#1

Bad choice in NETSH.EXE for configuring IPSec

NETSH.EXE does not allow both the actioninbound and actionoutbound to be "block" in Vista 5728. The following generates an error message in Vista 5728, but works fine in Win2k3:

    netsh.exe ipsec dynamic add mmpolicy name=temp
    netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any mmpolicy=temp actioninbound=block actionoutbound=block

This is unfortunate because it is handy to use IPSec for packet filtering. This seems to be a useless artificial limitation in Vista and breaks compatibility with Win2k3. I hope it is fixed...
#2

Re: Bad choice in NETSH.EXE for configuring IPSec

IPsec rules, called "connection security rules" in the advanced MMC, now require negotiation. You'll use firewall rules for general packet filtering. I just tried these on my laptop, and they blocked everything:

    netsh advfirewall firewall add rule name="temp" dir=in action=block
    netsh advfirewall firewall add rule name="temp" dir=out action=block

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Walter Porter" <wporter23@aol.com> wrote in message news:OgDN9Mg$GHA.4676@TK2MSFTNGP04.phx.gbl...

> NETSH.EXE does not allow both the actioninbound and actionoutbound to be "block" in Vista 5728. The following generates an error message in Vista 5728, but works fine in Win2k3:
>
>     netsh.exe ipsec dynamic add mmpolicy name=temp
>     netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any mmpolicy=temp actioninbound=block actionoutbound=block
>
> This is unfortunate because it is handy to use IPSec for packet filtering. This seems to be a useless artificial limitation in Vista and breaks compatibility with Win2k3. I hope it is fixed...
#3

Re: Bad choice in NETSH.EXE for configuring IPSec

> IPsec rules ... now require negotiation.

Thank you for the response and the suggestion, but it still seems to be a pointless artificial limitation on the IPSec implementation, isn't consistent with Win2000/XP/2003, and complicates the task if you just want to stick with using IPSec alone. This also seems rather easy to fix before RTM.
#4

Re: Bad choice in NETSH.EXE for configuring IPSec

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Walter Porter" <wporter23@aol.com> wrote in message news:ObU663bAHHA.1224@TK2MSFTNGP04.phx.gbl...

> > IPsec rules ... now require negotiation.
>
> Thank you for the response and the suggestion, but it still seems to be a pointless artificial limitation on the IPSec implementation, isn't consistent with Win2000/XP/2003, and complicates the task if you just want to stick with using IPSec alone. This also seems rather easy to fix before RTM.
#5

Re: Bad choice in NETSH.EXE for configuring IPSec

It was more of a happy accident that the IPsec engine in 2000/XP/2003 could be used as a rudimentary packet filter. However, it really isn't the best choice, since it lacks an understanding of TCP connection states ("stateful inspection" as it's commonly called). A firewall is the appropriate choice for performing packet filtering.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Walter Porter" <wporter23@aol.com> wrote in message news:ObU663bAHHA.1224@TK2MSFTNGP04.phx.gbl...

> > IPsec rules ... now require negotiation.
>
> Thank you for the response and the suggestion, but it still seems to be a pointless artificial limitation on the IPSec implementation, isn't consistent with Win2000/XP/2003, and complicates the task if you just want to stick with using IPSec alone. This also seems rather easy to fix before RTM.
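The firewall-rule approach from post #2, carried one step further as an added example (this is not code from the thread or from Microsoft): it shows why two blanket block rules cannot later be punched through with allow rules, and uses the firewall's connection tracking from post #5 to keep a management session alive under a default-deny policy. The rule names, the 192.0.2.10 management address and the ports are assumed placeholders.

```batch
@echo off
rem Added example, not from the thread. Run from an elevated command prompt
rem on Vista or later. Rule names, address and ports below are constructed
rem placeholders.

rem The two "temp" rules in post #2 block every packet, including the remote
rem session used to manage the box. In Windows Firewall an explicit block rule
rem outranks any allow rule, so adding an allow rule afterwards does NOT punch
rem through them. Instead make "block" the profile's default policy, which
rem allow rules CAN override, and then allow only what is needed.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem Allow RDP to this host from one management station only
rem (192.0.2.10 is a documentation address used as a placeholder).
netsh advfirewall firewall add rule name="mgmt-rdp-in" dir=in action=allow ^
    protocol=TCP localport=3389 remoteip=192.0.2.10

rem Outbound default is block, yet the reply packets of the allowed inbound
rem RDP session still flow: the firewall tracks connection state, which is the
rem "stateful inspection" the IPsec filter in 2000/XP/2003 lacked (post #5).
rem Allow DNS and web out so the host itself stays usable.
netsh advfirewall firewall add rule name="mgmt-dns-out" dir=out action=allow ^
    protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="mgmt-web-out" dir=out action=allow ^
    protocol=TCP remoteport=80,443

rem Verify that the default policy and the rules actually landed.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all | findstr /c:"mgmt-"

rem Roll back to the Vista defaults (block in, allow out) and drop the rules.
rem netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
rem netsh advfirewall firewall delete rule name="mgmt-rdp-in"
rem netsh advfirewall firewall delete rule name="mgmt-dns-out"
rem netsh advfirewall firewall delete rule name="mgmt-web-out"
```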