This is the built-in help made by Microsoft for the command 'New-NetIPsecRule', in PowerShell version 4 - as retrieved from
Windows version 'Microsoft Windows 8.1 Enterprise' PowerShell help files on 2016-06-23.
For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.
Creates an IPsec rule that defines security requirements for network connections that match the specified criteria.
New-NetIPsecRule [-AllowSetKey <Boolean>] [-AllowWatchKey <Boolean>] [-AsJob] [-CimSession <CimSession[]>] [-Description <String>] [-Enabled <Enabled>]
    [-EncryptedTunnelBypass <Boolean>] [-ForwardPathLifetime <UInt32>] [-GPOSession <String>] [-Group <String>] [-InboundSecurity <SecurityPolicy>]
    [-InterfaceAlias <WildcardPattern[]>] [-InterfaceType <InterfaceType>] [-IPsecRuleName <String>] [-KeyModule <KeyModule>] [-LocalAddress <String[]>]
    [-LocalPort <String[]>] [-LocalTunnelEndpoint <String[]>] [-Machine <String>] [-Mode <IPsecMode>] [-OutboundSecurity <SecurityPolicy>]
    [-Phase1AuthSet <String>] [-Phase2AuthSet <String>] [-Platform <String[]>] [-PolicyStore <String>] [-Profile <Profile>] [-Protocol <String>]
    [-QuickModeCryptoSet <String>] [-RemoteAddress <String[]>] [-RemotePort <String[]>] [-RemoteTunnelEndpoint <String[]>] [-RemoteTunnelHostname <String>]
    [-RequireAuthorization <Boolean>] [-ThrottleLimit <Int32>] [-User <String>] -DisplayName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
The New-NetIPsecRule cmdlet creates a transport-mode or tunnel-mode IPsec rule and adds it to the target computer. Some parameters are used to specify the conditions that must be matched for the rule to apply, such as the LocalAddress and the RemoteAddress parameters. Other parameters specify the way that the connection should be secured, such as the InboundSecurity and the OutboundSecurity parameters. Rules that already exist can be managed with the Get-NetIPsecRule and Set-NetIPsecRule cmdlets.
In order for custom main mode and quick mode security negotiations to occur, appropriate authorization and cryptographic sets must be associated with the rule. See the New-NetIPsecPhase1AuthSet, New-NetIPsecPhase2AuthSet, and New-NetIPsecQuickModeCryptoSet cmdlets for more information.
Note: Each authentication or cryptographic set must be created in the policy store for the associated IPsec rule. If a particular set applies to multiple IPsec rules in different policy stores (GPOs), then the set must be duplicated for each of those stores (so that policies can be updated without linking issues). See the Copy-NetFirewallRule, Copy-NetIPsecMainModeCryptoSet, Copy-NetIPsecMainModeRule, Copy-NetIPsecPhase1AuthSet, Copy-NetIPsecPhase2AuthSet, and Copy-NetIPsecQuickModeCryptoSet cmdlets and this cmdlet for more information.
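The description above spells out the dependency chain (authentication set and quick mode crypto set first, both in the same policy store as the rule, then the rule itself). The following is an added example, not part of the Microsoft help text, that walks that chain end to end inside one GPO session so the sets and the rule land in the same store, and then reads the rule and its address filter back as a check. The GPO name "contoso.com\Server_Isolation", the 10.10.20.0/24 server subnet and the port list are assumptions chosen for illustration; the algorithm names are the values the Quick Mode proposal cmdlet accepts. It deliberately uses AES-GCM-256 and AES-256/SHA-256 rather than the DES3/SHA1 suites shown in the later examples, which date from the 2016 help files.

```powershell
# Added example (not from the Microsoft help page). Assumed GPO, subnet and ports.
$store = "contoso.com\Server_Isolation"          # assumed GPO, must already exist
$gpo   = Open-NetGPO -PolicyStore $store          # one session; everything below targets it

# Main mode (phase 1): computer Kerberos only, no anonymous or NTLM fallback.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$p1Set = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos only" `
             -Proposal $p1Proposal -GPOSession $gpo

# Quick mode: an AEAD proposal first (for AES-GCM the ESPHash and Encryption values
# must be the same), then an AES-256-CBC/SHA-256 proposal as the fallback suite.
$qmGcm = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
             -ESPHash AESGCM256 -Encryption AESGCM256 -MaxMinutes 60 -MaxKiloBytes 100000
$qmCbc = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
             -ESPHash SHA256 -Encryption AES256 -MaxMinutes 60 -MaxKiloBytes 100000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "ESP AES-GCM-256 / AES-256-SHA256" `
             -Proposal $qmGcm,$qmCbc -GPOSession $gpo

# Transport-mode rule: inbound to the server subnet must be authenticated and encrypted;
# outbound requests protection so unmanaged peers are not cut off immediately.
New-NetIPsecRule -DisplayName "Server Isolation - Require In, Request Out" `
    -IPsecRuleName "ServerIsolation-RequireIn" `
    -Mode Transport `
    -LocalAddress Any -RemoteAddress 10.10.20.0/24 `
    -Protocol TCP -RemotePort 445,3389 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1Set.Name -QuickModeCryptoSet $qmSet.Name `
    -Profile Domain -Enabled True `
    -GPOSession $gpo

# Nothing is written to the GPO until the session is saved.
Save-NetGPO -GPOSession $gpo

# Check: read the rule back from the store together with its address filter and the
# crypto set it references, so a typo in a set name or subnet shows up before the GPO links.
$rule = Get-NetIPsecRule -IPsecRuleName "ServerIsolation-RequireIn" -PolicyStore $store
$rule | Get-NetFirewallAddressFilter | Format-List LocalAddress, RemoteAddress
$rule | Get-NetIPsecQuickModeCryptoSet | Select-Object -ExpandProperty Proposal |
    Format-Table Encapsulation, ESPHash, Encryption, MaxMinutes, MaxKiloBytes -AutoSize
```

Creating the sets with -GPOSession rather than -PolicyStore is what keeps the note above honest: if the sets were created in the local store and only the rule in the GPO, the rule would reference names that do not exist where it is applied. Running the rule creation once more with -WhatIf before Save-NetGPO is a cheap way to confirm the parameter set is valid without touching the GPO.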
Online Version: http://go.microsoft.com/fwlink/?LinkId=288122
Get-NetFirewallAddressFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetIPsecRule
New-NetIPsecPhase1AuthSet
New-NetIPsecPhase2AuthSet
New-NetIPsecQuickModeCryptoSet
Open-NetGPO
Save-NetGPO
Set-NetIPsecRule
New-NetIPsecAuthProposal
New-NetIPsecQuickModeCryptoProposal
New-GPO
EXAMPLE 1
PS C:\>New-NetIPsecRule -DisplayName "Multi DTE" -IPsecRuleName "Multi DTE" -Mode Tunnel -InboundSecurity Require -OutboundSecurity Require -RemoteTunnelEndpoint 2002:9d3b::2,2002:9d3b::3,2002:9d3b::4 -RemoteAddress 2002:9d3b::/32 -LocalTunnelEndpoint Any
This example creates a multi dynamic tunnel end point rule.
EXAMPLE 2
PS C:\>New-NetIPsecRule -DisplayName "Domain Isolation Rule" -InboundSecurity Require -OutboundSecurity Request -PolicyStore contoso.com\Domain_Isolation
This example creates a rule that could be used in a domain isolation scenario, where incoming traffic is only permitted from other domain member computers. The default main mode negotiation uses Kerberos v5 for computer and user authentication.
EXAMPLE 3
PS C:\>$qMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3
PS C:\>$qMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "esp:sha1-des3" -Proposal $qMProposal
PS C:\>New-NetIPsecRule -DisplayName "Tunnel from HQ to Dallas Branch" -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $qMCryptoSet.Name
This example creates an IPsec tunnel that routes traffic from a private network at 192.168.0.0/16 through an interface on the local computer at 1.1.1.1 attached to a public network to a second computer through a public interface at 2.2.2.2 to another private network at 192.157.0.0/16. All traffic through the tunnel is integrity checked using ESP/SHA1, and encrypted using ESP/DES3.
EXAMPLE 4
This cmdlet illustrates how to include both AH and ESP protocols in a single suite.
PS C:\>$aHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP -AHHash SHA1 -ESPHash SHA1 -Encryption DES3
This cmdlet illustrates how to specify the use of the AH protocol only.
PS C:\>$aHQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH -AHHash SHA1 -ESPHash None -Encryption None
This cmdlet illustrates how to specify the use of the ESP protocol only, and uses the None keyword to specify not to include an encryption option.
PS C:\>$eSPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption None
This cmdlet illustrates how to use the None keyword to specify that ESP is used with an encryption protocol, but with no integrity protocol. This cmdlet also illustrates how to set a custom SA timeout using both time and data amount values.
PS C:\>$eSPnoAHQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash None -Encryption AES256 -MaxKiloBytes 50000 -MaxMinutes 30
PS C:\>$qMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "Custom Quick Mode" -Proposal $aHandESPQM,$aHQM,$eSPQM,$eSPnoAHQM
PS C:\>New-NetIPsecRule -DisplayName "Domain Isolation Rule" -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $qMCryptoSet.Name
This example creates a domain isolation rule, but uses a custom quick mode proposal that includes multiple quick mode suites, separated by commas.
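Examples 3 and 4 above build quick mode sets out of DES3, SHA1, AH-only and ESP-with-no-integrity proposals, and a rule negotiates whichever proposal in its set both peers accept first. The following is an added example, not part of the Microsoft help text, that turns that into a defender's check: it walks the enabled IPsec rules in a policy store, pulls the quick mode crypto set attached to each rule with Get-NetIPsecQuickModeCryptoSet, and reports proposals that still carry legacy integrity or encryption algorithms, or that leave a Require rule with integrity-only ESP. The algorithm names are the enumeration values the proposal cmdlet accepts; which of them count as "legacy" is this example's own choice, and the PolicyStore default is an assumption.

```powershell
# Added example (not from the Microsoft help page): audit quick mode proposals on enabled
# IPsec rules. Legacy lists are this example's choice; property names (Proposal, ESPHash,
# AHHash, Encryption, Encapsulation) are the ones the NetSecurity objects expose.
$legacyHash = 'MD5', 'SHA1'
$legacyEnc  = 'DES', 'DES3'

function Get-WeakIPsecQuickModeProposal {
    param(
        # ActiveStore is the merged, currently effective policy; pass a GPO path to audit a GPO.
        [string]$PolicyStore = 'ActiveStore'
    )
    Get-NetIPsecRule -PolicyStore $PolicyStore |
        Where-Object { $_.Enabled -eq 'True' } |
        ForEach-Object {
            $rule = $_
            # The quick mode set associated with this rule (pipeline binds AssociatedNetIPsecRule).
            $set = $rule | Get-NetIPsecQuickModeCryptoSet
            foreach ($p in $set.Proposal) {
                $findings = @()
                if ($p.AHHash -in $legacyHash -or $p.ESPHash -in $legacyHash) {
                    $findings += "legacy integrity AH=$($p.AHHash) ESP=$($p.ESPHash)"
                }
                if ($p.Encryption -in $legacyEnc) {
                    $findings += "legacy encryption $($p.Encryption)"
                }
                # A Require rule whose accepted suite has Encryption None protects integrity only;
                # traffic matched by it is authenticated but still readable on the wire.
                if ($p.Encryption -eq 'None' -and $rule.InboundSecurity -eq 'Require') {
                    $findings += 'integrity-only proposal on a Require rule'
                }
                if ($findings.Count -gt 0) {
                    [pscustomobject]@{
                        Rule          = $rule.DisplayName
                        Mode          = $rule.Mode
                        CryptoSet     = $set.DisplayName
                        Encapsulation = $p.Encapsulation
                        Findings      = ($findings -join '; ')
                    }
                }
            }
        }
}

# Usage: report on the effective policy of this machine, then on a specific GPO.
Get-WeakIPsecQuickModeProposal | Format-Table -AutoSize
Get-WeakIPsecQuickModeProposal -PolicyStore 'contoso.com\Domain_Isolation' | Format-Table -AutoSize
```

Because a set is matched proposal by proposal in order, a single legacy entry at the end of an otherwise strong set is still negotiable with a peer that offers nothing better, which is why the check reports every proposal rather than only the first. Fixing a finding means rebuilding the set (New-NetIPsecQuickModeCryptoSet with the stronger proposals) in the same policy store as the rule and pointing the rule at it with Set-NetIPsecRule -QuickModeCryptoSet, as the note at the top of this page requires.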