]{ me | any | IPAddr | IPAddr-*IPAddr *| *ServerType } [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr *| *ServerType *} [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } [ srcport = ] Integerdstport = ] Integermirrored = ]{ yes | no } [ conntype = ]{ lan | dialup | all } [ [ srcmask = ]{ Mask Prefix } ] [ [ dstmask = ]{ Mask Prefix } ] [ [ tunneldstaddress = ] { IPAddress | DNSName } ] [ [ mmpolicy = ] MainModePolicyName ] [ [ qmpolicy = ] QuickModePolicyName ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ kerberos = ]{ yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "Stringcertmap:{ yes | no } excludecaname:{ yes | no }" ]

Parameters

  • [ srcaddr= ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}
    Required. Specifies the source IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.
  • [ dstaddr= ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}
    Required. Specifies the destination IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.
  • [ protocol= ] { ANY | ICMP | TCP | UDP | RAW | Integer }
    Specifies the IP protocol if, in addition to addressing information, a specific IP protocol is filtered. A value of ANY matches filters with a protocol setting of any.
  • [ srcport= ] Integer
    Required. Specifies the source port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.
  • [ dstport= ] Integer
    Required. Specifies the destination port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.
  • [ mirrored= ] { yes | no }
    Required. Specifies whether the rule was created with mirrored filters.
  • [ conntype = ] { lan | dialup | all }
    Required. Specifies whether the rule applies only to remote access or dial-up connections or to local area network (LAN) connections, or to all connections.
  • [ [ srcmask= ] {Mask|Prefix} ]
    Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
  • [ [ dstmask= ] {Mask|Prefix} ]
    Specifies the destination address subnet mask or the prefix value of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
  • [ [ tunneldstaddress= ] { IPAddress | DNSName } ]
    Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel destination (the computer or gateway on the other side of the tunnel).
  • [ [ mmpolicy = ] MainModePolicyName ]
    Specifies the name of the Main Mode policy.
  • [ [ qmpolicy = ] QuickModePolicyName ]
    Specifies the name of the Quick Mode policy.
  • [ [ actioninbound = ] { permit | block | negotiate } ]
    Specifies the action that IPsec is required to take for inbound traffic. If permit is specified, traffic is received without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the list of security methods specified in the Main Mode and Quick Mode policies.
  • [ [ actioninbound = ] { permit | block | negotiate } ]
    Specifies the action that IPsec is required to take for outbound traffic. If permit is specified, traffic is sent without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the list of security methods specified in the Main Mode and Quick Mode policies.
  • [ [ kerberos= ]{ yes | no } ]
    Specifies whether to use the Kerberos V5 protocol as an authentication method.
  • [ [ psk= ] PreSharedKey ]
    Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.
  • [ [ rootca= ] "Stringcertmap:{ yes** | no } excludecaname:{** yes** | no } " ]**
    Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:

    • String
      Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.
    • ****certmap:yes | no }
      Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.
    • ****excludecaname:yes | no }
      Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.

Remarks

  • All parameters identified as required are used to identify the rule that you want to modify, and therefore they cannot be modified. You can modify any of the other parameters, and you must include at least one of the optional parameters to change.

  • If the filter action for both inbound and outbound traffic (actioninbound and actionoutbound) is set to Permit or Block, a Quick Mode filter is not required.

  • You can only use Kerberos V5 authentication or certificate-to-account mapping for computers that are members of an Active Directory domain.

  • Although you can use only one preshared key for authentication, you can use multiple certificates by specifying the rootca parameter multiple times, once for each certificate you want to use.

  • All certificate authentication parameters must be contained within a pair of quotation marks. To embed a quotation mark within the parameter, use a backslash followed by an apostrophe (\').

  • The preference order of each authentication method is determined by the order in which it was specified in the command.

  • If no authentication methods are specified, dynamic defaults are used. By default, IPsec policies use Kerberos V5 authentication. If the computer has a computer certificate, any root CA to which the computer certificate chains is also used for authentication.

