
New-NetIPsecRule



This is the built-in help made by Microsoft for the command 'New-NetIPsecRule', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Creates an IPsec rule that defines security requirements for network connections that match the specified criteria.

SYNTAX


New-NetIPsecRule [-AllowSetKey <Boolean>] [-AllowWatchKey <Boolean>] [-AsJob] [-CimSession <CimSession[]>] [-Description <String>] [-Enabled <Enabled>]
[-EncryptedTunnelBypass <Boolean>] [-ForwardPathLifetime <UInt32>] [-GPOSession <String>] [-Group <String>] [-InboundSecurity <SecurityPolicy>] [-InterfaceAlias
<WildcardPattern[]>] [-InterfaceType <InterfaceType>] [-IPsecRuleName <String>] [-KeyModule <KeyModule>] [-LocalAddress <String[]>] [-LocalPort <String[]>]
[-LocalTunnelEndpoint <String[]>] [-Machine <String>] [-Mode <IPsecMode>] [-OutboundSecurity <SecurityPolicy>] [-Phase1AuthSet <String>] [-Phase2AuthSet <String>] [-Platform
<String[]>] [-PolicyStore <String>] [-Profile <Profile>] [-Protocol <String>] [-QuickModeCryptoSet <String>] [-RemoteAddress <String[]>] [-RemotePort <String[]>]
[-RemoteTunnelEndpoint <String[]>] [-RemoteTunnelHostname <String>] [-RequireAuthorization <Boolean>] [-ThrottleLimit <Int32>] [-User <String>] -DisplayName <String>
[-Confirm] [-WhatIf] [<CommonParameters>]




DESCRIPTION


The New-NetIPsecRule cmdlet creates a transport-mode or tunnel-mode IPsec rule and adds it to the target computer. Some parameters are used to specify the conditions that
must be matched for the rule to apply, such as the LocalAddress and the RemoteAddress parameters. Other parameters specify the way that the connection should be secured,
such as the InboundSecurity and the OutboundSecurity parameters. Rules that already exist can be managed with the Get-NetIPsecRule and Set-NetIPsecRule cmdlets.


In order for custom main mode and quick mode security negotiations to occur, appropriate authorization and cryptographic sets must be associated with the rule. See the
New-NetIPsecPhase1AuthSet, New-NetIPsecPhase2AuthSet, and New-NetIPsecQuickModeCryptoSet cmdlets for more information.


Note: Each authentication or cryptographic set must be created in the policy store for the associated IPsec rule. If a particular set applies to multiple IPsec rules in
different policy stores (GPOs), then the set must be duplicated for each of those stores (so that policies can be updated without linking issues). See the
Copy-NetFirewallRule, Copy-NetIPsecMainModeCryptoSet, Copy-NetIPsecMainModeRule, Copy-NetIPsecPhase1AuthSet, Copy-NetIPsecPhase2AuthSet, and Copy-NetIPsecQuickModeCryptoSet
cmdlets and this cmdlet for more information.




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkId=288122
Get-NetFirewallAddressFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetIPsecRule
New-NetIPsecPhase1AuthSet
New-NetIPsecPhase2AuthSet
New-NetIPsecQuickModeCryptoSet
Open-NetGPO
Save-NetGPO
Set-NetIPsecRule
New-NetIPsecAuthProposal
New-NetIPsecQuickModeCryptoProposal
New-GPO

REMARKS


Examples


EXAMPLE 1

PS C:\>New-NetIPsecRule -DisplayName "Multi DTE" -Name "Multi DTE" -Mode Tunnel -InboundSecurity Require -OutboundSecurity Require -RemoteTunnelEndpoint 2002:9d3b::2,2002:9d3b::3,2002:9d3b::4 -RemoteAddress 2002:9d3b::/32 -LocalTunnelEndpoint Any



This example creates a multi dynamic tunnel end point rule.




EXAMPLE 2

PS C:\>New-NetIPsecRule -DisplayName "Domain Isolation Rule" -InboundSecurity Require -OutboundSecurity Request -PolicyStore contoso.com\Domain_Isolation



This example creates a rule that could be used in a domain isolation scenario, where incoming traffic is only permitted from other domain member computers. The default main
mode negotiation uses Kerberos v5 for computer and user authentication.




EXAMPLE 3

PS C:\>$qMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3



PS C:\>$qMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "esp:sha1-des3" -Proposal $qMProposal



PS C:\>New-NetIPsecRule -DisplayName "Tunnel from HQ to Dallas Branch" -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $qMCryptoSet.Name



This example creates an IPsec tunnel that routes traffic from a private network at 192.168.0.0/16 through an interface on the local computer at 1.1.1.1 attached to a public
network to a second computer through a public interface at 2.2.2.2 to another private network at 192.157.0.0/16. All traffic through the tunnel is integrity checked using
ESP/SHA1, and encrypted using ESP/DES3.




EXAMPLE 4

This cmdlet illustrates how to include both AH and ESP protocols in a single suite.
PS C:\>$aHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP -AHHash SHA1 -ESPHash SHA1 -Encryption DES3


This cmdlet illustrates how to specify the use of the AH protocol only.
PS C:\>$aHQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH -AHHash SHA1 -ESPHash None -Encryption None


This cmdlet illustrates how to specify the use of the ESP protocol only, and uses the None keyword to specify not to include an encryption option.
PS C:\>$eSPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption None


This cmdlet illustrates how to use the None keyword to specify that ESP is used with an encryption protocol, but with no integrity protocol. This cmdlet also illustrates how
to set a custom SA timeout using both time and data amount values.
PS C:\>$eSPnoAHQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash None -Encryption AES256 -MaxKiloBytes 50000 -MaxMinutes 30



PS C:\>$qMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "Custom Quick Mode" -Proposal $aHandESPQM,$aHQM,$eSPQM,$eSPnoAHQM



PS C:\>New-NetIPsecRule -DisplayName "Domain Isolation Rule" -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $qMCryptoSet.Name



This example creates a domain isolation rule, but uses a custom quick mode proposal that includes multiple quick mode suites, separated by commas.
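The following is an added example, not part of the Microsoft help text, that ties the DESCRIPTION together: it builds a main mode authentication set and a quick mode cryptographic set in the same policy store as the rule (as the Note above requires), uses SHA-256/AES-256 in place of the SHA1/DES3 shown in Example 3, and then reads the rule back to confirm which sets it references. The display names and the PersistentStore target are placeholders.

```powershell
# Added example (not from the Microsoft help page). Display names and the
# policy store are placeholders; run in an elevated PowerShell session.
$store = "PersistentStore"   # or a GPO, e.g. "contoso.com\Domain_Isolation"

# Main mode (phase 1): authenticate the computer with Kerberos v5.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$p1Set = New-NetIPsecPhase1AuthSet -DisplayName "Machine Kerberos" `
    -Proposal $p1Proposal -PolicyStore $store

# Quick mode (phase 2): ESP with SHA-256 integrity and AES-256 encryption,
# re-keyed by time and by volume, instead of the SHA1/DES3 used in Example 3.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA256 -Encryption AES256 -MaxMinutes 60 -MaxKiloBytes 100000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "esp:sha256-aes256" `
    -Proposal $qmProposal -PolicyStore $store

# The rule references the sets by Name; both sets must exist in $store,
# otherwise the rule silently falls back to the default negotiation.
$rule = New-NetIPsecRule -DisplayName "Domain Isolation (AES256)" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1Set.Name -QuickModeCryptoSet $qmSet.Name `
    -PolicyStore $store

# Verify that the rule carries the intended sets rather than the defaults.
Get-NetIPsecRule -DisplayName "Domain Isolation (AES256)" -PolicyStore $store |
    Format-List DisplayName, Mode, InboundSecurity, OutboundSecurity,
                Phase1AuthSet, QuickModeCryptoSet
```

Adding -WhatIf to the New-NetIPsecRule call shows what would be created without touching the policy store, which is useful when the target is a production GPO.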