
We've an AD Domain on Server 2008R2 (objectVersion 47) and running at 2003 functionality. Running commands on PowerShell v5.0.10586.117

IPSec policies and associated IP filter lists are used just for IP filtering (no encryption).

I believe all IPSec filter lists and policies are domain wide, GPOs only handle which single IPSec policy to apply?

I've used whatever google-fu I have on how to enumerate the many IPSec IP filters we have on domain/GPO and cannot get a meaningful result. Can get Windows Firewall with Advanced Security results successfully using Get-NetFirewallRule and Show-NetFirewallRule.

Tried these commands, Get-NetIPsecRule and Show-NetIPsecRule, using their -PolicyStore argument, such as:

```powershell
# Always results in empty even if the GPO in question has a policy assigned.
# However am looking for all IP filters specified (which are domain wide as far as I can see)
Get-NetIPSecRule -PolicyStore domain.fqdn.com\GPO_Friendly_Name

# Fails as no GPO is specified
Get-NetIPSecRule -PolicyStore domain.fqdn.com
```

netsh commands so far have been on the local machine or a remote machine, which doesn't work for this situation.

Please feel free to correct my above assumptions if they're wrong. Any help would be appreciated! Thank you!

HP_PH
  • What does `Get-NetIPSecRule -PolicyStore ActiveStore -TracePolicyStore -PolicyStoreSourceType GroupPolicy` return? – AdminOfThings Mar 12 '19 at 18:15
  • It errors out with the following: `Get-NetIPsecRule : No MSFT_NetConSecRule objects found with property 'PolicyStoreSourceType' equal to 'GroupPolicy'. Verify the value of the property and retry.` – HP_PH Mar 12 '19 at 20:40
  • I tried it with the other `PolicyStoreSourceType` and it fails. Looks like it's looking at local machine for rules and none are applied to the local machine as I'm looking at the many rules that are associated with the domain. – HP_PH Mar 15 '19 at 14:45
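One thing the question's commands and the comment thread keep running into is that `Get-NetIPsecRule` only reads Windows Firewall with Advanced Security connection security rules (the Vista-era store), while filter lists created with the classic "IP Security Policy Management" snap-in at the 2003 level are published as objects in Active Directory. The script below is an added example, not code from the question or from Microsoft; it assumes the RSAT ActiveDirectory module is available, that the legacy policies live under `CN=IP Security,CN=System,<domain DN>` (the container the classic IPsec policy agent uses), and that the `ipsecFilter`, `ipsecNFA` and `ipsecPolicy` classes carry the `ipsecName`, `ipsecID`, `ipsecData`, `ipsecNFAReference`, `ipsecFilterReference` and `ipsecNegotiationPolicyReference` attributes from the AD schema. It lists every filter list in the domain, walks each policy down to the filter lists its rules use, and flags filter lists no rule references.

```powershell
# Added example (not from the question): enumerate legacy 2003-style IPsec
# policy objects stored in Active Directory. Assumes the RSAT ActiveDirectory
# module and the CN=IP Security,CN=System container described in the lead-in.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$ipsecBase = "CN=IP Security,CN=System,$domainDn"

# ipsecData is an opaque binary blob holding the actual filter entries; only
# its size is reported here so the output stays readable.
$props = 'ipsecName', 'ipsecID', 'ipsecData',
         'ipsecNFAReference', 'ipsecFilterReference', 'ipsecNegotiationPolicyReference'

function Get-LegacyIpsecObject {
    param([Parameter(Mandatory)][string]$ObjectClass)
    Get-ADObject -SearchBase $ipsecBase -LDAPFilter "(objectClass=$ObjectClass)" -Properties $props
}

# 1. Every IP filter list defined in the domain (what the question asks for).
Write-Output "== IP filter lists (ipsecFilter) =="
Get-LegacyIpsecObject -ObjectClass ipsecFilter |
    Select-Object ipsecName, ipsecID,
        @{ n = 'DataBytes'; e = { if ($_.ipsecData) { $_.ipsecData.Length } else { 0 } } } |
    Format-Table -AutoSize

# 2. Policies -> rules (ipsecNFA) -> the filter list each rule points at, so
#    you can see which filter lists a given policy actually applies.
Write-Output "== Policies -> rules -> filter lists =="
foreach ($policy in Get-LegacyIpsecObject -ObjectClass ipsecPolicy) {
    Write-Output ("Policy: {0}" -f $policy.ipsecName)
    foreach ($nfaDn in @($policy.ipsecNFAReference)) {
        if (-not $nfaDn) { continue }
        $nfa = Get-ADObject -Identity $nfaDn -Properties ipsecName, ipsecFilterReference
        $filterName = if ($nfa.ipsecFilterReference) {
            (Get-ADObject -Identity $nfa.ipsecFilterReference -Properties ipsecName).ipsecName
        } else {
            '<no filter list>'
        }
        Write-Output ("  Rule: {0,-40} Filter list: {1}" -f $nfa.ipsecName, $filterName)
    }
}

# 3. Filter lists that no rule references: candidates for clean-up, and a
#    common source of "I see more filters than any policy uses" confusion.
$referenced = Get-LegacyIpsecObject -ObjectClass ipsecNFA |
    ForEach-Object { $_.ipsecFilterReference } |
    Where-Object { $_ }
Get-LegacyIpsecObject -ObjectClass ipsecFilter |
    Where-Object { $referenced -notcontains $_.DistinguishedName } |
    ForEach-Object { Write-Output ("Unreferenced filter list: {0}" -f $_.ipsecName) }
```

Run it from a domain-joined host with read access to the System container (any authenticated user can normally read it). Because the policies live in AD rather than in a GPO's own settings, the GPO only records which single `ipsecPolicy` object to assign, which matches the assumption in the question; the filter lists themselves are domain-wide objects regardless of which GPO assigns them.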

0 Answers