Bad choice in NETSH.EXE for configuring IPSec

Discussion in 'Windows Vista Security' started by Walter Porter, Nov 1, 2006.

  1. NETSH.EXE does not allow both the actioninbound and actionoutbound to be
    "block" in Vista 5728.

    The following generates an error message in Vista 5728, but works fine in
    Win2k3:

    netsh.exe ipsec dynamic add mmpolicy name=temp
    netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any mmpolicy=temp
    actioninbound=block actionoutbound=block

    This is unfortunate because it is handy to use IPSec for packet filtering.
    This seems to be a useless artificial limitation in Vista and breaks
    compatibility with Win2k3. I hope it is fixed...
     
    Walter Porter, Nov 1, 2006
    #1

  2. IPsec rules, called "connection security rules" in the advanced MMC, now require negotiation. You'll use firewall rules for general packet filtering. I just tried these on my laptop, and they blocked everything:

    netsh advfirewall firewall add rule name="temp" dir=in action=block
    netsh advfirewall firewall add rule name="temp" dir=out action=block

    ______________________________________________________
    Steve Riley

    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com

     
    Steve Riley [MSFT], Nov 4, 2006
    #2
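    The following is an added example, not code from the thread. It wraps the Vista-era replacement Steve Riley describes (Windows Firewall with Advanced Security rules instead of an IPsec mmpolicy) in a small PowerShell script that snapshots the policy first, adds the two block rules from his reply, lists them, and can remove them or roll the whole policy back. The two `add rule` lines are his; `export`, `import`, `show rule`, `delete rule` and `set allprofiles firewallpolicy` are standard `netsh advfirewall` verbs. The backup file path and rule name are assumptions, and every command needs an elevated prompt.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell prompt
# on Vista or later; rule name and backup path are arbitrary choices.
$RuleName = "temp"
$Backup   = Join-Path $env:TEMP "wfas-before-temp.wfw"   # assumed path

function Invoke-Netsh {
    # Run one netsh advfirewall command and fail loudly on a non-zero exit.
    param([string[]]$NetshArgs)
    $out = & netsh advfirewall @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall $($NetshArgs -join ' ') failed: $out" }
    return $out
}

function Backup-FirewallPolicy {
    # Snapshot the full firewall policy so the change below can be undone.
    Invoke-Netsh @("export", $Backup) | Out-Null
}

function Add-BlockAllRules {
    # The two rules from the reply above: block everything in and out.
    Invoke-Netsh @("firewall", "add", "rule", "name=$RuleName", "dir=in",  "action=block") | Out-Null
    Invoke-Netsh @("firewall", "add", "rule", "name=$RuleName", "dir=out", "action=block") | Out-Null
}

function Show-BlockAllRules {
    # Verify both rules exist and are enabled before trusting them.
    Invoke-Netsh @("firewall", "show", "rule", "name=$RuleName")
}

function Remove-BlockAllRules {
    # Deletes every rule carrying this name, i.e. both directions.
    Invoke-Netsh @("firewall", "delete", "rule", "name=$RuleName") | Out-Null
}

function Set-BlockAllDefaultPolicy {
    # Alternative to explicit rules: make "block" the default for all profiles.
    # Existing allow rules still apply, so this is not the same as the two rules.
    Invoke-Netsh @("set", "allprofiles", "firewallpolicy", "blockinbound,blockoutbound") | Out-Null
}

function Restore-FirewallPolicy {
    # Roll back to the exported snapshot, undoing rules and default-policy changes.
    Invoke-Netsh @("import", $Backup) | Out-Null
}

# Usage, from a local console rather than a remote session:
# Backup-FirewallPolicy
# Add-BlockAllRules
# Show-BlockAllRules
# ...test...
# Remove-BlockAllRules          # or Restore-FirewallPolicy to undo everything at once
```

    The export-before-change step is the part worth keeping: a `dir=out action=block` rule also drops the administrator's own RDP or management traffic, so a known-good snapshot and a local console are what make the experiment reversible.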

  3. IPsec rules ... now require negotiation.

    Thank you for the response and the suggestion, but it still seems to be a
    pointless artificial limitation on the IPSec implementation, isn't
    consistent with Win2000/XP/2003, and complicates the task if you just want
    to stick with using IPSec alone. This also seems rather easy to fix before
    RTM.
     
    Walter Porter, Nov 6, 2006
    #3
  4. --
    Steve Riley

    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com


    Thank you for the response and the suggestion, but it still seems to be a
    pointless artificial limitation on the IPSec implementation, isn't
    consistent with Win2000/XP/2003, and complicates the task if you just want
    to stick with using IPSec alone. This also seems rather easy to fix before
    RTM.
     
    Steve Riley [MSFT], Nov 6, 2006
    #4
  5. It was more of a happy accident that the IPsec engine in 2000/XP/2003 could be used as a rudimentary packet filter. However, it really isn't the best choice, since it lacks an understanding of TCP connection states ("stateful inspection" as it's commonly called). A firewall is the appropriate choice for performing packet filtering.

    --
    Steve Riley

    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com

     
    Steve Riley [MSFT], Nov 6, 2006
    #5