Windows 11 netsh ipsec command

Microsoft Windows [Version 10.0.22621.2428]
(c) Microsoft Corporation. C:\Windows>netsh ipsec ? The following commands are available: Commands in this context: ? - Displays a list of commands. dump - Displays a configuration script. dynamic - Changes to the `netsh ipsec dynamic' context. help - Displays a list of commands. static - Changes to the `netsh ipsec static' context. The following sub-contexts are available: dynamic static To view help for a command, type the command, followed by a space, and then type ?.

Displays a configuration script.

netsh ipsec dump


C:\Windows>netsh ipsec dump ?

Usage: dump

Remarks: 
    Creates a script that contains the current configuration.  If saved to a
    file, this script can be used to restore altered configuration settings.

Changes to the `netsh ipsec dynamic' context.

netsh ipsec dynamic


C:\Windows>netsh ipsec dynamic ?

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
add            - Adds policy, filter, and actions to SPD.
delete         - Deletes policy, filter, and actions from SPD.
dump           - Displays a configuration script.
help           - Displays a list of commands.
set            - Modifies policy, filter, and actions in SPD.
show           - Displays policy, filter, and actions from SPD.

To view help for a command, type the command, followed by a space, and then
 type ?.

Adds policy, filter, and actions to SPD.

netsh ipsec dynamic add


C:\Windows>netsh ipsec dynamic add ?

The following commands are available:

Commands in this context:
add mmpolicy   - Adds a main mode policy to SPD.
add qmpolicy   - Adds a quick mode policy to SPD.
add rule       - Adds a rule and associated filters to SPD.

Adds a main mode policy to SPD.

netsh ipsec dynamic add mmpolicy


C:\Windows>netsh ipsec dynamic add mmpolicy ?

Usage: 
  mmpolicy [ name = ] <string>
           [ [ qmpermm = ] <integer>  ]
           [ [ mmlifetime = ] <integer> ]
           [ [ softsaexpirationtime  = ] <integer> ]
           [ [ mmsecmethods = ] (sec#1 sec#2 ... sec#n) ]

  Adds a main mode policy to SPD.

Parameters: 

  Tag                     Value
  name                   -Name of the main mode policy.
  qmpermm                -Number of quick mode sessions per main mode session
                          of IKE.
  mmlifetime             -Time in minutes to rekey for main mode of IKE.
  softsaexpirationtime   -Time in minutes for an unprotected SA to expire.
  mmsecmethods           -List of one or more space separated security
                          methods in the form of ConfAlg-HashAlg-GroupNum.
                          where ConfAlg can be DES or 3DES
                          where HashAlg can be MD5 or SHA1
                          GroupNum can be 1 (Low) or 2 (Med) or 3 (DH2048).

Remarks: The use of DES and MD5 is not recommended. These cryptographic
          algorithms are provided for backward compatibility only.

Examples: add mmp name=mmp qmpermm=10 mmlifetime=300 softsa=20
          mmsec="3DES-SHA1-3 DES-SHA1-2 3DES-MD5-3"

Adds a quick mode policy to SPD.

netsh ipsec dynamic add qmpolicy


C:\Windows>netsh ipsec dynamic add qmpolicy ?

Usage: 
  qmpolicy [ name = ] <string>
           [ [ soft = ] (yes | no) ]
           [ [ pfsgroup = ] (GRP1 | GRP2 | GRP3 | GRPMM | NOPFS) ]
           [ [ qmsecmethods = ] (neg#1 neg#2 ... neg#n) ]

  Adds a quick mode policy to SPD.

Parameters: 

  Tag                     Value
  name                   -Name of the quick mode policy.
  soft                   -Allow unsecured communication with non-IPsec-aware
                          computers.
                          This takes a value of either 'yes' or 'no'.
  pfsgroup               -GRP1,GRP2,GRP3,GRPMM,NOPFS(default).
  qmsecmethods           -IPsec offer in one of the following formats:
                          ESP[ConfAlg,AuthAlg]:k/s
                          AH[HashAlg]:k/s
                          AH[HashAlg]+ESP[ConfAlg,AuthAlg]:k/s
                          where ConfAlg can be DES or 3DES or None.
                          where AuthAlg can be MD5 or SHA1 or None.
                          where HashAlg is MD5 or SHA1.
                          where k is lifetime in kilobytes.
                          where s is lifetime in seconds.

Remarks: The use of DES and MD5 is not recommended. These cryptographic
          algorithms are provided for backward compatibility only.

Examples: add qmpolicy name=qmp
          qmsec="AH[MD5]:10000k/24800s ESP[DES,SHA1]:30000k/300s"

Adds a rule and associated filters to SPD.

netsh ipsec dynamic add rule


C:\Windows>netsh ipsec dynamic add rule ?

Usage: 
  rule [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
       [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
       [ mmpolicy = ] <string>
       [ [ qmpolicy = ] <string> ]
       [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>) ]
       [ [ srcport = ] <port> ]
       [ [ dstport = ] <port> ]
       [ [ mirrored = ] (yes | no) ]
       [ [ conntype = ] (lan | dialup | all) ]
       [ [ actioninbound = ] (permit | block | negotiate) ]
       [ [ actionoutbound = ] (permit | block | negotiate) ]
       [ [ srcmask = ] (mask | prefix) ]
       [ [ dstmask = ] (mask | prefix) ]
       [ [ tunneldstaddress = ] (ip | dns) ]
       [ [ kerberos = ] (yes | no) ]
       [ [ psk = ] <preshared key> ]
       [ [ rootca = ] "<certificate> certmap:(yes | no) excludecaname:(yes | no)" ]

  Adds a Rule.

Parameters: 

  Tag               Value
  srcaddr          - Source ip address (ipv4 or ipv6), address range, dns name, or server type.
  dstaddr          -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.
  mmpolicy         -Main mode policy
  qmpolicy         -Quick mode policy
  protocol         -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
                    If you specify a port, acceptable value is TCP or UDP. 
  srcport          -Source port(0 means any port)
  dstport          -Destination port(0 means any port)
  mirrored         -'Yes' creates two filters, one in each direction.
  conntype         -Connection type
  actioninbound    -Action for inbound packets
  actionoutbound   -Action for outbound packets
  srcmask          -Source address mask or a prefix of 1 through 32. Not applicable if srcaddr is set to a range 
  dstmask          -Destination address mask or a prefix of 1 through 32. Not applicable if dstaddr is set to a range 
  tunneldstaddress -Tunnel destination ip address or dns name.
  kerberos         -Provides kerberos authentication if 'yes' is specified.
  psk              -Provides authentication using a specified preshared key.
  rootca           -Provides authentication using a specified root certificate,
                    attempts to map the cert if certmap:Yes is specified,
                    excludes the CA name if excludecaname:Yes is specified.

Remarks: 1. Port valid for TCP and UDP.
         2. Server type can be WINS, DNS, DHCP or GATEWAY
         3. Default for actioninbound and actionoutbound is 'negotiate'.
         4. For tunnel rules, mirrored must be set to 'no'.
         5. Certificate, mapping, and CA name settings are all to be within
            quotes; embedded quotes are to be replaced with \'.
         6. Certificate mapping is valid only for domain members.
         7. Multiple certificates can be provided by using the rootca
            parameter multiple times.
         8. The preference of each authentication method is determined by its
            order in the command.
         9. If no auth methods are stated, dynamic defaults are used.
        10. Excluding the root certification authority (CA) name prevents the
            name from being sent as part of the certificate request.
        11. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).

Example: add rule srcaddr=192.168.145.110 dstaddr=192.168.145.215 mmpolicy=mmp
         qmpolicy=qmp mirrored=no srcmask=32 dstmask=255.255.255.255
         rootca="C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority"
         rootca="C=US,O=MSFT,CN=\'Microsoft North, South, East, and West Root
         Authority\' certmap:yes excludecaname:no"

Deletes policy, filter, and actions from SPD.

netsh ipsec dynamic delete


C:\Windows>netsh ipsec dynamic delete ?

