Vista + Ipsec - how to script like ipseccmd.exe in XP - Network



Thread: Vista + Ipsec - how to script like ipseccmd.exe in XP

  1. Vista + Ipsec - how to script like ipseccmd.exe in XP

    Hi,

    I currently have XP SP2 laptops which connect to a host firewall via an ipsec
    vpn tunnel. As the laptops are constantly changing their public ip address I
    use a little scripting to remove existing ipsec policies and re-setup using
    whatever the current public ip address is. Essentially it goes as follows:
    Get current public IP - remove existing policy by name, read config file to
    get target ip and private network, add new ipsec policy by name, activate
    the policy. This is all done using the "ipseccmd.exe" command line tool from
    the XP support tools. Easy and just requires the end user to double-click on
    the script after connecting to the internet.

    Now, one of the user's laptops suffered a fatal accident and was replaced
    with a new one running Vista and my utility no longer works as Vista does not
    have an equivalent command line tool such as "ipseccmd.exe". After a lot of
    Google and Technet it seems that "ipseccmd.exe" does not exist in Vista and
    maybe "netsh" is the way to go. I can't find a command reference for "netsh"
    on Vista to see if I can map the old ipseccmd format to the new netsh
    format.

    Am I mistaken? Is there an ipseccmd.exe command line tool for Vista?
    Is there a command reference for "netsh" in Vista?
    Can Ipsec policies be scripted using netsh in Vista?
    Is this even the right newsgroup for this post?

    This is a big pain and is a time-waster for me. I spent enough time getting
    the scripting working previously on XP and don't see why this has to be
    sacrificed on the Vista altar. I am looking at just sending the laptop back
    to the vendor and getting one with XP instead.

    PGC



  2. Re: Vista + Ipsec - how to script like ipseccmd.exe in XP

    Correct, ipseccmd does not exist on Vista.
    Vista has two in-box netsh contexts:

    ipsec -- this context is most equivalent to policy creation on XP. This
    context was first introduced in WS03.

    advfirewall -- this context was introduced in Vista to map to the
    Windows Firewall with Advanced Security snap-in.

    Documentation for these commands is available through the /? option for
    each command as well as on support.microsoft.com.

    --
    David
    Microsoft Windows Networking
    This posting is provided "AS IS" with no warranties, and confers no rights.


    "PGC" wrote in message
    news:uvVd$UzCIHA.4476@TK2MSFTNGP06.phx.gbl...




  3. Re: Vista + Ipsec - how to script like ipseccmd.exe in XP

    Thanks for the input David. I've now spent about 5 hours trying to translate
    my old ipseccmd command into its netsh equivalent with little success.
    Perhaps you can help?

    Given the following ...
    Local NIC IP = 192.168.1.2/24
    G/W = 192.168.1.254

    Remote Public IP = 88.88.88.88
    Remote LAN = 10.1.11.0/24

    Remote VPN is handled by FreeSwan and uses 3DES and MD5 with a preshared key
    = "letmein" (note this works fine on XP)

    For the above I would issue a series of ipseccmds as follows:

    First
    ipseccmd -w REG -p FreeSWan -r Me-Office -t 88.88.88.88 -f
    192.168.1.2/255.255.255.0=10.1.11.0/255.255.255.0 -n
    ESP[MD5,3DES]3600S/50000KPFS -a PRESHARE:"letmein" -lan -1p

    Second
    ipseccmd -w REG -p FreeSwan -r Office-Me -t 192.168.1.2 -f
    10.1.11.0/255.255.255.0=192.168.1.2/255.255.255.255 -n
    ESP[MD5,3DES]3600S/50000KPFS -a PRESHARE:"letmein" -lan -1p

    Third
    ipseccmd -w REG -p FreeSwan -x

    ping 10.1.11.1
    Negotiating .....
    Reply .....

    All works!!

    Now in attempting to translate my neat ipseccmd commands to netsh for Vista
    I have so far ended up with 9 different netsh commands;
    in summary:

    netsh ipsec static set store location=local
    netsh ipsec static add policy FreeSwan mmpfs=yes mmlifetime=60 assign=yes
    mmsecmethods="3DES-MD5-2"
    netsh ipsec static add filter filterlist="Me-Office" srcaddr=192.168.1.2
    dstaddr=10.1.11.0 protocol=any srcmask=32 dstmask=24
    netsh ipsec static add filter filterlist="Office-Me" srcaddr=10.1.11.0
    dstaddr=192.168.1.2 protocol=any srcmask=24 dstmask=32
    netsh ipsec static add filteraction name="FreeSwanQM" qmpfs=yes
    action=permit qmsecmethods=ESP[3DES,MD5]:50000k/3600s
    netsh ipsec static add rule name="FreeSwanOut" policy="FreeSwan"
    filterlist=Me-Office filteraction=FreeSwanQM tunnel=88.88.88.88 conntype=lan
    kerberos=no psk="letmein"
    netsh ipsec static add rule name="FreeSwanIn" policy="FreeSwan"
    filterlist=Office-Me filteraction=FreeSwanQM tunnel=192.168.1.2 conntype=lan
    kerberos=no psk="letmein"
    netsh advfirewall firewall add rule name=FreeSwanIn action=allow enable=yes
    profile=any localip=any remoteip=88.88.88.88 localport=any protocol=any
    interfacetype=lan security=authenticate dir=in
    netsh advfirewall firewall add rule name=FreeSwanOut action=allow enable=yes
    profile=any localip=any remoteip=88.88.88.88 localport=any protocol=any
    interfacetype=lan security=authenticate dir=out

    Needless to say this doesn't work. Unfortunately I don't know why. Would
    anyone be able to translate my above ipseccmd commands into the verbose
    equivalent for netsh?

    Thanks,

    PGC

    "David Beder [MSFT]" wrote in message
    news:eJyRzg%23CIHA.5976@TK2MSFTNGP02.phx.gbl...




  4. Re: Vista + Ipsec - how to script like ipseccmd.exe in XP

    Unfortunately, I'm a few years rusty on this so I'm going to need more time
    to mull things over.
    But, here are some items that pop out at me. Hopefully they can lead you
    down the right road faster.

    1) I see a lot of policy being created but I don't see the command that
    applied the policy

    2) The first line is irrelevant as the default store is local. Since each
    netsh command is being run on its own, you will lose any state defined by an
    earlier command and revert to the default. Since you're using the default
    anyway, you're good to go. If you'd wanted this to be in a different store,
    it wouldn't work. You'd instead want to create a netsh script that contains
    ipsec commands, then have it run using some of the netsh command line flags
    (e.g. -f, -c, -r).

    --
    David
    Microsoft Windows Networking
    This posting is provided "AS IS" with no warranties, and confers no rights.


    "PGC" wrote in message
    news:eFLceiMDIHA.6012@TK2MSFTNGP03.phx.gbl...
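    The procedure PGC describes in the first post (read the target and remote
    LAN from a config file, take the current local address, remove the old
    policy by name, re-create it, activate it) combined with David's advice to
    put the ipsec commands in one netsh script and run it with -f, as an added
    example that is not code from the thread. It is a Python generator that
    emits the script lines; the netsh ipsec static commands are the ones from
    PGC's translation with name= arguments added, plus delete lines for the
    tear-down step and explicit add filterlist lines, which I am assuming are
    needed before add filter. The config file format, the helper names and the
    assumption that netsh -f continues past a failed delete on the first run
    are mine, not from the thread. One deliberate difference from the posted
    commands: the filter action uses action=negotiate, because action=permit
    lets matching traffic pass without IPsec rather than requiring it.

```python
"""Build a netsh script (for `netsh -f <file>`) that tears down and re-creates
the FreeS/WAN tunnel policy for whatever address this laptop has right now."""
import ipaddress
import socket

# Constructed sample config; the addresses and "letmein" are the thread's own
# example values, not real secrets.  A `#` starts a comment, so keep it out of
# the PSK.
SAMPLE_CONFIG = """
# FreeS/WAN tunnel settings
policy = FreeSwan
remote_public_ip = 88.88.88.88
remote_lan = 10.1.11.0/24
psk = "letmein"
"""


def parse_config(text):
    """Parse simple `key = value` lines into a dict and validate the addresses."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"bad config line: {raw!r}")
        cfg[key.strip().lower()] = value.strip().strip('"')
    for required in ("remote_public_ip", "remote_lan", "psk"):
        if required not in cfg:
            raise ValueError(f"missing config key: {required}")
    cfg.setdefault("policy", "FreeSwan")
    # Reject garbage before it is ever pasted into a command line.
    ipaddress.ip_address(cfg["remote_public_ip"])
    ipaddress.ip_network(cfg["remote_lan"], strict=True)
    return cfg


def detect_local_ip(remote_ip):
    """Best-effort local address: "connecting" a UDP socket towards the remote
    gateway selects the outbound interface without sending any packet."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((remote_ip, 500))  # port is irrelevant, 500 = IKE
        return s.getsockname()[0]
    finally:
        s.close()


def build_netsh_script(local_ip, cfg):
    """Return the netsh lines (without the leading `netsh`) for `netsh -f`."""
    ipaddress.ip_address(local_ip)
    policy, remote, psk = cfg["policy"], cfg["remote_public_ip"], cfg["psk"]
    lan = ipaddress.ip_network(cfg["remote_lan"])
    if '"' in psk or "\n" in psk:
        raise ValueError("PSK must not contain quotes or newlines")
    out_list, in_list, action = "Me-Office", "Office-Me", f"{policy}QM"
    return [
        # 1. Remove what the previous run left behind: the policy by name, then
        #    the filter lists and filter action it referenced.  On a first run
        #    these deletes fail; assumed harmless under netsh -f (verify).
        f'ipsec static delete policy name="{policy}"',
        f'ipsec static delete filterlist name="{out_list}"',
        f'ipsec static delete filterlist name="{in_list}"',
        f'ipsec static delete filteraction name="{action}"',
        # 2. Main mode as in the thread: 3DES/MD5, DH group 2, PFS, 60 min.
        f'ipsec static add policy name="{policy}" mmpfs=yes mmlifetime=60 '
        f'mmsecmethods="3DES-MD5-2"',
        # 3. Filters: this host (/32) <-> remote LAN, one list per direction.
        f'ipsec static add filterlist name="{out_list}"',
        f'ipsec static add filter filterlist="{out_list}" srcaddr={local_ip} srcmask=32 '
        f'dstaddr={lan.network_address} dstmask={lan.prefixlen} protocol=any',
        f'ipsec static add filterlist name="{in_list}"',
        f'ipsec static add filter filterlist="{in_list}" srcaddr={lan.network_address} '
        f'srcmask={lan.prefixlen} dstaddr={local_ip} dstmask=32 protocol=any',
        # 4. Quick mode: negotiate ESP[3DES,MD5].  "permit" would let the
        #    traffic through unprotected instead of requiring IPsec.
        f'ipsec static add filteraction name="{action}" action=negotiate qmpfs=yes '
        f'qmsecmethods="ESP[3DES,MD5]:50000k/3600s"',
        # 5. Tunnel rules: outbound endpoint is the remote gateway, inbound
        #    endpoint is this host's current address (the value that changes).
        f'ipsec static add rule name="{policy}Out" policy="{policy}" filterlist="{out_list}" '
        f'filteraction="{action}" tunnel={remote} conntype=lan kerberos=no psk="{psk}"',
        f'ipsec static add rule name="{policy}In" policy="{policy}" filterlist="{in_list}" '
        f'filteraction="{action}" tunnel={local_ip} conntype=lan kerberos=no psk="{psk}"',
        # 6. Assign last, so a half-built policy is never the active one.
        f'ipsec static set policy name="{policy}" assign=yes',
    ]


def write_script(path, lines):
    """Write the script with CRLF endings.  It contains the PSK: keep the file
    where only the admin account can read it."""
    with open(path, "w", newline="\r\n") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    script = build_netsh_script(detect_local_ip(config["remote_public_ip"]), config)
    print("\n".join(script))  # write_script("freeswan.netsh", script); netsh -f freeswan.netsh
```

    Running the whole sequence through `netsh -f` is what makes a non-default
    store setting stick, and it keeps the delete/add/assign ordering in one
    place; the advfirewall allow rules from the thread are unchanged and can be
    appended as `advfirewall firewall add rule ...` lines in the same file.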



