Using Netsh Scripts to Assign IPSec Policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In Windows Server 2003, the Netsh IPSec tool provides a scriptable command-line method of building an IPSec policy. This is useful in cases such as when a computer is not a domain member or is running an older version of Windows. Netsh IPSec can create a persistent policy or a local policy, both of which are stored in the local computer registry, or it can create a policy that is stored in Active Directory.

The IPSec context of the Netsh tool can also dynamically insert new IPSec rules into the run-time system. This "dynamic mode" IPSec policy is part of the run-time state and is not stored; therefore, it is lost when the IPSec service is stopped either administratively or during a restart.
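The following script, added here as an illustration and not part of the Microsoft documentation, builds and assigns a local-store policy of the kind described above: it blocks inbound Telnet (TCP port 23) on the local computer. The policy, filter list, and filter action names are chosen for the example; the store switch (`set store location=`) only takes effect for the commands that follow it in the same Netsh session, which is why the commands are fed to a single `netsh -f` run rather than invoked one by one.

```batch
@echo off
rem Assumed example names; rename as needed. Must run as a local administrator.
rem The commands are written to a script file and executed in one Netsh session
rem so that "set store" applies to every command that follows it.
set SCRIPT=%TEMP%\ipsec-block-telnet.nsh

(
echo pushd ipsec static
rem "local" writes the policy to the local computer registry store.
rem Use "location=persistent" for a persistent policy, or "location=domain"
rem to write to Active Directory instead.
echo set store location=local
echo add policy name="Block Telnet" description="Example: block inbound Telnet"
echo add filterlist name="Inbound Telnet"
rem mirrored=yes also matches the reply traffic for the same connection.
echo add filter filterlist="Inbound Telnet" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=23 mirrored=yes
echo add filteraction name="Block" action=block
echo add rule name="Block inbound Telnet" policy="Block Telnet" filterlist="Inbound Telnet" filteraction="Block"
rem Assigning makes the policy active; only one policy per store can be assigned.
echo set policy name="Block Telnet" assign=y
rem Verify what was written before trusting it.
echo show policy name="Block Telnet" level=verbose
echo popd
) > "%SCRIPT%"

netsh -f "%SCRIPT%"
del "%SCRIPT%"
```

To back the change out, run `netsh ipsec static set policy name="Block Telnet" assign=n` followed by `netsh ipsec static delete policy name="Block Telnet"`; a dynamic-mode rule, by contrast, needs no cleanup because it disappears when the IPSec service stops.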

The IPSec internal infrastructure components were significantly modified for Windows Server 2003, so the Netdiag.exe, IPSecpol.exe, and IPSeccmd.exe tools from earlier Windows releases cannot run properly on it. You do not need to import policies created by these tools during an upgrade; policies in place before an upgrade to Windows Server 2003 continue to function after the upgrade has been completed. In all cases, the user or process that sets the IPSec policy must be running as a local or domain administrator.

For more information about importing IPSec policies, see "Creating, modifying, and assigning IPSec policies" in Help and Support Center for Windows Server 2003.

Windows 2000, Windows XP, and Windows Server 2003 do not have published programmatic APIs in the Microsoft Windows Platform Software Development Kit for IPSec policy. Command-line scripting using the Netsh IPSec tool is the only method of managing policy in an automated fashion.