The following commands are available:

Commands in this context:
delete all     - Deletes all policies, filters, and actions from SPD.
delete mmpolicy - Deletes a main mode policy from SPD.
delete qmpolicy - Deletes a quick mode policy from SPD.
delete rule    - Deletes a rule and associated filters from SPD.
delete sa      - 

Deletes all policies, filters, and actions from SPD.

netsh ipsec dynamic delete all


C:\Windows>netsh ipsec dynamic delete all ?

Usage: 
  all

  Deletes all policies, filters, and authentication methods from SPD.

Example: delete all

Deletes a main mode policy from SPD.

netsh ipsec dynamic delete mmpolicy


C:\Windows>netsh ipsec dynamic delete mmpolicy ?

Usage: 
  mmpolicy   [ name = ] <string> | [ all ]

  Deletes a main mode policy from SPD.
  If 'all' is specified, all main mode policies are deleted.

Parameters: 

  Tag     Value
  name   -Name of the main mode policy.

Remarks: To delete a main mode policy, any associated main mode filters must
          first be deleted.

Examples: delete mmpolicy name=mmp

Deletes a quick mode policy from SPD.

netsh ipsec dynamic delete qmpolicy


C:\Windows>netsh ipsec dynamic delete qmpolicy ?

Usage: 
  qmpolicy  [ name = ] <string> | [ all ]

  Deletes a quick mode policy from SPD.
  If 'all' is specified, all quick mode policies are deleted.

Parameters: 

  Tag     Value
  name   -Name of the quick mode policy.

Remarks: To delete a quick mode policy, any associated quick mode filters
          must first be deleted.

Examples: delete qmpolicy name=qmp

Deletes a rule and associated filters from SPD.

netsh ipsec dynamic delete rule


C:\Windows>netsh ipsec dynamic delete rule ?

Usage: 
  rule [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
       [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
       [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>)
       [ srcport = ] <port>
       [ dstport = ] <port>
       [ mirrored = ] (yes | no)
       [ conntype = ] (lan | dialup | all)
       [ [ srcmask = ] (mask | prefix) ]
       [ [ dstmask = ] (mask | prefix) ]
       [ [ tunneldstaddress = ] (ip | dns) ]

  Deletes a rule from SPD.

Parameters: 

  Tag               Value
  srcaddr          -Source ip address (ipv4 or ipv6), address range, dns name, or server type.
  dstaddr          -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.
  protocol         -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
  srcport          -Source port. A value of 0 means any port.
  dstport          -Destination port. A value of 0 means any port.
  mirrored         -'Yes' creates two filters, one in each direction.
  conntype         -Connection type can be lan, dialup or 'all'.
  srcmask          -Source address mask or a prefix of 1 through 32.
  dstmask          -Destination address mask or a prefix of 1 through 32.
  tunneldstaddress -Tunnel destination ip address or dns name.

Remarks: 1. To specify the current computer address, set srcaddr/dstaddr=me
             To specify all computer addresses, set srcaddr/dstaddr=any
          2. Server type can be WINS, DNS, DHCP or GATEWAY
          3. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).

Examples: delete rule srca=192.168.145.110 dsta=192.168.145.215
          tunneldsta=192.168.145.1
          proto=tcp srcport=80 dstport=80 mirror=no conntype=lan

netsh ipsec dynamic delete sa


C:\Windows>netsh ipsec dynamic delete sa ?

Displays a configuration script.

netsh ipsec dynamic dump


C:\Windows>netsh ipsec dynamic dump ?

Usage: dump

Remarks: 
    Creates a script that contains the current configuration.  If saved to a
    file, this script can be used to restore altered configuration settings.

Displays a list of commands.

netsh ipsec dynamic help


C:\Windows>netsh ipsec dynamic help ?

Usage: help

Remarks: 
       Displays a list of commands.

Modifies policy, filter, and actions in SPD.

netsh ipsec dynamic set


C:\Windows>netsh ipsec dynamic set ?

The following commands are available:

Commands in this context:
set config     - Sets the IPsec configuration and boot time behavior.
set mmpolicy   - Modifies a main mode policy in SPD.
set qmpolicy   - Modifies a quick mode policy in SPD.
set rule       - Modifies a rule and associated filters in SPD.

Sets the IPsec configuration and boot time behavior.

netsh ipsec dynamic set config


C:\Windows>netsh ipsec dynamic set config ?

Usage: 
  config [ property = ] (ipsecdiagnostics | ipsecexempt | ipsecloginterval | 
                      ikelogging | strongcrlcheck | bootmode | bootexemptions) ]
         [ value = ] <integer> | <bootmode> | <bootexemptions> ]

  Configures the parameters for IPsec.

Parameters: 

  Tag             Value
  property       -Property name.
  value          -Value that corresponds to the property.

Remarks: 1. Valid values for the properties are:
             ipsecdiagnostics - 0, 1, 2, 3, 4, 5, 6, 7
             ikelogging       - 0, 1
             strongcrlcheck   - 0, 1, 2
             ipsecloginterval - 60 to 86400 sec
             ipsecexempt      - 0, 1, 2, 3
             bootmode         - stateful, block, permit
             bootexemptions   - none, "exemption#1 exemption#2 ... exemption#n"
                                where the quoted string specifies a list of
                                protocols and ports to always allow during
                                boot mode in the following format:
                                  Protocol:SrcPort:DstPort:Direction
                                    where protocol is ICMP, TCP, UDP,
                                      RAW, or <integer>
                                    where direction is inbound or outbound
         2. ipsecdiagnostics, ikelogging, ipsecloginterval, bootmode and 
            bootexemptions options are provided for backward compatibility.
            Not valid for Windows Vista and later operating systems.
         3. SrcPort and DstPort are only valid for TCP and UDP, with other
            protocols the format of the exemption is Protocol:Direction.
         4. A port setting of 0 allows for traffic for any port.
         5. ikelogging and strongcrlcheck are activated immediately;
            all other properties take effect on next boot.

Examples: 1. set config property=ipsecdiagnostics value=0
          2. set config property=bootmode value=stateful
          3. set config property=bootexemptions value=none
          4. set config property=bootexemptions
             value="ICMP:inbound TCP:80:80:outbound"

Modifies a main mode policy in SPD.

netsh ipsec dynamic set mmpolicy


C:\Windows>netsh ipsec dynamic set mmpolicy ?

Usage: 
  mmpolicy [ name = ] <string>
           [ [ qmpermm = ] <integer>  ]
           [ [ mmlifetime = ] <integer> ]
           [ [ softsaexpirationtime  = ] <integer> ]
           [ [ mmsecmethods = ] (sec#1 sec#2 ... sec#n) ]

  Modifies a main mode policy with the   new parameters in SPD.

Parameters: 

  Tag                     Value
  name                   -Name of the main mode policy.
  qmpermm                -Number of quick mode sessions per main mode session
                          of IKE.
  mmlifetime             -Time in minutes to rekey for main mode of IKE.
  softsaexpirationtime   -Time in minutes for an unprotected SA to expire.
  mmsecmethods           -List of one or more space separated security
                          methods in the form of ConfAlg-HashAlg-GroupNum,
                          where ConfAlg can be DES or 3DES,
                          HashAlg is MD5 or SHA1,
                          GroupNum can be 1 (Low) or 2 (Med) or 3 (DH2048).

Remarks: The use of DES and MD5 is not recommended. These cryptographic
          algorithms are provided for backward compatibility only.

Example: set mmpolicy name=mmp qmpermm=10 mmlife=10 mmsecmethod=3DES-MD5-3

Modifies a quick mode policy in SPD.

netsh ipsec dynamic set qmpolicy


C:\Windows>netsh ipsec dynamic set qmpolicy ?

