Real Geek Forums > Archives > Operating Systems > Windows Vista > Windows Vista Security > Bad choice in NETSH.EXE for configuring IPSec

Bad choice in NETSH.EXE for configuring IPSec

Posted: 11-01-2006, 09:16 PM
Walter Porter
Guest
Posts: n/a
 
NETSH.EXE does not allow both the actioninbound and actionoutbound to be
"block" in Vista 5728.

The following generates an error message in Vista 5728, but works fine in
Win2k3:

netsh.exe ipsec dynamic add mmpolicy name=temp
netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any mmpolicy=temp
actioninbound=block actionoutbound=block

This is unfortunate because it is handy to use IPSec for packet filtering.
This seems to be a useless artificial limitation in Vista and breaks
compatibility with Win2k3. I hope it is fixed...






Reply With Quote

Responses to "Bad choice in NETSH.EXE for configuring IPSec"

Steve Riley [MSFT]
Guest
Posts: n/a
 
Re: Bad choice in NETSH.EXE for configuring IPSec
Posted: 11-04-2006, 10:21 PM
IPsec rules, called "connection security rules" in the advanced MMC, now require negotiation. You'll use firewall rules for general packet filtering. I just tried these on my laptop, and they blocked everything:

netsh advfirewall firewall add rule name="temp" dir=in action=block
netsh advfirewall firewall add rule name="temp" dir=out action=block

__________________________________________________ ____
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Walter Porter" <wporter23@aol.com> wrote in message news:OgDN9Mg$GHA.4676@TK2MSFTNGP04.phx.gbl...
NETSH.EXE does not allow both the actioninbound and actionoutbound to be
"block" in Vista 5728.

The following generates an error message in Vista 5728, but works fine in
Win2k3:

netsh.exe ipsec dynamic add mmpolicy name=temp
netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any mmpolicy=temp
actioninbound=block actionoutbound=block

This is unfortunate because it is handy to use IPSec for packet filtering.
This seems to be a useless artificial limitation in Vista and breaks
compatibility with Win2k3. I hope it is fixed...






Reply With Quote
Walter Porter
Guest
Posts: n/a
 
Re: Bad choice in NETSH.EXE for configuring IPSec
Posted: 11-06-2006, 03:08 PM
> IPsec rules ... now require negotiation.

Thank you for the response and the suggestion, but it still seems to be a
pointless artificial limitation on the IPSec implementation, isn't
consistent with Win2000/XP/2003, and complicates the task if you just want
to stick with using IPSec alone. This also seems rather easy to fix before
RTM.





Reply With Quote
Steve Riley [MSFT]
Guest
Posts: n/a
 
Re: Bad choice in NETSH.EXE for configuring IPSec
Posted: 11-06-2006, 10:04 PM


--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Walter Porter" <wporter23@aol.com> wrote in message news:ObU663bAHHA.1224@TK2MSFTNGP04.phx.gbl...
> IPsec rules ... now require negotiation.
Thank you for the response and the suggestion, but it still seems to be a
pointless artificial limitation on the IPSec implementation, isn't
consistent with Win2000/XP/2003, and complicates the task if you just want
to stick with using IPSec alone. This also seems rather easy to fix before
RTM.





Reply With Quote
Steve Riley [MSFT]
Guest
Posts: n/a
 
Re: Bad choice in NETSH.EXE for configuring IPSec
Posted: 11-06-2006, 10:06 PM
It was more of a happy accident that the IPsec engine in 2000/XP/2003 could be used as a rudimentary packet filter. However, it really isn't the best choice, since it lacks an understanding of TCP connection states ("stateful inspection" as it's commonly called). A firewall is the appropriate choice for performing packet filtering.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Walter Porter" <wporter23@aol.com> wrote in message news:ObU663bAHHA.1224@TK2MSFTNGP04.phx.gbl...
> IPsec rules ... now require negotiation.
Thank you for the response and the suggestion, but it still seems to be a
pointless artificial limitation on the IPSec implementation, isn't
consistent with Win2000/XP/2003, and complicates the task if you just want
to stick with using IPSec alone. This also seems rather easy to fix before
RTM.





Reply With Quote
 
LinkBack Thread Tools Display Modes
Reply

« Previous Thread | Next Thread »

Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Forum Jump


Similar Threads
Thread Thread Starter Forum Replies Last Post
netsh examples Ferruh Sarisac Windows Vista Networking & Sharing 1 06-18-2007 11:57 AM
template with Netsh James Windows Vista Networking & Sharing 6 05-16-2007 03:17 AM
Netsh in Vista Michael Henderson Windows Vista Networking & Sharing 1 12-14-2006 03:48 AM
Configuring web certificate for ssl using netsh on vista rc2 codedurenard Windows Vista Security 1 11-10-2006 08:46 PM
netsh problem Andrea Windows XP Embedded 3 07-21-2003 03:33 PM