
New-NetIPsecAuthProposal



This is the built-in help made by Microsoft for the command 'New-NetIPsecAuthProposal', in PowerShell version 4 - as retrieved from Windows version 'Microsoft Windows 8.1 Enterprise' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Creates a main mode authentication proposal that specifies a suite of authentication protocols to offer in IPsec main mode negotiations with other computers.

SYNTAX


New-NetIPsecAuthProposal [-User] [-Cert] [-AccountMapping] [-AuthorityType <CertificateAuthorityType>] [-ExcludeCAName] [-ExtendedKeyUsage <String[]>] [-FollowRenewal] [-SelectionCriteria] [-Signing <CertificateSigningAlgorithm>] [-SubjectName <String>] [-SubjectNameType <CertificateSubjectType>] [-Thumbprint <String>] [-ValidationCriteria] -Authority <String> [<CommonParameters>]
New-NetIPsecAuthProposal [-Machine] [[-Health]] [-Cert] [-AccountMapping] [-AuthorityType <CertificateAuthorityType>] [-ExcludeCAName] [-ExtendedKeyUsage <String[]>] [-FollowRenewal] [-SelectionCriteria] [-Signing <CertificateSigningAlgorithm>] [-SubjectName <String>] [-SubjectNameType <CertificateSubjectType>] [-Thumbprint <String>] [-ValidationCriteria] -Authority <String> [<CommonParameters>]
New-NetIPsecAuthProposal [-Anonymous] [<CommonParameters>]
New-NetIPsecAuthProposal [-User] [-Kerberos] [-Proxy <String>] [<CommonParameters>]
New-NetIPsecAuthProposal [-Machine] [-Kerberos] [-Proxy <String>] [<CommonParameters>]
New-NetIPsecAuthProposal [-Machine] [-Ntlm] [<CommonParameters>]
New-NetIPsecAuthProposal [-Machine] [-PreSharedKey] <String> [<CommonParameters>]
New-NetIPsecAuthProposal [-User] [-Ntlm] [<CommonParameters>]




DESCRIPTION


The New-NetIPsecAuthProposal cmdlet creates a single authentication proposal to be used in IPsec main mode negotiations. An authentication proposal describes a single authentication method that the computer would accept as valid proof of the identity of the peer. This cmdlet is also used to authenticate the identity of the local user, so that a peer computer would accept the proof.


Multiple network IPsec authentication proposals are grouped into a single network IPsec phase 1 authentication set or network IPsec phase 2 authentication set. Each set is a list of proposals in order of preference. A phase 1 authentication is generally used for computer authentication, and a phase 2 authentication is used for user authentication or computer health certification. See the New-NetIPsecPhase1AuthSet and New-NetIPsecPhase2AuthSet cmdlets for more information. The authentication method, such as Kerberos v5, certificate, or pre-shared key authentication, is provided by a network IPsec authentication proposal and specified through a network IPsec phase 1 authentication set; an accepted phase 1 proposal is required for a successful main mode security association. See the Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA cmdlets for more information.




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkId=287915
Get-NetIPsecMainModeSA
New-NetIPsecPhase1AuthSet
New-NetIPsecPhase2AuthSet
New-NetIPSecRule

REMARKS


Examples


EXAMPLE 1

PS C:\>$cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN='Microsoft Root Authority'" -AuthorityType Root



PS C:\>$cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root



PS C:\>$certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal



PS C:\>New-NetIPSecRule -DisplayName "Authenticate with Certificates Rule" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet $certAuthSet.Name   # a set created by New-NetIPsecPhase1AuthSet binds to -Phase1AuthSet



This example creates a rule that requires that incoming connections are authenticated by using either of two computer certificates. The computer also requests authentication for outbound connections, but allows an outbound connection if authentication is not successful.




EXAMPLE 2

PS C:\>$mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos



PS C:\>$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM



PS C:\>$p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "First Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop



PS C:\>$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos



PS C:\>$unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM



PS C:\>$anonyauthprop = New-NetIPsecAuthProposal -Anonymous



PS C:\>$p2Auth = New-NetIPsecPhase2AuthSet -DisplayName "Second User Auth" -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop



PS C:\>New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $p1Auth.Name -Phase2AuthSet $p2Auth.Name



This example creates a rule that requires a first, or computer, authentication and attempts a second, or user, authentication; the Anonymous proposal at the end of the phase 2 set is what makes the user authentication optional.
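The following is an added example, not part of the Microsoft help text, that applies the ordering and phase rules described above: a phase 1 set that prefers computer Kerberos and falls back to a certificate, a phase 2 set that requires user Kerberos with no Anonymous fallback, and a read-back of the rule and of the live main mode SAs to confirm what was negotiated. The CA subject, display names, and the main mode SA property names in the last Select-Object are assumptions.

```powershell
# Added example (not from the Microsoft help text). Assumed values: the CA
# subject, the display names, and the Get-NetIPsecMainModeSA property names.
$ErrorActionPreference = 'Stop'

# Phase 1 (computer) proposals, in order of preference: Kerberos first,
# certificate issued by the assumed root CA as the fallback.
$p1Kerberos = New-NetIPsecAuthProposal -Machine -Kerberos
$p1Cert     = New-NetIPsecAuthProposal -Machine -Cert `
                  -Authority "C=US,O=EXAMPLE,CN='Example Root CA'" -AuthorityType Root
$p1Set = New-NetIPsecPhase1AuthSet -DisplayName "Computer Auth (Kerberos, then Cert)" `
             -Proposal $p1Kerberos,$p1Cert

# Phase 2 (user) proposal: Kerberos only. Unlike Example 2 above, no -Anonymous
# proposal is appended, so a peer that cannot prove a user identity is refused
# rather than accepted on computer authentication alone.
$p2Kerberos = New-NetIPsecAuthProposal -User -Kerberos
$p2Set = New-NetIPsecPhase2AuthSet -DisplayName "User Auth (Kerberos only)" `
             -Proposal $p2Kerberos

# Require authentication in both directions and bind each set to its own phase:
# the phase 1 set goes to -Phase1AuthSet, the phase 2 set to -Phase2AuthSet.
$ruleName = "Require Computer and User Kerberos"
New-NetIPSecRule -DisplayName $ruleName `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1Set.Name -Phase2AuthSet $p2Set.Name

# Read the rule back and confirm it references the intended sets and enforces
# Require (not Request) in both directions.
Get-NetIPsecRule -DisplayName $ruleName |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, Phase2AuthSet

# Inspect which method each live main mode SA actually negotiated. Property
# names are assumed from typical Get-NetIPsecMainModeSA output; adjust if they
# differ on the target Windows version.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod, SecondAuthenticationMethod
```

Run from an elevated PowerShell session; the rule is created in the default policy store, so remove it with Remove-NetIPsecRule -DisplayName "Require Computer and User Kerberos" when finished testing.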