Usage: 
  qmpolicy [ name = ] <string>
           [ [ soft = ] (yes | no) ]
           [ [ pfsgroup = ] (GRP1 | GRP2 | GRP3 | GRPMM | NOPFS) ]
           [ [ qmsecmethods = ] (neg#1 neg#2 ... neg#n) ]

  Modifies a quick mode policy in SPD.

Parameters: 

  Tag                     Value
  name                   -Name of the quick mode policy.
  soft                   -Allow unsecured communication with
                          non-IPsec-aware computers.
                          This takes a value of either 'yes' or 'no'.
  pfsgroup               -GRP1,GRP2,GRP3,GRPMM,NOPFS(default).
  qmsecmethods           -IPsec offer in one of the following formats:
                          ESP[ConfAlg,AuthAlg]:k/s
                          AH[HashAlg]:k/s
                          AH[HashAlg]+ESP[ConfAlg,AuthAlg]:k/s
                          where ConfAlg can be DES, or 3DES or None.
                          where AuthAlg can be MD5, or SHA1 or None.
                          where HashAlg is MD5 or SHA1.
                          where k is lifetime in kilobytes.
                          where s is lifetime in seconds.

Remarks: The use of DES and MD5 is not recommended. These cryptographic
          algorithms are provided for backward compatibility only.

Example: set qmpolicy name=qmp pfsg=grp3
         qmsec="AH[MD5]:100000k/29999s+ESP[DES,SHA1]"

Modifies a rule and associated filters in SPD.

netsh ipsec dynamic set rule


C:\Windows>netsh ipsec dynamic set rule ?

Usage: 
  rule [ srcaddr = ] (ip | dns | server)
       [ dstaddr = ] (ip | dns | server)
       [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>)
       [ srcport = ] <port>
       [ dstport = ] <port>
       [ mirrored = ] (yes | no)
       [ conntype = ] (lan | dialup | all)
       [ [ srcmask = ] (mask | prefix) ]
       [ [ dstmask = ] (mask | prefix) ]
       [ [ tunneldstaddress = ] (ip | dns) ]
       [ [ mmpolicy = ] <string> ]
       [ [ qmpolicy = ] <string> ]
       [ [ actioninbound = ] (permit | block | negotiate) ]
       [ [ actionoutbound = ] (permit | block | negotiate) ]
       [ [ kerberos = ] (yes | no) ]
       [ [ psk = ] <preshared key> ]
       [ [ rootca = ] "<certificate> certmap:(yes | no) excludecaname:(yes | no)" ]

  Modifies a rule and associated filters in SPD.

Parameters: 

  Tag               Value
  srcaddr          - Source ip address (ipv4 or ipv6), address range, dns name, or server type.
  dstaddr          -Destination ip address (ipv4 or ipv6), address range,  dns name, or server type.
  protocol         -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
  srcport          -Source port (0 means any port)
  dstport          -Destination port (0 means any port)
  mirrored         -'Yes' creates two filters, one in each direction.
  conntype         -Connection type
  srcmask          -Source address mask or a prefix of 1 through 32. Not applicable if srcaddr is set to a range 
  dstmask          -Destination address mask or a prefix of 1 through 32. Not applicable if dstaddr is set to a range 
  tunneldstaddress -Tunnel destination ip address or dns name.
  mmpolicy         -Main mode policy
  qmpolicy         -Quick mode policy
  actioninbound    -Action for inbound packets
  actionoutbound   -Action for outbound packets
  kerberos         -Provides kerberos authentication if 'yes' is specified
  psk              -Provides authentication using a specified preshared key
  rootca           -Provides authentication using a specified root certificate,
                    attempts to map the cert if certmap:Yes is specified,
                    excludes the CA name if excludecaname:Yes is specified.

Remarks: 1. Mmpolicy, qmpolicy, actioninbound, actionoutbound
             and authmethods can be set; other fields are identifiers.
          2. Server type can be WINS, DNS, DHCP or GATEWAY
          3. Certificate, mapping, and CA name settings are all to be within
             quotes; embedded quotes are to be replaced with \'.
          4. Certificate mapping is valid only for domain members.
          5. Multiple certificates can be provided by using the rootca
             parameter multiple times.
          6. The preference of each authentication method is determined by
             its order in the command.
          7. If no auth methods are stated, dynamic defaults are used.
          8. All authentication methods are overwritten with the stated list.
          9. Excluding the root certification authority (CA) name prevents
             the name from being sent as part of the certificate request.
         10. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).

Examples: 1. set rule srca=WINS dsta=0.0.0.0 srcmask=32 dstmask=32
             tunneldst=192.168.145.1
             proto=tcp srcport=80 dstport=80 mir=no con=lan
             qmp=qmp actionin=negotiate actionout=permit
          2. set rule srcaddr=192.168.145.110 dstaddr=192.168.145.215
             mmpolicy=mmp qmpolicy=qmp mirrored=no srcmask=32
             rootca="C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority"
             rootca="C=US,O=MSFT,CN=\'Microsoft North, South, East, and West
             Root Authority\' certmap:yes excludecaname:no"

Displays policy, filter, and actions from SPD.

netsh ipsec dynamic show


C:\Windows>netsh ipsec dynamic show ?

The following commands are available:

Commands in this context:
show all       - Displays policies, filters, SAs, and statistics from SPD.
show config    - Displays IPsec configuration.
show mmfilter  - Displays main mode filter details from SPD.
show mmpolicy  - Displays main mode policy details from SPD.
show mmsas     - Displays main mode security associations from SPD.
show qmfilter  - Displays quick mode filter details from SPD.
show qmpolicy  - Displays quick mode policy details from SPD.
show qmsas     - Displays quick mode security associations from SPD.
show rule      - Displays rule details from SPD.

Displays policies, filters, SAs, and statistics from SPD.

netsh ipsec dynamic show all


C:\Windows>netsh ipsec dynamic show all ?

Usage: 
  all [ [ resolvedns = ] (yes | no) ]

  Displays details of all policies, filters, SAs, and statistics from SPD.

Parameters: 

  Tag               Value
  resolvedns       -Value of 'yes' displays the resolved dns name.

Remarks: Default value of resolvedns is 'no'.

Examples: show all yes
         - shows all information with dns resolution

Displays IPsec configuration.

netsh ipsec dynamic show config


C:\Windows>netsh ipsec dynamic show config ?

Usage: 
  config

 Displays current settings of IPsec configuration parameters.

Remarks: 

Example: show config

Displays main mode filter details from SPD.

netsh ipsec dynamic show mmfilter


C:\Windows>netsh ipsec dynamic show mmfilter ?

Usage: 
  mmfilter [ name = ] <string> | [ all ]
           [ [ type = ]  (generic | specific) ]
           [ [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) ]
           [ [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) ]
           [ [ srcmask = ] (mask | prefix) ]
           [ [ dstmask = ] (mask | prefix) ]
           [ [ resolvedns = ] (yes | no) ]

  Displays main mode filter details from SPD.

Parameters: 

  Tag         Value
  name | all -Name of the main mode filter or 'all'.
  type       -Type of filter to display, either specific or generic.
  srcaddr    - Source ip address (ipv4 or ipv6), address range, dns name, or server type.
  dstaddr    -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.
  srcmask    -Source address mask or a prefix of 1 through 32.
  dstmask    -Destination address mask or a prefix of 1 through 32.
  resolvedns -Value of 'yes' displays the resolved dns name.

Remarks: 1. Default for the type parameter is 'generic'.
          2. Server type can be WINS, DNS, DHCP or GATEWAY.
          3. If 'all' is specified, all main mode filters are displayed.
          4. If source address or destination address is specified,
             only filters associated with that address are displayed.
          5. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).

Examples: 1. show mmfilter name=mmf
          2. show mmfilter all srcaddr=wins dstaddr=192.168.145.112

Displays main mode policy details from SPD.

netsh ipsec dynamic show mmpolicy


C:\Windows>netsh ipsec dynamic show mmpolicy ?