  • If excludecaname:yes is specified, the list of trusted root CAs is not sent as part of the certificate request, which prevents the potential disclosure of sensitive information about the trust relationships of a computer. To enhance security for computers connected to the Internet, specify this option.

  • The use of preshared key authentication is not recommended because it is a relatively weak authentication method. In addition, preshared keys are stored in plaintext.

  • IPsec peers must have at least one key exchange security method in common (one that uses the same settings) or negotiations will fail.

  • Modifying authentication methods will overwrite all previous authentication methods, even if the previous authentication methods were different. For example, if kerberos=yes and a value for psk were previously specified, and then you specify kerberos=no, the psk parameter will also be overwritten, and preshared key authentication will no longer be used.

  • All string parameters are case-sensitive.

show all

Displays configuration information for all IPsec policies, filters, statistics, and security associations in the security policy database.

Syntax

show all [ [ resolvedns = ]{ yes | no } ]

Parameters

  • [ [ resolvedns = ] { yes | no } ]
    Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name associated with an IP address when displaying sources or destinations.

Remarks

  • Because the show all command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    To save output in a text file for the show all command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec dynamic show all

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      **netsh ipsec dynamic show all >**FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show config

Displays values for the following IPsec settings: IPsec diagnostics, default traffic exemptions, strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer startup security, and computer startup traffic exemptions.

Syntax

show config

Parameters

None.

Remarks

  • To save output in a text file for the show config command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec dynamic show config

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      **netsh ipsec dynamic show config >**FileName.txt

show mmfilter

Displays configuration information for the specified IPsec Main Mode filter, or for all IPsec Main Mode filters, in the SPD.

Syntax

show mmfilter { [ name = ] FilterName | all } [ [ type = ]{ generic | specific } ] [ [ srcaddr = ]{ me | anyIPAddr | IPAddr-*IPAddr *| *ServerType } ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr *| *ServerType *} ] [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ resolvedns = { yes | no } ]

Parameters

  • { [ name = ] FilterName | all }
    Required. Specifies the name of the IPsec Main Mode filter to display. If all is specified, all IPsec Main Mode filters are displayed.
  • [ [ type = ] { generic| specific} ]
    Specifies whether to display generic or specific Main Mode filters. The default value is generic.
  • [ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]
    Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.
  • [ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]
    Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.
  • [ [ srcmask = ] { Mask | Prefix } ]
    Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
  • [ [ dstmask = ] { Mask | Prefix } ]
    Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
  • [ resolvedns={ yes | no}]
    Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.

Remarks

  • All string parameters are case-sensitive.

  • Because the show mmfilter command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    To save output in a text file for the show mmfilter command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec dynamic show mmfilterparameters

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      IPsec dynamic show mmfilter parameters >= FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show mmpolicy

Displays configuration information for the specified IPsec Main Mode policy, or for all IPsec Main Mode policies, in the SPD.

Syntax

show mmpolicy { [ name = ] PolicyName | all }

Parameters

  • { [ name = ] PolicyName | all }
    Required. Specifies the name of the IPsec Main Mode policy to display. Or, if all is specified, all IPsec Main Mode policies are displayed.

Remarks

  • All string parameters are case-sensitive.

  • Because the show mmpolicy command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    For example, to save output in a text file for the show mmpolicy all command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec dynamic show mmpolicy all

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      IPsec dynamic show mmpolicy all > FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show mmsas

Displays the IPsec Main Mode security associations for the specified source and destination addresses, or all IPsec Main Mode security associations, in the SPD.

Syntax

show mmsa [ **all **] [ [ srcaddr = ]{ me | any | IPAddr | IPAddr-*IPAddr *| *ServerType } ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr *| *ServerType *} ] [ [ format = ]{ list | table } ] [ [ resolvedns = ]{ **yes **| no} ]

Parameters

  • [ all ]
    Specifies that all Main Mode security associations are displayed. This is the default option if no other parameters are specified.
  • [ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]
    Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.
  • [ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]
    Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.
  • [ [ format= ] { list | table } ]
    Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
  • [ [ resolvedns={ yes | no} ] ]
    Specifies whether to resolve the DNS or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.

