Microsoft Windows [Version 6.0.6001]
(C) Copyright 2006 Microsoft Corp.

c:\windows>netsh ipsec static set defaultrule ?

Usage:
  defaultrule [ policy = ]
              [[ qmpfs = ] (yes | no) ]
              [[ activate = ] (yes | no) ]
              [[ qmsecmethods = ] (neg#1 neg#2 ... neg#n) ]
              [[ kerberos = ] (yes | no) ]
              [[ psk = ]]
              [[ rootca = ] " certmap:(yes | no) excludecaname:(yes | no)" ]

Modifies the default response rule of the specified policy.
This rule will be ignored on Windows Vista and later versions of Windows
Parameters:
  Tag            Value
  policy        -Name of the policy for which the default response rule is
                 to be modified.
  qmpfs         -Option to set quick mode perfect forward secrecy.
  activate      -Activates the rule in the policy if 'yes' is specified.
  qmsecmethods  -IPsec offer in one of the following formats:
                 ESP[ConfAlg,AuthAlg]:k/s
                 AH[HashAlg]:k/s
                 AH[HashAlg]+ESP[ConfAlg,AuthAlg]:k/s
                 where ConfAlg can be DES, or 3DES or None.
                 where AuthAlg can be MD5, or SHA1 or None.
                 where HashAlg is MD5 or SHA1.
                 where k is lifetime in kilobytes.
                 where s is lifetime in seconds.
  kerberos      -Provides Kerberos authentication if 'yes' is specified.
  psk           -Provides authentication using a specified preshared key.
  rootca        -Provides authentication using a specified root certificate,
                 attempts to map the cert if certmap:Yes is specified,
                 excludes the CA name if excludecaname:Yes is specified.

Remarks: 1. Certificate, mapping, and CA name settings are all to be within
            quotes; embedded quotes are to be replaced with \'.
         2. Certificate mapping is valid only for domain members.
         3. Multiple certificates can be provided by using the rootca
            parameter multiple times.
         4. The preference of each authentication method is determined by
            its order in the command.
         5. If no auth methods are stated, dynamic defaults are used.
         6. The use of DES and MD5 is not recommended. These cryptographic
            algorithms are provided for backward compatibility only.

Examples: set defaultrule Policy1 activate=y
          qmsec="AH[MD5]+ESP[3DES,MD5]:100000k/2000s"
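
Added example (not part of the netsh output above): a small Python checker that parses a qmsecmethods value in the offer formats listed under Parameters and reports which offers use DES or MD5, the algorithms Remark 6 advises against. The function names are hypothetical; it assumes lifetimes are written with the k and s suffixes as in the Examples line and that algorithm names are matched case-insensitively.

```python
import re

# Offer grammar from the help text: AH[Hash], ESP[Conf,Auth] or
# AH[Hash]+ESP[Conf,Auth], followed by :<kilobytes>k/<seconds>s.
OFFER_RE = re.compile(
    r"^(?:AH\[(?P<hash>\w+)\])?(?P<plus>\+)?"
    r"(?:ESP\[(?P<conf>\w+),(?P<auth>\w+)\])?"
    r":(?P<kb>\d+)k/(?P<sec>\d+)s$",
    re.IGNORECASE,
)
HASH_ALGS = {"MD5", "SHA1"}
CONF_ALGS = {"DES", "3DES", "NONE"}
AUTH_ALGS = {"MD5", "SHA1", "NONE"}
DEPRECATED = {"DES", "MD5"}  # Remark 6: backward compatibility only


def parse_offer(offer):
    """Return the offer's fields, or raise ValueError if it is malformed."""
    m = OFFER_RE.match(offer.strip())
    if not m:
        raise ValueError(f"malformed offer: {offer!r}")
    fields = {k: v.upper() for k, v in m.groupdict().items()
              if v is not None and k in ("hash", "conf", "auth")}
    has_ah, has_esp = "hash" in fields, "conf" in fields
    # '+' is only valid when it joins an AH part to an ESP part.
    if not (has_ah or has_esp) or bool(m["plus"]) != (has_ah and has_esp):
        raise ValueError(f"malformed offer: {offer!r}")
    for key, allowed in (("hash", HASH_ALGS), ("conf", CONF_ALGS),
                         ("auth", AUTH_ALGS)):
        if key in fields and fields[key] not in allowed:
            raise ValueError(f"unknown {key} algorithm in {offer!r}")
    fields["kilobytes"], fields["seconds"] = int(m["kb"]), int(m["sec"])
    return fields


def audit_qmsecmethods(value):
    """Map each space-separated offer to the DES/MD5 algorithms it uses."""
    findings = {}
    for offer in value.split():
        f = parse_offer(offer)
        used = {f.get(k) for k in ("hash", "conf", "auth")}
        findings[offer] = sorted(used & DEPRECATED)
    return findings


# First offer is the one from the Examples line; the second is constructed.
SAMPLE = "AH[MD5]+ESP[3DES,MD5]:100000k/2000s ESP[3DES,SHA1]:100000k/2000s"

if __name__ == "__main__":
    for offer, weak in audit_qmsecmethods(SAMPLE).items():
        print(offer, "->", ", ".join(weak) or "ok")
```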