Usage: 
  mmpolicy [ name = ] <string> | [ all ]

  Displays main mode policy details from SPD.

Parameters: 

  Tag     Value
  name   -Name of the main mode policy.

Remarks: If 'all' is specified, all main mode policies are displayed.

Examples: 1. show mmpolicy name=mmp
          2. show mmpolicy all

Displays main mode security associations from SPD.

netsh ipsec dynamic show mmsas


C:\Windows>netsh ipsec dynamic show mmsas ?

Usage: 
  mmsas [ [ all ] ]
        [ [ srcaddr =] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) ]
        [ [ dstaddr =] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) ]
        [ [ format = ] (list | table) ]
        [ [ resolvedns = ] (yes | no) ]

  Displays the main mode security associations for a specified address.

Parameters: 

  Tag          Value
  all         -Display all main mode security associations.
  srcaddr     - Source ip address (ipv4 or ipv6), address range, dns name, or server type.
  dstaddr     -Destination ip address(ipv4 or ipv6), address range, dns name, or server type.
  format      -Output in screen or tab-delimited format.
  resolvedns  -Value of 'yes' displays the resolved dns name.

Remarks: 1. Server type can be WINS, DNS, DHCP or GATEWAY.
          2. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).\             


Examples: 1. show mmsas  
all
          2. show mmsas srca=192.168.145.110 dsta=192.168.145 
.215

Displays quick mode filter details from SPD.

netsh ipsec dynamic show qmfilter


C:\Windows>netsh ipsec dynamic show qmfilter ?

Usage: 
  qmfilter [ name = ] <string> | [ all ]
           [ [ type = ]  (generic | specific) ]
           [ [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) ]
           [ [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) ]
           [ [ srcmask = ] (mask | prefix) ]
           [ [ dstmask = ] (mask | prefix) ]
           [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>) ]
           [ [ srcport = ] <port> ]
           [ [ dstport = ] <port> ]
           [ [ actioninbound = ] (permit | block | negotiate) ]
           [ [ actionoutbound = ] (permit | block | negotiate) ]
           [ [ resolvedns = ] (yes | no) ]

  Displays quick mode filter details from SPD.

Parameters: 

  Tag               Value
  name             -Name of the quick mode filter.
  type             -Type of filter to display, either specific or generic.
  srcaddr          - Source ip address (ipv4 or ipv6), address range,  dns name, or server type.
  dstaddr          -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.
  srcmask          -Source address mask or a prefix of 1 through 32.
  dstmask          -Destination address mask or a prefix of 1 through 32.
  protocol         -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
  srcport          -Source port. A value of 0 means any port.
  dstport          -Destination port. A value of 0 means any port.
  actioninbound    -Action for inbound packets.
  actionoutbound   -Action for outbound packets.
  resolvedns       -Value of 'yes' displays the resolved dns name.

Remarks: 1. If the type is not specified then both 'generic' and
             'specific' filters are displayed.
          2. Server type can be WINS, DNS, DHCP or GATEWAY.
          3. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).

Examples: 1. show qmfilter name=qmf
          2. show qmfilter all srcaddr=192.134.135.133 proto=TCP
          3. If 'all' is specified, all quick mode filters are displayed.
          4. If source or destination address name is specified,
             only filters associated with that address are displayed.

Displays quick mode policy details from SPD.

netsh ipsec dynamic show qmpolicy


C:\Windows>netsh ipsec dynamic show qmpolicy ?

Usage: 
  qmpolicy [ name = ] <string> | [ all ]

  Displays quick mode policy details from SPD.

Parameters: 

  Tag     Value
  name   -Name of the quick mode policy.

Remarks: If 'all' is specified, all quick mode policies are displayed.

Examples: 1. show qmpolicy name=qmp
          2. show qmpolicy all

Displays quick mode security associations from SPD.

netsh ipsec dynamic show qmsas


C:\Windows>netsh ipsec dynamic show qmsas ?

Usage: 
  qmsas [ [ all ] ]
        [ [ srcaddr =] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) ]
        [ [ dstaddr =] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) ]
        [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>) ]
        [ [ format = ] (list | table) ]
        [ [ resolvedns = ] (yes | no) ]

  Displays the quick mode security associations for a specified address.

Parameters: 

  Tag         Value
  all        -Displays all quick mode security associations.
  srcaddr    -Source ip address(ipv4 or ipv6), address range, dns name, or server type.
  dstaddr    -Destination ip address(ipv4 or ipv6), address range, dns name, or server type.
  protocol   -Can be ANY, ICMP, TCP, UDP, RAW, or an integer. 
  format     -Output in screen or tab-delimited format.
  resolvedns -Value of 'yes' displays the resolved dns name.

Remarks: 1. Server type can be WINS, DNS, DHCP or GATEWAY.
          2. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).\n
Examples: 1. show qmsas all
          2. show qmsas srca=192.168.145.110 dsta=192.168.145.215

Displays rule details from SPD.

netsh ipsec dynamic show rule


C:\Windows>netsh ipsec dynamic show rule ?

Usage: 
  rule   [ [ type = ] (transport | tunnel) ]
         [ [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) ]
         [ [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) ]
         [ [ srcmask = ] (mask | prefix) ]
         [ [ dstmask = ] (mask | prefix) ]
         [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>) ]
         [ [ srcport = ] <port> ]
         [ [ dstport = ] <port> ]
         [ [ actioninbound = ] (permit | block | negotiate) ]
         [ [ actionoutbound = ] (permit | block | negotiate) ]
         [ [ resolvedns = ] (yes | no) ]

  Displays rule details from SPD.

Parameters: 

  Tag               Value
  type             -Type of rule to display, either transport or tunnel.
  srcaddr          -Source ip address (ipv4 or ipv6), address range, dns name, or server type.
  dstaddr          -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.
  srcmask          -Source address mask or a prefix of 1 through 32.
  dstmask          -Destination address mask or a prefix of 1 through 32.
  protocol         -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
  srcport          -Source port. A value of 0 means any port.
  dstport          -Destination port. A value of 0 means any port.
  actioninbound    -Action for inbound packets.
  actionoutbound   -Action for outbound packets.
  resolvedns       -Value of 'yes' displays the resolved dns name.

Remarks: 1. Default for the type parameter is 'transport'.
          2. Server type can be WINS, DNS, DHCP or GATEWAY.
          3. If source or destination address name is specified,
             only rules associated with that address are displayed.
          4. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).

Examples: 1. show rule
           - shows both transport and tunnel rules
          2. show rule type=transport srcaddr=192.134.135.133 proto=TCP

Displays a list of commands.

netsh ipsec help


C:\Windows>netsh ipsec help ?

Usage: help

Remarks: 
       Displays a list of commands.

Changes to the `netsh ipsec static' context.

netsh ipsec static


C:\Windows>netsh ipsec static ?

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
add            - Creates new policies and related information.
delete         - Deletes policies and related information.
dump           - Displays a configuration script.
exportpolicy   - Exports all the policies from the policy store.
help           - Displays a list of commands.
importpolicy   - Imports the policies from a file to the policy store.
set            - Modifies existing policies and related information.
show           - Displays details of policies and related information.

To view help for a command, type the command, followed by a space, and then
 type ?.

Creates new policies and related information.

netsh ipsec static add


C:\Windows>netsh ipsec static add ?

The following commands are available:

Commands in this context:
add filter     - Adds a filter to filter list.
add filteraction - Creates a filter action.
add filterlist - Creates an empty filter list.
add policy     - Creates a policy with a default response rule.
add rule       - Creates a rule for the specified policy.

Adds a filter to filter list.

netsh ipsec static add filter


C:\Windows>netsh ipsec static add filter ?