Remarks

  • If no parameters are specified, all Main Mode security associations are displayed in list format.

  • All string parameters are case-sensitive.

  • Because the show mmsas command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    To save output in a text file for the show mmsas command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec dynamic show mmsas

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      **netsh ipsec dynamic show mmsas >**FileName.txt

  • To stop the output of IPsec configuration information, you must exit netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show qmfilter

Displays configuration information for the specified Quick Mode filter, or for all Quick Mode filters, in the SPD.

Syntax

show qmfilter { [ name = ] FilterName | all } [ [ type = ]{ generic | specific } ] [ [ srcaddr = ]{ me | any | IPAddr | IPAddr-*IPAddr *| *ServerType } ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr *| *ServerType *} ] [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ] [ [ dstport = ] Integer ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ actionoutbound = ]{ permit | block | negotiate } ] [ [ resolvedns={ **yes **| no} ] ]

Parameters

  • { [ name= ] FilterName | all }
    Required. Specifies the name of the IPsec Quick Mode filter to display. If all is specified then all IPsec Quick Mode filters are displayed.
  • [ [ type = ] { generic | specific } ]
    Specifies whether to display generic or specific Quick Mode filters. The default value is generic.
  • [ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]
    Specifies that only filters matching the specified source IP address, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
  • [ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]
    Specifies that only filters matching the destination IP address, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
  • [ [ srcmask = ] { Mask | Prefix } ]
    Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 1 through 32.
  • [ [ dstmask = ] { Mask | Prefix } ]
    Specifies the destination address subnet mask or the prefix value of the packets being filtered. You can specify a prefix value in the range of 1 through 32.
  • [ [ protocol= ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]
    Specifies that only filters that match the IP protocol are displayed.
  • [ [ srcport= ] Integer ]
    Specifies that only filters that match the source port number are displayed.
  • [ [ dstport= ] Integer ]
    Specifies that only filters that match the destination port number are displayed.
  • [ [ actioninbound= ] { permit | block | negotiate } ]
    Specifies that only filters matching the action are displayed.
  • [ [ actionoutbound= ] { permit | block | negotiate } ]
    Specifies that only filters matching the action are displayed.

Remarks

  • All string parameters are case-sensitive.

  • Because the show qmfilter command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    For example, to save output in a text file for the show qmfilter all command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec dynamic show qmfilter all

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      netsh ipsec dynamic show qmfilter all >FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show qmpolicy

Displays configuration information for the specified IPsec Quick Mode policy, or for all IPsec Quick Mode policies, in the SPD.

Syntax

show qmpolicy { [ name = ] FilterName | all }

Parameters

  • { [ name= ] FilterName | all }
    Required. Specifies the name of the IPsec Quick Mode policy to display. If all is specified then all IPsec Quick Mode policies are displayed.

Remarks

  • All string parameters are case-sensitive.

  • Because the show qmpolicy command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    For example, to save output in a text file for the show qmpolicy all command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec dynamic show qmpolicy all

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      netsh ipsec dynamic show qmpolicy all >FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show qmsas

Displays the IPsec Quick Mode security associations for the specified source and destination addresses, or all IPsec Quick Mode security associations, in the SPD.

Syntax

show qmsas [ **all **] [ [ srcaddr = ] { me | any | IPAddr | IPAddr-*IPAddr ServerType} ] [ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr *| ServerType} ] [ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ format = ] { list | table } ] [ [ resolvedns={ **yes **| no} ] ]

Parameters

  • [ all]
    Specifies that all IPsec Quick Mode security associations are displayed. This is the default option if no other parameters are specified.
  • [ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType} ]
    Specifies that only SAs that match the source IPv4 or IPv6 address, address range, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
  • [ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType} ]
    Specifies that only SAs that match the destination IPv4 or IPv6 address, address range, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
  • [ [ protocol= ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]
    Specifies that only SAs that match the IP protocol if, in addition to addressing information, a specific IP protocol is being used for the security association.
  • [ [ format= ] { list | table } ]
    Specifies whether to display the results in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
  • [ [ resolvedns={ yes | no} ] ]
    Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.

