Bad choice in NETSH.EXE for configuring IPSec

NETSH.EXE does not allow both the actioninbound and actionoutbound to be
"block" in Vista 5728.

The following generates an error message in Vista 5728, but works fine in
Win2k3:

netsh.exe ipsec dynamic add mmpolicy name=temp
netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any mmpolicy=temp
actioninbound=block actionoutbound=block

This is unfortunate because it is handy to use IPSec for packet filtering.
This seems to be a useless artificial limitation in Vista and breaks
compatibility with Win2k3. I hope it is fixed...

 

IPsec rules, called "connection security rules" in the advanced MMC, now require negotiation. You'll use firewall rules for general packet filtering. I just tried these on my laptop, and they blocked everything:

netsh advfirewall firewall add rule name="temp" dir=in action=block
netsh advfirewall firewall add rule name="temp" dir=out action=block

______________________________________________________
Steve Riley

http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


NETSH.EXE does not allow both the actioninbound and actionoutbound to be
"block" in Vista 5728.

The following generates an error message in Vista 5728, but works fine in
Win2k3:

netsh.exe ipsec dynamic add mmpolicy name=temp
netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any mmpolicy=temp
actioninbound=block actionoutbound=block

This is unfortunate because it is handy to use IPSec for packet filtering.
This seems to be a useless artificial limitation in Vista and breaks
compatibility with Win2k3. I hope it is fixed...

 

IPsec rules ... now require negotiation.

Thank you for the response and the suggestion, but it still seems to be a
pointless artificial limitation on the IPSec implementation, isn't
consistent with Win2000/XP/2003, and complicates the task if you just want
to stick with using IPSec alone. This also seems rather easy to fix before
RTM.

 

--
Steve Riley

http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

Thank you for the response and the suggestion, but it still seems to be a
pointless artificial limitation on the IPSec implementation, isn't
consistent with Win2000/XP/2003, and complicates the task if you just want
to stick with using IPSec alone. This also seems rather easy to fix before
RTM.

 

It was more of a happy accident that the IPsec engine in 2000/XP/2003 could be used as a rudimentary packet filter. However, it really isn't the best choice, since it lacks an understanding of TCP connection states ("stateful inspection" as it's commonly called). A firewall is the appropriate choice for performing packet filtering.

--
Steve Riley

http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

Thank you for the response and the suggestion, but it still seems to be a
pointless artificial limitation on the IPSec implementation, isn't
consistent with Win2000/XP/2003, and complicates the task if you just want
to stick with using IPSec alone. This also seems rather easy to fix before
RTM.