Usage: 
  filter [ filterlist = ] <string>
         [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
         [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
         [ [ description = ] <string> ]
         [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>) ]
         [ [ mirrored = ] (yes  |  no) ]
         [ [ srcmask = ] (mask | prefix) ]
         [ [ dstmask = ] (mask | prefix) ]
         [ [ srcport = ] <port> ]
         [ [ dstport = ] <port> ]

  Adds a filter to the specified filter list.

Parameters: 

  Tag            Value
  filterlist    -Name of the filter list to which the filter is added.
  srcaddr       -Source ip address (ipv4 or ipv6), address range, dns name, or server type.
  dstaddr       -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.
  description   -Brief information about the filter.
  protocol      -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
  mirrored      -'Yes' creates two filters, one in each direction.
  srcmask       -Source address mask or a prefix of 1 through 32. Not applicable if srcaddr is set to a range 
  dstmask       -Destination address mask or a prefix of 1 through 32. Not applicable if dstaddr is set to a range
  srcport       -Source port of the packet. A value of 0 means any port.
  dstport       -Destination port of the packet. A value of 0 means any port.

Remarks: 1. If the filter list does not exist it will be created.
          2. To specify the current computer address, set srcaddr/dstaddr=me
             To specify all computer addresses, set srcaddr/dstaddr=any
          3. Server type can be WINS, DNS, DHCP or GATEWAY.
          4. If source is a server type, then dest is 'me' and vice-versa.
          5. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).

Examples: 1. add filter filterlist=Filter1 192.145.168.0 192.145.168.45
          srcmask=24 dstmask=32
          2. add filter filterlist=Filter1 srcaddr=DHCP dstaddr=0.0.0.0
          protocol=ICMP srcmask=255.255.255.255 dstmask=255.255.255.255
          3. add filter filterlist=Filter1 srcaddr=me dstaddr=any
          4. add filter filterlist=Filter1 srcaddr= E3D7::51F4:9BC8:00A8:6420 dstaddr= ME
          5. add filter filterlist=Filter1 srcaddr= 192.168.2.1-192,168.2.10 dstaddr= ME

Creates a filter action.

netsh ipsec static add filteraction


C:\Windows>netsh ipsec static add filteraction ?

Usage: 
  filteraction [ name = ] <string>
               [ [ description = ] <string> ]
               [ [ qmpfs = ] (yes | no) ]
               [ [ inpass  = ] (yes | no) ]
               [ [ soft = ] (yes | no) ]
               [ [ action = ] (permit | block | negotiate) ]
               [ [ qmsecmethods = ] (neg#1 neg#2 ... neg#n) ]

  Creates a filter action.

Parameters: 

  Tag           Value
  name         -Name of the filter action.
  description  -Brief information about the type of filter action.
  qmpfs        -Option to set quick mode perfect forward secrecy.
  inpass       -Accept unsecured communication, but always respond
                using IPsec. This takes a value of either 'yes' or 'no'.
  soft         -Allow unsecured communication with non-IPsec-aware
                computers. This takes a value of either 'yes' or 'no'.
  action       -This takes permit, block or negotiate.
  qmsecmethods -IPsec offer in one of the following formats:
                ESP[ConfAlg,AuthAlg]:k/s
                AH[HashAlg]:k/s
                AH[HashAlg]+ESP[ConfAlg,AuthAlg]:k/s
                where ConfAlg can be DES or 3DES or None.
                where AuthAlg can be MD5 or SHA1 or None.
                where HashAlg is MD5 or SHA1.
                where k is Lifetime in kilobytes.
                where s is Lifetime in seconds.

Remarks: 1. Quick mode security methods are ignored if the action is not
             'negotiate'
          2. The use of DES and MD5 is not recommended. These cryptographic
             algorithms are provided for backward compatibility only.

Examples: add filteraction name=FilterA qmpfs=yes soft=y action=negotiate
          qmsec="AH[MD5]:204800k/300s ESP[DES,SHA1]:30000k/480s"

Creates an empty filter list.

netsh ipsec static add filterlist


C:\Windows>netsh ipsec static add filterlist ?

Usage: 
  filterlist [ name = ] <string>
             [ [ description = ] <string> ]

  Creates an empty filter list with the specified name.

Parameters: 

  Tag           Value
  name         -Name of the filter list.
  description  -Brief information about the filter list.

Remarks: 

Examples: add filterlist Filter1

Creates a policy with a default response rule.

netsh ipsec static add policy


C:\Windows>netsh ipsec static add policy ?

Usage: 
  policy [ name = ] <string>
         [ [ description = ] <string> ]
         [ [ mmpfs = ] (yes | no) ]
         [ [ qmpermm = ] <integer> ]
         [ [ mmlifetime = ] <integer> ]
         [ [ activatedefaultrule = ] (yes | no) ]
         [ [ pollinginterval = ] <integer> ]
         [ [ assign = ] (yes | no) ]
         [ [ mmsecmethods = ] (sec#1 sec#2 ... sec#n) ]

  Creates a policy with the specified name.

Parameters: 

  Tag                   Value
  name                 -Name of the policy.
  description          -Brief information about the policy.
  mmpfs                -Option to set master perfect forward secrecy.
  qmpermm              -Number of quick mode sessions per main mode
                        session of IKE.
  mmlifetime           -Time in minutes to rekey for main mode of IKE.
  activatedefaultrule  -Activates or deactivates the default response rule. Valid only for versions of Windows prior to Windows Vista.
  pollinginterval      -Polling Interval, time in minutes for policy agent
                        to check for changes in policy store.
  assign               -Assigns the policy as active or inactive. 
  mmsecmethods         -List of one or more space separated security
                        methods in the form of ConfAlg-HashAlg-GroupNum,
                        where ConfAlg can be DES or 3DES,
                        HashAlg is MD5 or SHA1.
                        GroupNum can be 1 (Low), 2 (Med), 3 (DH2048).

Remarks: 1. If mmpfs is specified, qmpermm is set to 1.
          2. If the store is 'domain' then 'assign' will have no effect.
          3. The use of DES and MD5 is not recommended. These cryptographic
             algorithms are provided for backward compatibility only.

Examples: add policy Policy1 mmpfs= yes assign=yes
          mmsec="3DES-SHA1-3 DES-MD5-3 3DES-MD5-2"

Creates a rule for the specified policy.

netsh ipsec static add rule


C:\Windows>netsh ipsec static add rule ?

Usage: 
  rule [ name = ] <string>
       [ policy = ] <string>
       [ filterlist = ] <string> 
       [ filteraction = ] <string> 
       [ [ tunnel = ] (ip | dns) ]
       [ [ conntype = ] (lan | dialup | all) ]
       [ [ activate = ] (yes | no) ]
       [ [ description = ] <string> ]
       [ [ kerberos = ] (yes | no) ]
       [ [ psk = ] <preshared key> ]
       [ [ rootca = ] "<certificate> certmap:(yes | no) excludecaname:(yes | no)" ]

  Creates a rule with the specified filter list and filter action.

Parameters: 

  Tag            Value
  name          -Name of the rule.
  policy        -Name of the policy the rule belongs to.
  filterlist    -Name of the filter list to be used.
  filteraction  -Name of the filter action to be used.
  tunnel        -Tunnel end point IP address.
  conntype      -Connection type can be lan, dialup or 'all'.
  activate      -Activates the rule in the policy if 'yes' is specified.
  description   -Brief information about the rule.
  kerberos      -Provides Kerberos authentication if 'yes' is specified.
  psk           -Provides authentication using a specified preshared key.
  rootca        -Provides authentication using a specified root certificate,
                 attempts to map the cert if certmap:Yes is specified,
                 excludes the CA name if excludecaname:Yes is specified.

Remarks: 1. Certificate, mapping, and CA name settings are all to be within
             quotes; embedded quotes are to be replaced with \'.
          2. Certificate mapping is valid only for domain members.
          3. Multiple certificates can be provided by using the rootca
             parameter multiple times.
          4. The preference of each authentication method is determined by
             its order in the command.
          5. If no auth methods are stated, dynamic defaults are used.
          6. Excluding the root certification authority (CA) name prevents
             the name from being sent as part of the certificate request.

