New-NetIPsecAuthProposal



This is the built-in help made by Microsoft for the command 'New-NetIPsecAuthProposal', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Creates a main mode authentication proposal that specifies a suite of authentication protocols to offer in IPsec main mode negotiations with other computers.

SYNTAX


New-NetIPsecAuthProposal [-User] [-Cert] [-AccountMapping] [-AuthorityType <CertificateAuthorityType>] [-ExcludeCAName] [-ExtendedKeyUsage <String[]>] [-FollowRenewal]
[-SelectionCriteria] [-Signing <CertificateSigningAlgorithm>] [-SubjectName <String>] [-SubjectNameType <CertificateSubjectType>] [-Thumbprint <String>]
[-ValidationCriteria] -Authority <String> [<CommonParameters>]

New-NetIPsecAuthProposal [-Machine] [[-Health]] [-Cert] [-AccountMapping] [-AuthorityType <CertificateAuthorityType>] [-ExcludeCAName] [-ExtendedKeyUsage <String[]>]
[-FollowRenewal] [-SelectionCriteria] [-Signing <CertificateSigningAlgorithm>] [-SubjectName <String>] [-SubjectNameType <CertificateSubjectType>] [-Thumbprint <String>]
[-ValidationCriteria] -Authority <String> [<CommonParameters>]

New-NetIPsecAuthProposal [-Anonymous] [<CommonParameters>]

New-NetIPsecAuthProposal [-User] [-Kerberos] [-Proxy <String>] [<CommonParameters>]

New-NetIPsecAuthProposal [-Machine] [-Kerberos] [-Proxy <String>] [<CommonParameters>]

New-NetIPsecAuthProposal [-Machine] [-Ntlm] [<CommonParameters>]

New-NetIPsecAuthProposal [-Machine] [-PreSharedKey] <String> [<CommonParameters>]

New-NetIPsecAuthProposal [-User] [-Ntlm] [<CommonParameters>]




DESCRIPTION


The New-NetIPsecAuthProposal cmdlet creates a single authentication proposal to be used in IPsec main mode negotiations. An authentication proposal describes a single
authentication method that the computer would accept as valid proof of the identity of the peer. This cmdlet is also used to authenticate the identity of the local user, so
that a peer computer would accept the proof.


Multiple network IPsec authentication proposals are grouped into a single network IPsec phase 1 authentication set or network IPsec phase 2 authentication set. Each
set is a list of proposals in order of preference. A phase 1 authentication is generally used for computer authentication, and a phase 2 authentication is used for user
authentication or computer health certification. See the New-NetIPsecPhase1AuthSet and New-NetIPsecPhase2AuthSet cmdlets for more information. The authentication method,
such as Kerberos v5, certificate, or pre-shared key authentication, is provided by a network IPsec authentication proposal and is specified through a network IPsec phase 1
authentication set; a successful phase 1 authentication is required to establish a main mode security association. See the Get-NetIPsecMainModeSA and
Get-NetIPsecQuickModeSA cmdlets for more information.




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkId=287915
Get-NetIPsecMainModeSA
New-NetIPsecPhase1AuthSet
New-NetIPsecPhase2AuthSet
New-NetIPSecRule

REMARKS


Examples


EXAMPLE 1

PS C:\>$cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN='Microsoft Root Authority'" -AuthorityType Root

PS C:\>$cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root

PS C:\>$certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal

PS C:\>New-NetIPSecRule -DisplayName "Authenticate with Certificates Rule" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet $certAuthSet.Name



This example creates a rule that requires that incoming connections are authenticated by using either of two computer certificates. The computer also requests authentication
for outbound connections, but allows an outbound connection if authentication is not successful.




EXAMPLE 2

PS C:\>$mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos

PS C:\>$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM

PS C:\>$p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "First Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop

PS C:\>$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos

PS C:\>$unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM

PS C:\>$anonyauthprop = New-NetIPsecAuthProposal -Anonymous

PS C:\>$p2Auth = New-NetIPsecPhase2AuthSet -DisplayName "Second User Auth" -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop

PS C:\>New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $p1Auth.Name -Phase2AuthSet $p2Auth.Name



This example creates a rule that requires a first (computer) authentication and attempts a second (user) authentication. The second authentication is effectively optional because the phase 2 set ends with an anonymous proposal, which is accepted when neither Kerberos nor NTLM user authentication succeeds.
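The following is an added example, not part of the Microsoft help text or the examples above. It shows the certificate-specific parameters listed under SYNTAX (-Signing, -AuthorityType, -SelectionCriteria, -ValidationCriteria, -FollowRenewal) in a phase 1 set that prefers an ECDSA-signed machine certificate from an internal CA and falls back to Kerberos, and then checks what was actually negotiated. The CA distinguished name, the display names and the variable names are constructed placeholders.

```powershell
# Added example (not from the original help page). Builds an ordered phase 1
# authentication set and a rule that uses it, then inspects the result.
# "Example Internal Root CA" and the display names are constructed values.

# Proposal 1: machine certificate chained to the internal root CA and signed
# with ECDSA P-256. -ValidationCriteria applies these constraints to the
# peer's certificate; -SelectionCriteria uses them to pick the local
# certificate; -FollowRenewal keeps the proposal valid across cert renewal.
$ecdsaCert = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "C=US,O=EXAMPLE,CN='Example Internal Root CA'" `
    -AuthorityType Root `
    -Signing ECDSA256 `
    -SelectionCriteria -ValidationCriteria `
    -FollowRenewal

# Proposal 2: Kerberos v5 machine authentication as the fallback for domain
# members that have not been issued a certificate yet.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos

# The set is offered in list order, so the certificate proposal is preferred.
$p1 = New-NetIPsecPhase1AuthSet -DisplayName "Machine Cert then Kerberos" `
    -Proposal $ecdsaCert, $kerb

# Require phase 1 authentication inbound; request it outbound so the host
# can still reach peers that do not run IPsec.
New-NetIPSecRule -DisplayName "Require Machine Auth" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1.Name

# Confirm the rule is bound to the intended set and, once traffic has
# flowed, see which method each main mode SA actually used.
Get-NetIPsecRule -DisplayName "Require Machine Auth" | Get-NetIPsecPhase1AuthSet
Get-NetIPsecMainModeSA | Format-List
```

Proposal order is the control that matters here: because the set is tried in order of preference, the stronger certificate method is only bypassed for peers that cannot present a qualifying certificate. The -PreSharedKey form shown under SYNTAX is a single secret shared by every peer and stored in the policy, so it is best kept out of sets that protect production hosts.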