
New-NetIPsecMainModeRule



This is the built-in help made by Microsoft for the command 'New-NetIPsecMainModeRule', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Creates an IPsec main mode rule that tells the computer which peers require IPsec security associations (SAs) for securing network traffic, and how to negotiate those SAs.

SYNTAX


New-NetIPsecMainModeRule [-AsJob] [-CimSession <CimSession[]>] [-Description <String>] [-Enabled <Enabled>] [-GPOSession <String>] [-Group <String>] [-LocalAddress
<String[]>] [-MainModeCryptoSet <String>] [-Name <String>] [-Phase1AuthSet <String>] [-Platform <String[]>] [-PolicyStore <String>] [-Profile <Profile>] [-RemoteAddress
<String[]>] [-ThrottleLimit <Int32>] -DisplayName <String> [-Confirm] [-WhatIf] [<CommonParameters>]




DESCRIPTION


The New-NetIPsecMainModeRule cmdlet creates an IPsec main mode rule.


A main mode rule contains a set of local and remote end points to determine the peers to which it applies. When an application on the local computer attempts to communicate
with one of these specified remote hosts, the computer attempts to establish a security association (SA) with the remote server.


In order to set up this SA, the computers need to agree on how to authenticate with each other. The local computer will only agree to use one of the proposals from the
IPsec phase 1 authentication set associated with the main mode rule. See the New-NetIPsecPhase1AuthSet cmdlet for more information. When the negotiation is successful,
a main mode SA is created. See the Get-NetIPsecMainModeSA cmdlet for more information.


The computers also need to agree on common encryption, hashing, and key exchange methods. The local computer will only agree to use one of the cryptographic methods
contained in the IPsec main mode cryptographic set associated with the main mode rule. See the New-NetIPsecMainModeCryptoSet cmdlet for more information. When the
negotiation is successful, a quick mode SA is created. See the Get-NetIPsecQuickModeSA cmdlet for more information.


A main mode rule offers four mandatory parameters that are negotiated as part of the main mode security association (SA):

-- The computer authentication method: Kerberos v5, certificate, or pre-shared key authentication that is provided by the NetIPsecPhase1AuthSet object.

-- The encryption algorithm that is provided by the NetIPsecMainModeCryptoSet object.

-- The hashing algorithm that is provided by the NetIPsecMainModeCryptoSet object.

-- The Diffie-Hellman (DH) key exchange group to be used for the base keying material that is provided by the NetIPsecMainModeCryptoSet object.


Note: Each main mode rule must be created in the policy store of the associated IPsec rule. If a particular rule applies to multiple IPsec rules in different policy stores
(GPOs), then the rule must be duplicated for each of those stores (so that policies can be updated without linking issues). See the Copy-NetFirewallRule,
Copy-NetIPsecMainModeCryptoSet, Copy-NetIPsecMainModeRule, Copy-NetIPsecPhase1AuthSet, Copy-NetIPsecPhase2AuthSet, Copy-NetIPsecQuickModeCryptoSet, or Copy-NetIPsecRule
cmdlet for more information.
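Because the four negotiated parameters above are only as strong as the weakest proposal in the linked cryptographic set, an administrator reviewing main mode rules usually wants to see which rules still allow legacy algorithms. The following audit script is an added example, not part of the Microsoft help text; it assumes the rule objects expose MainModeCryptoSet (the set name) and the crypto set objects expose a Proposal array whose members carry Encryption, Hash and KeyExchange, and the "weak" lists are a constructed baseline to adjust locally.

```powershell
# Added example: report main mode rules whose crypto set permits algorithms that
# fall below a chosen baseline. Property names MainModeCryptoSet, Proposal,
# Encryption, Hash and KeyExchange are assumed from the Get-* cmdlet output.

# Constructed baseline of values to flag; tune to the organisation's standard.
$weakEncryption = @('DES', 'DES3')
$weakHash       = @('MD5', 'SHA1')
$weakDhGroups   = @('DH1', 'DH2')      # 768-bit and 1024-bit MODP groups

function Get-WeakMainModeProposal {
    param([string]$PolicyStore = 'PersistentStore')

    Get-NetIPsecMainModeRule -PolicyStore $PolicyStore -ErrorAction Stop | ForEach-Object {
        $rule = $_

        # A rule without an explicit crypto set falls back to the store default;
        # surface it so the default itself gets reviewed.
        if (-not $rule.MainModeCryptoSet) {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                CryptoSet = '(store default)'
                Finding   = 'no explicit main mode crypto set'
            }
            return
        }

        $set = Get-NetIPsecMainModeCryptoSet -Name $rule.MainModeCryptoSet -PolicyStore $PolicyStore
        foreach ($p in $set.Proposal) {
            $findings = @()
            # Cast to string so enum values compare against the constructed lists.
            if ($weakEncryption -contains [string]$p.Encryption)  { $findings += "weak encryption $($p.Encryption)" }
            if ($weakHash       -contains [string]$p.Hash)        { $findings += "weak hash $($p.Hash)" }
            if ($weakDhGroups   -contains [string]$p.KeyExchange) { $findings += "weak DH group $($p.KeyExchange)" }

            if ($findings.Count -gt 0) {
                [pscustomobject]@{
                    Rule      = $rule.DisplayName
                    CryptoSet = $set.DisplayName
                    Finding   = $findings -join '; '
                }
            }
        }
    }
}

# Run against the local persistent store; pass a GPO path as -PolicyStore to audit a GPO.
Get-WeakMainModeProposal | Format-Table -AutoSize
```

Run against the three proposals in Example 1 below, every proposal is reported because each uses MD5, and the first and third additionally use DES3 and DH1.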




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkId=288043
Get-NetFirewallAddressFilter
Get-NetIPsecMainModeCryptoSet
Get-NetIPsecMainModeRule
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
New-NetFirewallRule
New-NetIPsecMainModeCryptoSet
New-NetIPsecPhase1AuthSet
Open-NetGPO
Save-NetGPO
Set-NetFirewallRule
Set-NetIPsecMainModeCryptoSet
New-NetIPsecAuthProposal
New-NetIPsecMainModeCryptoProposal
New-GPO

REMARKS


Examples


EXAMPLE 1

PS C:\>$proposal1 = (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1)



PS C:\>$proposal2 = (New-NetIPsecMainModeCryptoProposal -Encryption AES192 -Hash MD5 -KeyExchange DH14)



PS C:\>$proposal3 = (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH19)



PS C:\>$mmCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "Main Mode Crypto Set" -Proposal $proposal1,$proposal2,$proposal3



PS C:\>New-NetIPsecMainModeRule -DisplayName "Custom Main Mode Rule" -MainModeCryptoSet $mmCryptoSet.Name



This example creates a main mode rule linked to a cryptographic set that contains three cryptographic proposals.




EXAMPLE 2

PS C:\>$cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root



PS C:\>$cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root



PS C:\>$certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal



PS C:\>New-NetIPsecMainModeRule -DisplayName "Main Mode Authenticate with Certificates Rule" -Phase1AuthSet $certAuthSet.Name



This example creates a main mode rule that requires that incoming connections are authenticated by using either of two computer certificates.




EXAMPLE 3

PS C:\>$proposal1 = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root



PS C:\>$poAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $proposal1



PS C:\>$proposal2 = New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1



PS C:\>$mmCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "dhgroup2:3des-sha256,3des-sha384" -Proposal $proposal2



PS C:\>New-NetIPsecMainModeRule -DisplayName "Alternate Main Mode Rule" -LocalAddress Any -RemoteAddress 192.168.0.5 -Phase1AuthSet $poAuthSet.Name -MainModeCryptoSet $mmCryptoSet.Name



This example creates a main mode rule that specifies using alternate authentication and security methods for clients that communicate with the server at the IP address
192.168.0.5 only.