1、IPsec组成及操作基本流程
IP安全策略列表:由多个IP安全策略组成
IP安全策略:由一个或多个规则组成
规则:由一个IP筛选器列表和一个相应的筛选器操作组成
IP筛选器列表:由一个或多个IP筛选器组成
筛选器操作:permit或block
操作流程:创建IP安全策略-->创建筛选器操作-->创建IP筛选器列表-->创建策略规则-->激活IP安全策略
2、完整实例
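REM Reset: removes EVERY existing static IPsec policy, filter list and
REM filter action on this host, not only MyIPSec. Run this only on a host
REM whose IPsec configuration is managed exclusively by this script.
REM NOTE(review): "netsh ipsec static" is a legacy interface; on current
REM Windows versions the advfirewall/WFAS tooling is the supported path -
REM confirm for the target OS before relying on this script.
netsh ipsec static del all
REM Address that gets unrestricted access. Kept in a variable so the
REM host-specific value is edited in exactly one place.
set TRUSTED_IP=192.168.120.83
REM Create the IP security policy. Nothing is enforced until it is
REM assigned in the last step.
netsh ipsec static add policy name=MyIPSec
REM Create the two filter actions. Both are plain packet-filter actions:
REM "permit" passes traffic in clear text and "block" drops it; neither
REM negotiates IPsec security associations or encrypts anything.
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block action=block
REM Default deny: block all traffic between this host (Me) and any
REM address; mirrored=yes covers the Any->Me direction as well. The
REM permit rules below take precedence because IPsec evaluates the most
REM specific matching filter first.
netsh ipsec static add filterlist name=AllAccess
netsh ipsec static add filter filterlist=AllAccess srcaddr=Me dstaddr=Any mirrored=yes
netsh ipsec static add rule name=BlockAllAccess policy=MyIPSec filterlist=AllAccess filteraction=Block
REM Unrestricted access for the trusted address, in both directions.
netsh ipsec static add filterlist name=UnLimitedIP
netsh ipsec static add filter filterlist=UnLimitedIP srcaddr=%TRUSTED_IP% dstaddr=Me mirrored=yes
netsh ipsec static add rule name=AllowUnLimitedIP policy=MyIPSec filterlist=UnLimitedIP filteraction=Permit
REM Inbound RDP (TCP 3389) from ANY source address. This exposes RDP on
REM every network the host is reachable from; if remote administration is
REM only needed from a management network, narrow srcaddr accordingly.
netsh ipsec static add filterlist name=OpenSomePort
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3389 protocol=TCP mirrored=yes
netsh ipsec static add rule name=AllowOpenSomePort policy=MyIPSec filterlist=OpenSomePort filteraction=Permit
REM Outbound services this host may use itself: ICMP, HTTP, HTTPS and DNS.
REM (The original heading described this as "some IPs to some ports", but
REM every filter is srcaddr=Me dstaddr=Any, i.e. this host to anywhere.)
REM Because the ICMP filter is mirrored it also permits inbound ICMP from
REM any address, so the host remains pingable from everywhere.
netsh ipsec static add filterlist name=SomeIPSomePort
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any protocol=ICMP mirrored=yes
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP mirrored=yes
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=443 protocol=TCP mirrored=yes
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=53 protocol=TCP mirrored=yes
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=53 protocol=UDP mirrored=yes
netsh ipsec static add rule name=AllowSomeIPSomePort policy=MyIPSec filterlist=SomeIPSomePort filteraction=Permit
REM Assign the policy. Everything above is configuration only; filtering
REM starts here. Between "del all" and this line the host has no IPsec
REM filtering, and if the script aborts before this line it stays that
REM way - check the outcome with "netsh ipsec static show all".
netsh ipsec static set policy name=MyIPSec assign=y
REM =================End================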
3、操作补充
删除规则
REM Remove one rule from the policy. The filter list and filter action
REM the rule referenced are separate objects and remain defined.
netsh ipsec static delete rule name=BlockAllAccess policy=MyIPSec
删除筛选器列表
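REM Delete a filter list. The original line used "add", which (re)creates
REM the list instead of removing it. If the list is still referenced by a
REM rule the deletion is expected to be refused - delete that rule first.
netsh ipsec static delete filterlist name=AllAccess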
导出策略
REM Export the static policy store to a file. The export holds the whole
REM store, not only MyIPSec; keep the file with the same care as any other
REM host configuration.
netsh ipsec static exportpolicy file=d:\MyIPSec.ipsec
导入策略
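REM Import the file written by exportpolicy. The path must match the
REM export exactly; the original line read ".ipsc", which is not the
REM ".ipsec" file produced above. After importing, confirm which policy is
REM assigned with "netsh ipsec static show all" before relying on it.
netsh ipsec static importpolicy file=d:\MyIPSec.ipsec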