Examples: add rule name=Rule policy=Policy filterlist=Filterlist
          filteraction=FilterAction kerberos=yes psk="my key"
          rootca="C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority"
          rootca="C=US,O=MSFT,CN=\'Microsoft North, South, East, and West Root
          Authority\' certmap:yes excludecaname:no"

Deletes policies and related information.

netsh ipsec static delete


C:\Windows>netsh ipsec static delete ?

The following commands are available:

Commands in this context:
delete all     - Deletes all policies, filter lists, and filter actions.
delete filter  - Deletes a filter from a filter list.
delete filteraction - Deletes a filter action.
delete filterlist - Deletes a filter list.
delete policy  - Deletes a policy and its rules.
delete rule    - Deletes a rule from a policy.

Deletes all policies, filter lists, and filter actions.

netsh ipsec static delete all


C:\Windows>netsh ipsec static delete all ?

Usage: 
  all

  Deletes all policies, filter lists, and filter actions.

Parameters: 

Remarks: 

Examples: delete all

Deletes a filter from a filter list.

netsh ipsec static delete filter


C:\Windows>netsh ipsec static delete filter ?

Usage: 
  filter [ filterlist = ] <string>
         [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
         [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
         [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>) ]
         [ [ srcmask = ] (mask | prefix) ]
         [ [ dstmask = ] (mask | prefix) ]
         [ [ srcport = ] <port> ]
         [ [ dstport = ] <port> ]
         [ [ mirrored = ] (yes | no) ]

  Deletes a filter from a filter list

Parameters: 

  Tag           Value
  filterlist   -Name of the filter list to which the filter was added.
  srcaddr      - Source ip address (ipv4 or ipv6), address range, dns name, or server type.
  dstaddr      -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.
  protocol     -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
  srcmask      -Source address mask or a prefix of 1 through 32. Not applicable if srcaddr is set to a range 
  dstmask      -Destination address mask or a prefix of 1 through 32. Not applicable if dstaddr is set to a range 
  srcport      -Source port of the packet. A value of 0 means any port
  dstport      -Destination port of the packet. A value of 0 means any port.
  mirrored     -'Yes' creates two filters, one in each direction.

Remarks: 1. Deletes the exact match filter from the filter list.
          2. To specify the current computer address, set srcaddr/dstaddr=me
             To specify all computer addresses, set srcaddr/dstaddr=any
          3. Server type can be WINS, DNS, DHCP or GATEWAY.
          4. If source is a server, then dest is set to 'me' and vice-versa.
          5.  If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).

Examples: 1. delete filter FilterList1 src=fum.com dst=fum.com
          2. delete filter Filter1 srcaddr=me dstaddr=any proto=TCP
          3. delete filter Filter1 srcaddr=GATEWAY dstaddr=0.0.0.0 proto=TCP
          4. delete filter Filter1 srcaddr=192.168.2.1-192.168.2.10 dstaddr=ME

Deletes a filter action.

netsh ipsec static delete filteraction


C:\Windows>netsh ipsec static delete filteraction ?

Usage: 
  filteraction [ name = ] <string> | [ all ]

  Deletes a filter action.

Parameters: 

  Tag             Value
  name | all     -Name of the filter action or 'all'.

Remarks: If 'all' is specified, all filter actions are deleted.

Examples: 1. delete filteraction FilterA
          2. delete filteraction all

Deletes a filter list.

netsh ipsec static delete filterlist


C:\Windows>netsh ipsec static delete filterlist ?

Usage: 
  filterlist [name = ] <string> | [ all ]

  Deletes the filter list and all of its associated filters.

Parameters: 

  Tag           Value
  name | all   -Name of the filter list or 'all'.

Remarks: If 'all' is specified, all filter lists are deleted.

Examples: delete filterlist all

Deletes a policy and its rules.

netsh ipsec static delete policy


C:\Windows>netsh ipsec static delete policy ?

Usage: 
  policy [ name = ] <string> | [ all ]

  Deletes the policy and all its associated rules.

Parameters: 

  Tag           Value
  name | all   -Name of the policy or 'all'.

Remarks: If 'all' is specified, all policies are deleted.

Examples: 1. delete policy all
           - deletes all policies.
          2. delete policy name=Policy1
           - deletes the policy named Policy1.

Deletes a rule from a policy.

netsh ipsec static delete rule


C:\Windows>netsh ipsec static delete rule ?

Usage: 
  rule [ name = ] <string> | [ id = ] <integer> | [ all ]
       [ policy = ] <string>

  Deletes a rule from a policy.

Parameters: 

  Tag               Value
  name | id | all  -Name of the rule, ID of the rule, or 'all'
  policy           -Name of the policy.

Remarks: 1. If 'all' is specified, deletes all rules from the policy except
             the default response rule.
          2. The default response rule cannot be deleted.
          3. The IDs will change with every delete.

Examples: 1. delete rule id=1 Policy1
            -deletes the rule with id=1 from Policy1.
          2. delete rule all Policy1
            -deletes all the rules from Policy1.

Displays a configuration script.

netsh ipsec static dump


C:\Windows>netsh ipsec static dump ?

Usage: dump

Remarks: 
    Creates a script that contains the current configuration.  If saved to a
    file, this script can be used to restore altered configuration settings.

Exports all the policies from the policy store.

netsh ipsec static exportpolicy


C:\Windows>netsh ipsec static exportpolicy ?

Usage: 
  exportpolicy [ file = ] <string>

  Exports all the policies to a file.

Parameters: 

  Tag         Value
  name       -Name of the file into which the policies are exported.

Remarks: .ipsec extension is by default added to the filename.

Examples: exportpolicy Policy1

Displays a list of commands.

netsh ipsec static help


C:\Windows>netsh ipsec static help ?

Usage: help

Remarks: 
       Displays a list of commands.

Imports the policies from a file to the policy store.

netsh ipsec static importpolicy


C:\Windows>netsh ipsec static importpolicy ?

Usage: 
  importpolicy [ file = ] <string>

  Imports policies from the specified file.

Parameters: 

  Tag         Value
  name       -Name of the file from which the policies are imported.

Remarks: 

Examples: importpolicy Policy1.ipsec

Modifies existing policies and related information.

netsh ipsec static set


C:\Windows>netsh ipsec static set ?

The following commands are available:

Commands in this context:
set batch      - Sets the batch update mode.
set defaultrule - Modifies the default response rule of a policy.
set filteraction - Modifies a filter action.
set filterlist - Modifies a filter list.
set policy     - Modifies a policy.
set rule       - Modifies a rule.
set store      - Sets the current policy store.

Sets the batch update mode.

netsh ipsec static set batch


C:\Windows>netsh ipsec static set batch ?

Usage: 
  set batch [mode = ] (enable | disable) 

  Sets the batch update mode.

Parameters: 

mode - The mode for batch updates. 

Modifies the default response rule of a policy.

netsh ipsec static set defaultrule


C:\Windows>netsh ipsec static set defaultrule ?

Usage: 
  defaultrule [ policy = ] <string>
              [ [ qmpfs = ] (yes | no) ]
              [ [ activate = ] (yes | no) ]
              [ [ qmsecmethods = ] (neg#1 neg#2 ... neg#n) ]
              [ [ kerberos = ] (yes | no) ]
              [ [ psk = ] <preshared key> ]
              [ [ rootca = ] "<certificate> certmap:(yes | no) excludecaname:(yes | no)" ]

  Modifies the default response rule of the specified policy.
  This rule will be ignored on Windows Vista and later versions of Windows
 

Parameters: 

  Tag            
Value
  policy       -Name of the policy for which the default response rule  
is
                to be modified 
.
  qmpfs        -Option to set quick mode perfect forward secrecy 
.
  activate     -Activates the rule in the policy if 'yes' is specified 
.
  qmsecmethods -IPsec offer in one of the following formats:
                ESP[ConfAlg,AuthAlg]:k/ 
s
                AH[HashAlg]:k/ 
s
                AH[HashAlg]+ESP[ConfAlg,AuthAlg]:k/ 
s
                where ConfAlg can be DES, or 3DES or None 
.
                where AuthAlg can be MD5, or SHA1 or None 
.
                where HashAlg is MD5 or SHA1 
.
                where k is lifetime in kilobytes 
.
                where s is lifetime in seconds 
.
  kerberos     -Provides Kerberos authentication if 'yes' is specified 
.
  psk          -Provides authentication using a specified preshared key 
.
  rootca       -Provides authentication using a specified root certificate,
                attempts to map the cert if certmap:Yes is specified,
                excludes the CA name if excludecaname:Yes is specified 
.