Remarks

  • Because the show qmsas command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    For example, to save output in a text file for the show qmsas all command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec dynamic show qmsas all

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      **netsh ipsec dynamic show qmsas all >**FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show rule

Displays configuration information for one or more IPsec rules in the SPD.

Syntax

show rule [ [ **type = **]{ transport | tunnel } ] [ [ srcaddr = ]{ me | any | IPAddr | IPAddr-*IPAddr |ServerType} ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr *|ServerType} ] [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ] { Mask | Prefix } ] [ [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ] [ [ dstport = ] Integer ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ actionoutbound = ]{ permit | block | negotiate } ] [ [ resolvedns = ]{ **yes **| no} ]

Parameters

  • [ [ type = ] { transport | tunnel } ]
    Specifies whether to display transport rules or tunnel rules. The default value is to display all rules.
  • [ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]
    Specifies that only rules matching the source IP address, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
  • [ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]
    Specifies that only rules matching the destination IP address, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
  • [ [ srcmask = ] { Mask | Prefix } ]
    Specifies that only rules matching the source address subnet mask or the prefix of the packets are displayed. You can specify a prefix value in the range of 1 through 32.
  • [ [ dstmask = ] { Mask | Prefix } ]
    Specifies that only rules matching the source address subnet mask or the prefix of the packets are displayed. You can specify a prefix value in the range of 1 through 32.
  • [ [ protocol= ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]
    Specifies that only filters that match the IP protocol are displayed.
  • [ [ srcport= ] Integer ]
    Specifies that only filters that match the source port number are displayed.
  • [ [ dstport= ] Integer ]
    Specifies that only filters that match the destination port number are displayed.
  • [ [ actioninbound= ] { permit | block | negotiate } ]
    Specifies that only filters matching the action are displayed.
  • [ [ actionoutbound= ] { permit | block | negotiate } ]
    Specifies that only filters matching the action are displayed.
  • [ resolvedns={ yes | no}]
    Specifies whether to resolve the DNS or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.

Remarks

  • All string parameters are case-sensitive.

  • Because the show rule command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    For example, to save output in a text file for the show rule command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec dynamic show rule

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      **netsh ipsec dynamic show rule >**FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.

show stats

Displays Main Mode and Quick Mode statistics for IPsec.

Note

This command is included for backwards compatibility with earlier versions of Windows. Most of the statistics are only relevant on computers running those earlier versions of Windows.

Syntax

show stats [ [**type = **]{ all | ike | ipsec } ]

Parameters

  • [ [type=] { all | ike | ipsec } ]
    Specifies the IPsec statistics to display. If all is specified, IPsec Main Mode and Quick Mode statistics are displayed. If ike is specified, only IPsec Main Mode statistics are displayed. If ipsec is specified, only IPsec Quick Mode statistics are displayed.

Remarks

  • Because the show stats command can result in lengthy, rapidly scrolling output, consider saving the output in a text file, unless you only need to view limited portions.

    For example, to save output in a text file for the show stats command, do either of the following:

    If you are in the netsh environment (netsh>)

    1. At the netsh prompt, type:

      set file open FileName.txt

    2. Then type:

      IPsec dynamic show stats

    3. To stop sending output and close the file, type:

      set file close

    If you are not in the netsh environment

    • At the command prompt, type:

      **netsh ipsec dynamic show stats >**FileName.txt

  • To stop the output of IPsec configuration information, you must exit Netsh by doing one of the following:

    • Close the Netsh window by clicking the X icon in the upper-right corner of the window.

    • Use Task Manager to end the Netsh program.