Bad choice in NETSH.EXE for configuring IPSec

[Walter Porter]

NETSH.EXE does not allow both the actioninbound and actionoutbound to be
"block" in Vista 5728.

The following generates an error message in Vista 5728, but works fine in
Win2k3:

netsh.exe ipsec dynamic add mmpolicy name=temp
netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any mmpolicy=temp
actioninbound=block actionoutbound=block

This is unfortunate because it is handy to use IPSec for packet filtering.
This seems to be a useless artificial limitation in Vista and breaks
compatibility with Win2k3. I hope it is fixed...

 

[Steve Riley [MSFT]]

IPsec rules, called "connection security rules" in the advanced MMC, now require negotiation. You'll use firewall rules for general packet filtering. I just tried these on my laptop, and they blocked everything:

netsh advfirewall firewall add rule name="temp" dir=in action=block
netsh advfirewall firewall add rule name="temp" dir=out action=block

______________________________________________________
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


NETSH.EXE does not allow both the actioninbound and actionoutbound to be
"block" in Vista 5728.

The following generates an error message in Vista 5728, but works fine in
Win2k3:

netsh.exe ipsec dynamic add mmpolicy name=temp
netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any mmpolicy=temp
actioninbound=block actionoutbound=block

This is unfortunate because it is handy to use IPSec for packet filtering.
This seems to be a useless artificial limitation in Vista and breaks
compatibility with Win2k3. I hope it is fixed...

 

[Walter Porter]

IPsec rules ... now require negotiation.

Thank you for the response and the suggestion, but it still seems to be a
pointless artificial limitation on the IPSec implementation, isn't
consistent with Win2000/XP/2003, and complicates the task if you just want
to stick with using IPSec alone. This also seems rather easy to fix before
RTM.

 

[Steve Riley [MSFT]]

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

IPsec rules ... now require negotiation.

Thank you for the response and the suggestion, but it still seems to be a
pointless artificial limitation on the IPSec implementation, isn't
consistent with Win2000/XP/2003, and complicates the task if you just want
to stick with using IPSec alone. This also seems rather easy to fix before
RTM.

 

[Steve Riley [MSFT]]

It was more of a happy accident that the IPsec engine in 2000/XP/2003 could be used as a rudimentary packet filter. However, it really isn't the best choice, since it lacks an understanding of TCP connection states ("stateful inspection" as it's commonly called). A firewall is the appropriate choice for performing packet filtering.

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

IPsec rules ... now require negotiation.

Thank you for the response and the suggestion, but it still seems to be a
pointless artificial limitation on the IPSec implementation, isn't
consistent with Win2000/XP/2003, and complicates the task if you just want
to stick with using IPSec alone. This also seems rather easy to fix before
RTM.