Remarks: 1. Certificate, mapping, and CA name settings are all to be  
within
             quotes; embedded quotes are to be replaced with \' 
.
          2. Certificate mapping is valid only for domain members 
.
          3. Multiple certificates can be provided by using the  
rootca
             parameter multiple times 
.
          4. The preference of each authentication method is determined  
by
             its order in the command 
.
          5. If no auth methods are stated, dynamic defaults are used 
.
          6. The use of DES and MD5 is not recommended. These  
cryptographic
             algorithms are provided for backward compatibility only 
.

Examples: set defaultrule Policy1 activate= 
y
          qmsec="AH[MD5]+ESP[3DES,MD5]:100000k/2000s"

Modifies a filter action.

netsh ipsec static set filteraction


C:\Windows>netsh ipsec static set filteraction ?

Usage: 
  filteraction [ name = ] <string> | [ guid = ] <guid>
               [ [ newname = ] <string> ]
               [ [ description = ] <string> ]
               [ [ qmpfs = ] (yes | no) ]
               [ [ inpass  = ] (yes | no) ]
               [ [ soft = ] (yes | no)  ]
               [ [ action = ] (permit | block | negotiate) ]
               [ [ qmsecmethods = ] (neg#1 neg#2 ... neg#n) ]

  Modifies a filter action.

Parameters: 

  Tag            Value
  name | guid   -Name or guid of the filter action.
  newname       -New name of the filter action.
  description   -Brief information about the filter action.
  qmpfs         -Option to set quick mode perfect forward secrecy.
  inpass        -Accept unsecured communication, but always respond
                 using IPsec. This takes a value of either 'yes' or 'no'.
  soft          -Allow unsecured communication with non-IPsec-aware computers.
                 This takes a value of either 'yes' or 'no'.
  action        -This takes permit or block or negotiate.
  qmsecmethods  -IPsec offer in one of the following formats:
                 ESP[ConfAlg,AuthAlg]:k/s
                 AH[HashAlg]:k/s
                 AH[HashAlg]+ESP[ConfAlg,AuthAlg]:k/s
                 where ConfAlg can be DES or 3DES or None.
                 where AuthAlg can be MD5 or SHA1 or None.
                 where HashAlg is MD5 or SHA1.
                 where k is lifetime in kilobytes.
                 where s is lifetime in seconds.

Remarks: The use of DES and MD5 is not recommended. These cryptographic
          algorithms are provided for backward compatibility only.

Examples: 1. set filteraction name=test qmsec=ESP[3DES,MD5]:100000k/2000s
         2. set filteraction guid={11E6E97E-0031-49f5-AC7D-5F2FE99BABAF}
           inpass=y

Modifies a filter list.

netsh ipsec static set filterlist


C:\Windows>netsh ipsec static set filterlist ?

Usage: 
  filterlist [ name = ] <string> | [ guid = ] <guid>
             [ [ newname = ] <string> ]
             [ [ description = ] <string> ]

  Modifies a filter list name and description.

Parameters: 

  Tag           Value
  name | guid  -Name of the filter list or guid.
  newname      -New name of the filter list.
  description  -Brief information about the filter list.

Examples: 1. set filterlist Filter1 desc=NewFilter1
          2. set filterlist guid={11E6E97E-0031-49f5-AC7D-5F2FE99BABAF}
                newname=FilterName

Modifies a policy.

netsh ipsec static set policy


C:\Windows>netsh ipsec static set policy ?

Usage: 
  policy [ name = ] <string> | [ guid = ] <guid>
         [ [ newname = ] <string> ]
         [ [ description = ] <string> ]
         [ [ mmpfs = ] (yes | no) ]
         [ [ qmpermm = ] <integer> ]
         [ [ mmlifetime = ] <integer> ]
         [ [ activatedefaultrule = ] ( yes | no) ]
         [ [ pollinginterval = ] <integer> ]
         [ [ assign = ] (yes | no) ]
         [ [ gponame = ] <string> ]
         [ [ mmsecmethods = ] (sec#1 sec#2 ... sec#n) ]

  Modifies a policy.

Parameters: 

  Tag                  Value
  name | guid         -Name of the policy, or guid.
  newname             -New name.
  description         -Brief information.
  mmpfs               -Sets master perfect forward secrecy.
  qmpermm             -Number of quick modes per main mode.
  mmlifetime          -Time in minutes to rekey.
  activatedefaultrule -Activates the default response rule. Valid only for versions of Windows prior to Windows Vista.
  pollinginterval     -Time in minutes to check for change in policy store.
  assign              -Assigns the policy.
  gponame             -Local AD group policy object name to which the policy
                       can be assigned. Valid when the store is domain.
  mmsecmethods        -List of one or more space separated security
                       methods in the form of ConfAlg-HashAlg-GroupNum.

Remarks: 1. If mmpfs is specified, qmpermm is set to 1.
          2. A GPO name can only be specified if the store is set to domain.
          3. The use of DES and MD5 is not recommended. These cryptographic
             algorithms are provided for backward compatibility only.

Examples: 1. set policy name=Policy mmpfs=y gpo=DomainPolicy assign=y
          2. set policy guid={11E6E97E-0031-49f5-AC7D-5F2FE99BABAF}
             newname=NewName gpo=DefaultDomainPolicy assign=y

Modifies a rule.

netsh ipsec static set rule


C:\Windows>netsh ipsec static set rule ?

Usage: 
  rule [ name = ] <string> | [id= ] <integer>
       [ policy = ] <string>
       [ [ newname = ] <string> ]
       [ [ description = ] <string> ]
       [ [ filterlist = ] <string> ]
       [ [ filteraction = ] <string> ]
       [ [ tunnel = ] (ip | dns) ]
       [ [ conntype = ] (lan | dialup | all) ]
       [ [ activate = ] (yes | no) ]
       [ [ kerberos = ] (yes | no) ]
       [ [ psk = ] <preshared key> ]
       [ [ rootca = ] "<certificate> certmap:(yes | no) excludecaname:(yes | no)" ]

  Modifies a rule in a policy.

Parameters: 

  Tag            Value
  name | id     -Name or ID of the rule.
  policy        -Name of the policy, the rule belongs to.
  newname       -New name of the rule.
  description   -Brief information about the rule.
  filterlist    -Name of the filter list to be used.
  filteraction  -Name of the filter action to be used.
  tunnel        -Tunnel ip address or dns name.
  conntype      -Connection type can be 'lan', 'dialup' or 'all'.
  activate      -Activates the rule in the policy if 'yes' is specified.
  kerberos      -Provides Kerberos authentication if 'yes' is specified.
  psk           -Provides authentication using a specified preshared key.
  rootca        -Provides authentication using a specified root certificate,
                 attempts to map the cert if certmap:Yes is specified,
                 excludes the CA name if excludecaname:Yes is specified.

Remarks: 1. Certificate, mapping, and CA name settings are all to be within
             quotes; embedded quotes are to be replaced with \'.
          2. Certificate mapping is valid only for domain members.
          3. Multiple certificates can be provided by using the rootca
             parameter multiple times.
          4. The preference of each authentication method is determined by
             its order in the command.
          5. If no auth methods are stated, dynamic defaults are used.
          6. All authentication methods are overwritten with the stated list.
          7. Excluding the root certification authority (CA) name prevents
             the name from being sent as part of the certificate request.

