1. IPsec components and basic operation flow

IP security policy list: made up of one or more IP security policies

IP security policy: made up of one or more rules

Rule: made up of one IP filter list and the filter action applied to it

IP filter list: made up of one or more IP filters

Filter action: permit or block


Operation flow: create the IP security policy --> create the filter actions --> create the IP filter lists --> create the policy rules --> assign (activate) the IP security policy


2. Complete example

REM Clear the store: removes every existing static IPsec policy, filter list and filter action
netsh ipsec static del all

REM Create the IP security policy
netsh ipsec static add policy name=MyIPSec

REM Create the two filter actions (block and permit)
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block action=block

REM First deny all traffic (create the IP filter list, then the policy rule)
REM srcaddr=Me dstaddr=Any with mirrored=yes matches both directions
netsh ipsec static add filterlist name=AllAccess
netsh ipsec static add filter filterlist=AllAccess srcaddr=Me dstaddr=Any mirrored=yes
netsh ipsec static add rule name=BlockAllAccess policy=MyIPSec filterlist=AllAccess filteraction=Block

REM Allow certain addresses unrestricted access (create the IP filter list, then the policy rule)
netsh ipsec static add filterlist name=UnLimitedIP
netsh ipsec static add filter filterlist=UnLimitedIP srcaddr=192.168.120.83 dstaddr=Me mirrored=yes
netsh ipsec static add rule name=AllowUnLimitedIP policy=MyIPSec filterlist=UnLimitedIP filteraction=Permit

REM Open certain ports to everyone (create the IP filter list, then the policy rule)
netsh ipsec static add filterlist name=OpenSomePort
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3389 protocol=TCP mirrored=yes
netsh ipsec static add rule name=AllowOpenSomePort policy=MyIPSec filterlist=OpenSomePort filteraction=Permit

REM Allow this host to reach certain ports on any address: ICMP, HTTP, HTTPS and DNS
REM (create the IP filter list, then the policy rule; mirrored=yes also admits the replies)
netsh ipsec static add filterlist name=SomeIPSomePort
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any protocol=ICMP mirrored=yes
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP mirrored=yes
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=443 protocol=TCP mirrored=yes
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=53 protocol=TCP mirrored=yes
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=53 protocol=UDP mirrored=yes
netsh ipsec static add rule name=AllowSomeIPSomePort policy=MyIPSec filterlist=SomeIPSomePort filteraction=Permit

REM Assign (activate) the IP security policy
netsh ipsec static set policy name=MyIPSec assign=y

REM ================= end ================



3. Additional operations


Delete a rule

netsh ipsec static del rule name=BlockAllAccess policy=MyIPSec

Delete a filter list

netsh ipsec static del filterlist name=AllAccess

Export the policy

netsh ipsec static exportpolicy file=d:\MyIPSec.ipsec

Import the policy

netsh ipsec static importpolicy file=d:\MyIPSec.ipsec
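The procedure of section 2 combined with the export of section 3, written as one parameterized PowerShell script. This is an added example, not code from the original page: it exports whatever static policy exists before `del all` so there is a rollback path via importpolicy, refuses to continue if the management-host list is empty, builds the same four rule sets from variables, assigns the policy and prints it back for confirmation. The names `$PolicyName`, `$MgmtHosts`, `$InboundTcpPorts`, `$OutboundRules`, `$BackupDir`, `Invoke-Netsh` and the path `C:\ipsec-backup` are this example's own, and it assumes netsh returns a non-zero exit code when a command is rejected. Two points the page leaves implicit: Windows IPsec evaluates filters by specificity, so the Permit rules for particular addresses and ports take precedence over the catch-all Block rule regardless of the order in which they were created; and because everything not listed is blocked, the address you are administering from must appear in the management list or the session is lost the moment the policy is assigned.

```powershell
# Added example (not code from the original page): the section 2 procedure as a
# parameterized PowerShell script, with the section 3 export used as a backup
# before the policy store is cleared. Run from an elevated PowerShell on the host.
# $PolicyName, $MgmtHosts, $InboundTcpPorts, $OutboundRules, $BackupDir and
# Invoke-Netsh are this script's own names, not identifiers from the page.

$PolicyName      = 'MyIPSec'
$MgmtHosts       = @('192.168.120.83')   # addresses allowed unrestricted access (constructed)
$InboundTcpPorts = @(3389)               # TCP services anyone may reach on this host
$OutboundRules   = @(                    # traffic this host may initiate; ICMP has no port
    @{ Protocol = 'ICMP'; Port = $null },
    @{ Protocol = 'TCP';  Port = 80 },
    @{ Protocol = 'TCP';  Port = 443 },
    @{ Protocol = 'TCP';  Port = 53 },
    @{ Protocol = 'UDP';  Port = 53 }
)
$BackupDir = 'C:\ipsec-backup'           # constructed path for the exported policy

# Run one "netsh ipsec static" command and stop the script if it fails.
# Assumption: netsh returns a non-zero exit code when a command is rejected.
function Invoke-Netsh {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & netsh ipsec static $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($Arguments -join ' ') failed ($LASTEXITCODE): $out"
    }
    $out
}

# Lockout guard: a block-all policy with no management address cuts every remote
# session. RDP survives only because 3389 is published; WinRM, SSH or any other
# management channel is blocked unless its client address is in $MgmtHosts.
if ($MgmtHosts.Count -eq 0) {
    throw 'Refusing to assign a block-all policy without a management host'
}

# Backup first: export whatever static policy exists so "importpolicy" can restore it.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('ipsec-' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.ipsec')
try   { Invoke-Netsh 'exportpolicy', "file=$backup" | Out-Null }
catch { Write-Warning "No existing policy exported before clearing the store: $_" }

# Clear the store (every static policy, filter list and filter action), then create
# the policy and its two filter actions, in the order section 1 prescribes.
Invoke-Netsh 'del', 'all' | Out-Null
Invoke-Netsh 'add', 'policy', "name=$PolicyName" | Out-Null
Invoke-Netsh 'add', 'filteraction', 'name=Permit', 'action=permit' | Out-Null
Invoke-Netsh 'add', 'filteraction', 'name=Block', 'action=block' | Out-Null

# Default deny: this host <-> anywhere; mirrored=yes adds the reverse filter.
Invoke-Netsh 'add', 'filterlist', 'name=AllAccess' | Out-Null
Invoke-Netsh 'add', 'filter', 'filterlist=AllAccess', 'srcaddr=Me', 'dstaddr=Any', 'mirrored=yes' | Out-Null
Invoke-Netsh 'add', 'rule', 'name=BlockAllAccess', "policy=$PolicyName", 'filterlist=AllAccess', 'filteraction=Block' | Out-Null

# Management hosts: unrestricted, one filter per address.
Invoke-Netsh 'add', 'filterlist', 'name=UnLimitedIP' | Out-Null
foreach ($h in $MgmtHosts) {
    Invoke-Netsh 'add', 'filter', 'filterlist=UnLimitedIP', "srcaddr=$h", 'dstaddr=Me', 'mirrored=yes' | Out-Null
}
Invoke-Netsh 'add', 'rule', 'name=AllowUnLimitedIP', "policy=$PolicyName", 'filterlist=UnLimitedIP', 'filteraction=Permit' | Out-Null

# Published services: anyone may reach these TCP ports on this host.
Invoke-Netsh 'add', 'filterlist', 'name=OpenSomePort' | Out-Null
foreach ($p in $InboundTcpPorts) {
    Invoke-Netsh 'add', 'filter', 'filterlist=OpenSomePort', 'srcaddr=Any', 'dstaddr=Me', "dstport=$p", 'protocol=TCP', 'mirrored=yes' | Out-Null
}
Invoke-Netsh 'add', 'rule', 'name=AllowOpenSomePort', "policy=$PolicyName", 'filterlist=OpenSomePort', 'filteraction=Permit' | Out-Null

# Outbound: what this host itself may initiate; the mirror filter admits the replies.
Invoke-Netsh 'add', 'filterlist', 'name=SomeIPSomePort' | Out-Null
foreach ($r in $OutboundRules) {
    $f = @('add', 'filter', 'filterlist=SomeIPSomePort', 'srcaddr=Me', 'dstaddr=Any', "protocol=$($r.Protocol)", 'mirrored=yes')
    if ($r.Port) { $f += "dstport=$($r.Port)" }
    Invoke-Netsh $f | Out-Null
}
Invoke-Netsh 'add', 'rule', 'name=AllowSomeIPSomePort', "policy=$PolicyName", 'filterlist=SomeIPSomePort', 'filteraction=Permit' | Out-Null

# Assign the policy and print its definition so the operator can confirm it is active.
Invoke-Netsh 'set', 'policy', "name=$PolicyName", 'assign=y' | Out-Null
Invoke-Netsh 'show', 'policy', "name=$PolicyName"
Write-Host "Policy '$PolicyName' assigned; previous store exported to $backup"
```

To roll back, run `netsh ipsec static set policy name=MyIPSec assign=n` and then `netsh ipsec static importpolicy file=<the exported file>`; the export path is printed at the end of the script for that purpose.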