
New-NetIPsecPhase1AuthSet



This is the built-in help made by Microsoft for the command 'New-NetIPsecPhase1AuthSet', in PowerShell version 3 - as retrieved from Windows version 'Microsoft Windows Server 2012 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where Update-Help is available, Update-Help was run just before the web pages were created from the help files.

SYNOPSIS

Creates a phase 1 authentication set that specifies the methods offered for main mode first authentication during IPsec negotiations.

SYNTAX


New-NetIPsecPhase1AuthSet [-AsJob [<SwitchParameter>]] [-CimSession <CimSession[]>] [-Default [<SwitchParameter>]] [-Description <String>]
[-GPOSession <String>] [-Group <String>] [-Name <String>] [-PolicyStore <String>] [-ThrottleLimit <Int32>] -DisplayName <String> -Proposal
<CimInstance[]> [-Confirm [<SwitchParameter>]] [-WhatIf [<SwitchParameter>]] [<CommonParameters>]




DESCRIPTION


The New-NetIPsecPhase1AuthSet cmdlet creates a set of authentication methods to use during IPsec negotiations. The first phase of
authentication is typically a computer authentication method such as Kerberos v5, certificate, or pre-shared key authentication.


A phase 1 authentication set contains an ordered list of computer authentication proposals. A proposal is created by running the
New-NetIPsecAuthProposal cmdlet. During the main mode negotiation, the first proposal that both peers have in common will be used for mutual
authentication. A NetIPsecPhase1AuthSet object and a NetIPsecMainModeCryptoSet object provide all of the necessary security association (SA)
parameters for a NetIPsecMainModeRule object. Use the Get-NetIPsecMainModeSA cmdlet to monitor the SAs that are created.


The newly created authentication set can be associated with one or more IPsec rules using the Set-NetIPsecRule cmdlet or the
Set-NetIPsecMainModeRule cmdlet.
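The following script is an added example, not part of the Microsoft help text, showing the ordered-proposal and rule-association behaviour described above inside a Group Policy session; the domain "corp.example.com", the GPO "IPsec-Servers", the CA distinguished name and the Proposal object property names it reads back are assumptions.

```powershell
# Added example (not from the Microsoft help text): build an ordered phase 1
# authentication set inside a Group Policy session, bind it to an IPsec rule,
# and read the set back to confirm the proposal order peers will negotiate.
# Assumed names: the domain "corp.example.com", the GPO "IPsec-Servers" and
# the certificate authority DN are placeholders for a real deployment.

$gpoSession = Open-NetGPO -PolicyStore "corp.example.com\IPsec-Servers"

# Proposal order matters: the first proposal both peers have in common is
# used, so the preferred method (enterprise CA certificate) is listed first
# and Kerberos v5 computer authentication acts as the fallback.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "C=US,O=EXAMPLE,CN=Example Corp Root CA" -AuthorityType Root
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos

$authSet = New-NetIPsecPhase1AuthSet -DisplayName "Servers Phase1 Auth" `
    -Description "Certificate preferred, Kerberos fallback" `
    -Proposal $certProposal, $kerbProposal -GPOSession $gpoSession

# Require authenticated inbound connections and request it outbound. The
# rule references the set by Name (the generated identifier), not DisplayName.
New-NetIPsecRule -DisplayName "Servers Require Computer Auth" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -GPOSession $gpoSession

# Nothing reaches the GPO until the session is saved.
Save-NetGPO -GPOSession $gpoSession

# Verification: list every proposal in the set in negotiation order so a
# reviewer can confirm that no weaker method was accidentally placed first.
$check = Get-NetIPsecPhase1AuthSet -PolicyStore "corp.example.com\IPsec-Servers" |
    Where-Object DisplayName -eq "Servers Phase1 Auth"
$i = 0
foreach ($p in $check.Proposal) {
    $i++
    # AuthenticationMethod and AuthorityName are assumed property names of the
    # proposal CIM instance; inspect one with Format-List * to confirm locally.
    "{0}. {1} {2}" -f $i, $p.AuthenticationMethod, $p.AuthorityName
}
```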




RELATED LINKS

Get-NetIPsecMainModeCryptoSet
Get-NetIPsecMainModeSA
New-NetIPsecMainModeCryptoSet
New-NetIPsecPhase2AuthSet
New-NetIPSecRule
Rename-NetIPsecMainModeCryptoSet
Open-NetGPO
Save-NetGPO
Set-NetIPsecMainModeCryptoSet
Set-NetIPsecMainModeRule
Set-NetIPsecRule
New-NetIPsecAuthProposal
New-NetIPsecMainModeCryptoProposal
New-GPO


Examples


EXAMPLE 1

PS C:\> $cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root


PS C:\> $cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root


PS C:\> $certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal


PS C:\> New-NetIPSecRule -DisplayName "Authenticate with Certificates Rule" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet $certAuthSet.Name



This example creates a rule that requires that incoming connections are authenticated by using either of two computer certificates. The
computer also requests authentication for outbound connections, but allows an outbound connection if authentication is not successful.




EXAMPLE 2

PS C:\> $mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos


PS C:\> $mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM


PS C:\> $p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "First Computer Auth" -Proposal $mkerbauthprop,$mntlmauthprop


PS C:\> $ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos


PS C:\> $unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM


PS C:\> $anonyauthprop = New-NetIPsecAuthProposal -Anonymous


PS C:\> $p2Auth = New-NetIPsecPhase2AuthSet -DisplayName "Second User Auth" -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop


PS C:\> New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $p1Auth.Name -Phase2AuthSet $p2Auth.Name



This example creates a rule that requires a first, or computer, authentication and attempts an optional second, or user, authentication.




EXAMPLE 3

PS C:\> $proposal1 = (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1)


PS C:\> $proposal2 = (New-NetIPsecMainModeCryptoProposal -Encryption AES192 -Hash MD5 -KeyExchange DH14)


PS C:\> $proposal3 = (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH19)


PS C:\> $mmCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "Main Mode Crypto Set" -Proposal $proposal1,$proposal2,$proposal3


PS C:\> New-NetIPsecMainModeRule -DisplayName "Custom Main Mode Rule" -MainModeCryptoSet $mmCryptoSet.Name



This example creates a main mode rule linked to a cryptographic set that contains three cryptographic proposals.




EXAMPLE 4

PS C:\> $cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root


PS C:\> $cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root


PS C:\> $certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal


PS C:\> New-NetIPsecMainModeRule -DisplayName "Main Mode Authenticate with Certificates Rule" -Phase1AuthSet $certAuthSet.Name



This example creates a main mode rule that requires that incoming connections are authenticated by using either of two computer certificates.




EXAMPLE 5

PS C:\> $proposal1 = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root


PS C:\> $poAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $proposal1


PS C:\> $proposal2 = New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1


PS C:\> $mmCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "dhgroup2:3des-sha256,3des-sha384" -Proposal $proposal2


PS C:\> New-NetIPsecMainModeRule -DisplayName "Alternate Main Mode Rule" -LocalAddress Any -RemoteAddress 192.168.0.5 -Phase1AuthSet $poAuthSet.Name -MainModeCryptoSet $mmCryptoSet.Name



This example creates a main mode rule that specifies using alternate authentication and security methods for clients that communicate with the
server at address 192.168.0.5 only.