Examples: 1. set rule name=Rule policy=Policy activate=yes
             rootca="C=US,O=MSFT,CN=\'Microsoft North, South, East, and West
             Root Authority\' certmap:yes excludecaname:no"
          2. set rule id=3 Policy newname=RuleNew tunnel=192.165.123.156

Sets the current policy store.

netsh ipsec static set store


C:\Windows>netsh ipsec static set store ?

Usage: 
  store [location = ] (local | domain)
        [ [ domain = ] <string> ]

Sets the current IPsec policy storage location.

Parameters: 

  Tag         Value
  location    Location of the IPsec policy store.
  domain      Domain name (only applies to the domain location).

Remarks: 1. The local store contains IPsec policies that can be assigned to
             secure this computer. If a domain policy is available, the
             domain policy is applied instead of the local policy.
          2. The domain store contains IPsec policies that can be assigned to
             secure groups of computers in a domain.
          3. Use the 'set machine' command to configure a remote computer.
          4. The default store is Local. Changes to the store setting persist
             only as long as the current Netsh session. If you need to run
             multiple commands in the same store from a batch file, use the
             'Netsh Exec' when executing your batch file.
          5. Persistent store and persistent policy is not supported. 


Examples: 1. set store location= 
local
           - uses the local store of the current computer 
.
          2. set store location=domain domain=example.microsoft. 
com
           - uses the domain policy store for example.microsoft.com 
.

Displays details of policies and related information.

netsh ipsec static show


C:\Windows>netsh ipsec static show ?

The following commands are available:

Commands in this context:
show all       - Displays details of all policies and related information.
show filteraction - Displays filter action details.
show filterlist - Displays filter list details.
show gpoassignedpolicy - Displays details of a group assigned policy.
show policy    - Displays policy details.
show rule      - Displays rule details.
show store     - Displays the current policy store.

Displays details of all policies and related information.

netsh ipsec static show all


C:\Windows>netsh ipsec static show all ?

Usage: 
  all  [ [ format = ] (list | table) ]
       [ [ wide = ] (yes | no) ]

  Displays all policies, filter lists, and filter actions.

Parameters: 

  Tag           Value
  format       -Output in screen or tab-delimited format.
  wide         -If set to 'no', the name and description are truncated
                to fit the screen width of 80 characters.

Remarks: 

Examples: show all

Displays filter action details.

netsh ipsec static show filteraction


C:\Windows>netsh ipsec static show filteraction ?

Usage: 
  filteraction  [ name = ] <string>  | [ rule = ] <string> | [ all ]
                [ [ level = ] (verbose | normal) ]
                [ [ format = ] (list | table) ]
                [ [ wide = ] (yes | no) ]

  Displays the details of a filter action

Parameters: 

  Tag                 Value
  name | rule | all  -Name of the filter action, rule name, or 'all'.
  level              -Verbose or normal.
  format             -Output in screen or tab-delimited format
  wide               -If set to 'no', the name and description are truncated
                      to fit the screen width of 80 characters.

Remarks: If 'all' is specified, all filter actions are displayed.

Examples: 1. show filteraction FilterAction1
           - shows the details of the filter action named FilterAction1
          2. show filteraction rule=Rule1
           - shows the filter action used by the rule named Rule1
          3. show filteraction all
           - shows all filter actions

Displays filter list details.

netsh ipsec static show filterlist


C:\Windows>netsh ipsec static show filterlist ?

Usage: 
  filterlist [ name = ] <string> | [ rule = ] <string> | [ all ]
             [ [ level = ] (verbose | normal) ]
             [ [ format = ] (list | table) ]
             [ [ resolvedns = ] (yes | no) ]
             [ [ wide = ] (yes | no) ]

  Displays the details of a filter list

Parameters: 

  Tag                 Value
  name | rule | all  -Name of the filter list, rule name, or 'all'.
  level              -Verbose or normal.
  format             -Output in screen or tab-delimited format.
  resolvedns         -Value of 'yes' will force the verbose output to show
                      the current dns mapping for ip addresses and dns
                      names that are stored in the filter fields.
  wide               -If set to 'no', the name and description are truncated
                      to fit the screen width of 80 characters.

Remarks: If 'all' is specified, all filter lists are displayed.

Examples: show filterlist Filterlist=Filterlist1 resolvedns=yes wide=yes

Displays details of a group assigned policy.

netsh ipsec static show gpoassignedpolicy


C:\Windows>netsh ipsec static show gpoassignedpolicy ?

Usage: 
  gpoassignedpolicy [name = ] <string>

  Displays the details of the active policy for the specified GPO.

Parameters: 

  Tag            Value
  Name          -Local AD Group policy object name.


Remarks: 1. if the current store is domain, the name parameter
            is required, otherwise it is not allowed

Examples: 1. show gpoassignedpolicy name=GPO1
           - shows the assigned domain policy to GPO1.
          2. show gpoassignedpolicy
           - shows currently assigned policy on this computer.

Displays policy details.

netsh ipsec static show policy


C:\Windows>netsh ipsec static show policy ?

Usage: 
  policy [ name = ] <string> | [ all ]
         [ [ level = ] (verbose | normal) ]
         [ [ format = ] (list | table) ]
         [ [ wide = ] (yes | no) ]

  Displays the details of a policy

Parameters: 

  Tag            Value
  name | all    -Name of the policy or 'all'.
  level         -Verbose or normal.
  format        -Output in screen or tab-delimited format.
  wide          -If set to 'no', the name and description are truncated
                 to fit the screen width of 80 characters.

Remarks: If 'all' is specified, all policy details are displayed.

Examples: show policy Policy1 wide=yes format=table

Displays rule details.

netsh ipsec static show rule


C:\Windows>netsh ipsec static show rule ?

Usage: 
  rule [ name = ] <string>  | [ id = ] <integer> ] | [ all ] | [default]
       [ policy = ] <string> 
       [ [ type = ] (tunnel | tranport) ]
       [ [ level = ] (verbose | normal) ]
       [ [ format = ] (list | table) ]
       [ [ wide = ] (yes | no) ]

  Displays the details of rules for the policy.

Parameters: 

  Tag                         Value
  name | id | all | default  -Name of the rule, its id, 'all', or 'default'.
  policy                     -Name of the policy.
  type                       -Rule type is 'transport' or 'tunnel'.
  level                      -Verbose or normal.
  format                     -Output in screen or tab-delimited format.
  wide                       -If set to 'no', the name and description are
                              truncated to fit the screen width of 80
                              characters.

Remarks: 1. If 'all' is specified, all rules are displayed.
          2. If the type parameter is specified, 'all' needs to be specified.

Examples: 1. show rule all type=transport policy=Policy1
           - shows all the transport rules of the policy named Policy1.
          2. show rule id=1 policy=Policy1
           - shows the first rule of the policy.
          3. show rule default policy=Policy1
           - shows the details of the default response rule of Policy1.

Displays the current policy store.

netsh ipsec static show store


C:\Windows>netsh ipsec static show store ?

Usage: 
  store

Examples: show store



- de -/- en -









Windows-10


... Windows 10 FAQ
... Windows 10 How To


Windows 10 How To


... Windows 11 How To
... Windows 10 FAQ



HTTP: ... console/en/index.htm
0.202
7699
Windows x64 operating systems, whats that? What is word? Was ist ein Browser? Environment variables in the Windows 11, 10, ... Registry! Uninstall WinPing and portable use on Windows Desktops and Server OS! What does VSync mean? Was bedeutet Mounten? Muss Windows 7 (8.1, 10, 11) immer auf NTFS Festplattenpartion installiert sein? What is Multi-Core Processors? Windows 7 ohne Aktivierung?



(0)