
New-NetIPsecMainModeRule



This is the built-in help made by Microsoft for the command 'New-NetIPsecMainModeRule', in PowerShell version 3 - as retrieved from Windows version 'Microsoft Windows Server 2012 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, which have Update-Help, that command was run just before the web pages were generated from the help files.

SYNOPSIS

Creates an IPsec main mode rule that tells the computer which peers require IPsec security associations (SAs) for securing network traffic, and how to negotiate those SAs.

SYNTAX


New-NetIPsecMainModeRule [-AsJob [<SwitchParameter>]] [-CimSession <CimSession[]>] [-Description <String>] [-Enabled <Enabled>] [-GPOSession
<String>] [-Group <String>] [-LocalAddress <String[]>] [-MainModeCryptoSet <String>] [-Name <String>] [-Phase1AuthSet <String>] [-Platform
<String[]>] [-PolicyStore <String>] [-Profile <Profile>] [-RemoteAddress <String[]>] [-ThrottleLimit <Int32>] -DisplayName <String> [-Confirm
[<SwitchParameter>]] [-WhatIf [<SwitchParameter>]] [<CommonParameters>]




DESCRIPTION


The New-NetIPsecMainModeRule cmdlet creates an IPsec main mode rule.


A main mode rule contains a set of local and remote endpoints that determine the peers to which it applies. When an application on the local
computer attempts to communicate with one of these specified remote hosts, the computer attempts to establish a security association (SA) with
that remote host.


In order to set up this SA, the computers need to agree on how to authenticate with each other. The local computer will only agree to use one
of the proposals from the IPsec phase 1 authentication set associated with the main mode rule. See the New-NetIPsecPhase1AuthSet cmdlet for
more information.


The computers also need to agree on common encryption, hashing, and key exchange methods. The local computer will only agree to use one of the
cryptographic methods contained in the IPsec main mode cryptographic set associated with the main mode rule. See the
New-NetIPsecMainModeCryptoSet cmdlet for more information. When both the authentication and the cryptographic negotiation succeed, a main mode
SA is created; see the Get-NetIPsecMainModeSA cmdlet for more information. The main mode SA then protects the phase 2 (quick mode) negotiation
that produces the quick mode SAs carrying the actual traffic; see the Get-NetIPsecQuickModeSA cmdlet for more information.


A main mode rule offers four mandatory parameters that are negotiated as part of the main mode security association (SA):

-- The computer authentication method: Kerberos v5, certificate, or pre-shared key authentication that is provided by the
NetIPsecPhase1AuthSet object.

-- The encryption algorithm that is provided by the NetIPsecMainModeCryptoSet object.

-- The hashing algorithm that is provided by the NetIPsecMainModeCryptoSet object.

-- The Diffie-Hellman (DH) key exchange group to be used for the base keying material that is provided by the NetIPsecMainModeCryptoSet
object.


Note: Each main mode rule must be created in the policy store of the associated IPsec rule. If a particular rule applies to multiple IPsec
rules in different policy stores (GPOs), then the rule must be duplicated for each of those stores (so that policies can be updated without
linking issues). See the Copy-NetFirewallRule, Copy-NetIPsecMainModeCryptoSet, Copy-NetIPsecMainModeRule, Copy-NetIPsecPhase1AuthSet,
Copy-NetIPsecPhase2AuthSet, Copy-NetIPsecQuickModeCryptoSet, or Copy-NetIPsecRule cmdlet for more information.
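The following is an added, end-to-end example (it is not part of the original help page) that walks through the procedure described above: build a phase 1 authentication set, build a main mode cryptographic set, bind both to a main mode rule scoped to one peer, verify what was persisted, and then repeat the creation inside a GPO session as the note above requires. The CA subject name, the peer address 192.168.0.5, the GPO name "contoso.com\IPsec Servers", and the SA property names filtered in the last step are illustrative assumptions; check the property names against the output of Get-NetIPsecMainModeSA | Format-List * on your own system.

```powershell
# Added example; not from the original help page. Assumed values: the CA subject,
# the peer 192.168.0.5, the GPO "contoso.com\IPsec Servers" and the SA property names.

# 1. Phase 1 authentication: computer certificates chaining to one named root CA.
#    Naming the root keeps a peer from authenticating with a certificate issued by
#    any other CA the local machine happens to trust.
$authProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "C=US,O=MYORG,CN=My Organization Root CA" -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "Cert Auth (MYORG root)" `
    -Proposal $authProposal

# 2. Main mode cryptography. The proposals are offered in the order listed, so put the
#    strongest first, and keep weak algorithms (DES3, MD5, SHA1, DH1, DH2) out of the set
#    entirely: any proposal in the set is one the negotiation can end up using.
$cryptoProposals = @(
    (New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA384 -KeyExchange DH20),
    (New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH19),
    (New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14)
)
$cryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "AES256-SHA2 ECDH/DH14" `
    -Proposal $cryptoProposals

# 3. The main mode rule ties the two sets together and scopes them to the peer.
#    Sets are referenced by their Name (the generated identifier), not by DisplayName.
$rule = New-NetIPsecMainModeRule -DisplayName "Main Mode to 192.168.0.5" `
    -LocalAddress Any -RemoteAddress 192.168.0.5 -Profile Domain `
    -Phase1AuthSet $authSet.Name -MainModeCryptoSet $cryptoSet.Name

# 4. Verify what was persisted rather than trusting the variables: the rule's bindings
#    and the proposals actually stored in the crypto set.
Get-NetIPsecMainModeRule -DisplayName "Main Mode to 192.168.0.5" |
    Format-List DisplayName, Enabled, Profile, Phase1AuthSet, MainModeCryptoSet
(Get-NetIPsecMainModeCryptoSet -DisplayName "AES256-SHA2 ECDH/DH14").Proposal |
    Format-Table Encryption, Hash, KeyExchange

# 5. The same objects written to a GPO in one batch. Per the note above, the sets and the
#    rule must live in the same policy store, so every New-* call gets the same session,
#    and nothing reaches the GPO until Save-NetGPO commits it.
$gpo = Open-NetGPO -PolicyStore "contoso.com\IPsec Servers"
$gpoAuthSet = New-NetIPsecPhase1AuthSet -GPOSession $gpo `
    -DisplayName "Cert Auth (MYORG root)" -Proposal $authProposal
$gpoCryptoSet = New-NetIPsecMainModeCryptoSet -GPOSession $gpo `
    -DisplayName "AES256-SHA2 ECDH/DH14" -Proposal $cryptoProposals
New-NetIPsecMainModeRule -GPOSession $gpo -DisplayName "Main Mode to 192.168.0.5" `
    -LocalAddress Any -RemoteAddress 192.168.0.5 -Profile Domain `
    -Phase1AuthSet $gpoAuthSet.Name -MainModeCryptoSet $gpoCryptoSet.Name
Save-NetGPO -GPOSession $gpo

# 6. After traffic to the peer, confirm that the SA that came up uses the expected
#    algorithms (property names assumed; see the lead-in).
Get-NetIPsecMainModeSA |
    Where-Object { $_.RemoteEndpoint -eq '192.168.0.5' } |
    Format-List LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId
```

Step 4 is the part most often skipped: the DisplayName you typed tells you nothing about which set the rule is bound to, and a typo in the -Phase1AuthSet or -MainModeCryptoSet argument is only visible by reading the stored rule back. Step 6 is the check that matters operationally, since a rule that is present but never matched (wrong profile, wrong remote address) produces no SA at all.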




RELATED LINKS

Get-NetFirewallAddressFilter
Get-NetIPsecMainModeCryptoSet
Get-NetIPsecMainModeRule
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
New-NetFirewallRule
New-NetIPsecMainModeCryptoSet
New-NetIPsecPhase1AuthSet
Open-NetGPO
Save-NetGPO
Set-NetFirewallRule
Set-NetIPsecMainModeCryptoSet
New-NetIPsecAuthProposal
New-NetIPsecMainModeCryptoProposal
New-GPO

REMARKS


Examples


EXAMPLE 1

PS C:\> $proposal1 = (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1)


PS C:\> $proposal2 = (New-NetIPsecMainModeCryptoProposal -Encryption AES192 -Hash MD5 -KeyExchange DH14)


PS C:\> $proposal3 = (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH19)


PS C:\> $mmCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "Main Mode Crypto Set" -Proposal $proposal1,$proposal2,$proposal3


PS C:\> New-NetIPsecMainModeRule -DisplayName "Custom Main Mode Rule" -MainModeCryptoSet $mmCryptoSet.Name



This example creates a main mode rule linked to a cryptographic set that contains three cryptographic proposals. The algorithms shown are
illustrative only: MD5, DES3 and DH group 1 are no longer considered secure, and any proposal placed in the set can be the one the
negotiation ends up using, so a production set should offer only proposals you are willing to accept.




EXAMPLE 2

PS C:\> $cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root


PS C:\> $cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root


PS C:\> $certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal


PS C:\> New-NetIPsecMainModeRule -DisplayName "Main Mode Authenticate with Certificates Rule" -Phase1AuthSet $certAuthSet.Name



This example creates a main mode rule that requires peers to authenticate with a computer certificate issued under either of two root
certification authorities. Because the rule specifies no local or remote addresses, it applies to all peers.




EXAMPLE 3

PS C:\> $proposal1 = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root


PS C:\> $poAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $proposal1


PS C:\> $proposal2 = New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1


PS C:\> $mmCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "dhgroup1:3des-md5" -Proposal $proposal2


PS C:\> New-NetIPsecMainModeRule -DisplayName "Alternate Main Mode Rule" -LocalAddress Any -RemoteAddress 192.168.0.5 -Phase1AuthSet $poAuthSet.Name -MainModeCryptoSet $mmCryptoSet.Name



This example creates a main mode rule that specifies alternate authentication and security methods for traffic with the server at the IP
address 192.168.0.5 only; peers at other addresses are not matched by this rule. The crypto set's display name describes the single proposal
it contains; as in Example 1, DES3, MD5 and DH group 1 are shown for illustration and are not recommended for production use.