This is the built-in help made by Microsoft for the command 'New-NetIPsecPhase1AuthSet', in PowerShell version 3, as retrieved from the
Windows version 'Microsoft Windows Server 2012 Standard' PowerShell help files on 2016-06-23.
For PowerShell version 3 and up, where Update-Help is available, that command was run just before the web pages were created from the help files.
Creates a phase 1 authentication set that specifies the methods offered for main mode first authentication during IPsec negotiations.
New-NetIPsecPhase1AuthSet [-AsJob [<SwitchParameter>]] [-CimSession <CimSession[]>] [-Default [<SwitchParameter>]] [-Description <String>] [-GPOSession <String>] [-Group <String>] [-Name <String>] [-PolicyStore <String>] [-ThrottleLimit <Int32>] -DisplayName <String> -Proposal <CimInstance[]> [-Confirm [<SwitchParameter>]] [-WhatIf [<SwitchParameter>]] [<CommonParameters>]
The New-NetIPsecPhase1AuthSet cmdlet creates a set of authentication methods to use during IPsec negotiations. The first phase of
authentication is typically a computer authentication method such as Kerberos v5, certificate, or pre-shared key authentication.
A phase 1 authentication set contains an ordered list of computer authentication proposals. A proposal is created by running the
New-NetIPsecAuthProposal cmdlet. During the main mode negotiation, the first proposal that both peers have in common will be used for mutual
authentication. A NetIPsecPhase1AuthSet object and a NetIPsecMainModeCryptoSet object provide all of the necessary security association (SA)
parameters for a NetIPsecMainModeRule object. Use the Get-NetIPsecMainModeSA cmdlet to monitor the SAs that are created.
The newly created authentication set can be associated with one or more IPsec rules using the Set-NetIPsecRule cmdlet or the
Set-NetIPsecMainModeRule cmdlet.
RELATED LINKS
Get-NetIPsecMainModeCryptoSet
Get-NetIPsecMainModeSA
New-NetIPsecMainModeCryptoSet
New-NetIPsecPhase2AuthSet
New-NetIPsecRule
Rename-NetIPsecMainModeCryptoSet
Open-NetGPO
Save-NetGPO
Set-NetIPsecMainModeCryptoSet
Set-NetIPsecMainModeRule
Set-NetIPsecRule
New-NetIPsecAuthProposal
New-NetIPsecMainModeCryptoProposal
New-GPO
EXAMPLES
EXAMPLE 1
PS C:\> $cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root
PS C:\> $cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root
PS C:\> $certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal
PS C:\> # $certAuthSet is a phase 1 (computer) set, so the rule binds it by Name through -Phase1AuthSet
PS C:\> New-NetIPsecRule -DisplayName "Authenticate with Certificates Rule" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet $certAuthSet.Name
This example creates a rule that requires that incoming connections are authenticated by using either of two computer certificates. The
computer also requests authentication for outbound connections, but allows an outbound connection if authentication is not successful.
EXAMPLE 2
PS C:\> $mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos
PS C:\> $mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM
PS C:\> $p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "First Computer Auth" -Proposal $mkerbauthprop,$mntlmauthprop
PS C:\> $ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos
PS C:\> $unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM
PS C:\> $anonyauthprop = New-NetIPsecAuthProposal -Anonymous
PS C:\> $p2Auth = New-NetIPsecPhase2AuthSet -DisplayName "Second User Auth" -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop
PS C:\> New-NetIPsecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $p1Auth.Name -Phase2AuthSet $p2Auth.Name
This example creates a rule that requires a first, or computer, authentication and attempts an optional second, or user, authentication.
EXAMPLE 3
PS C:\> $proposal1 = (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1)
PS C:\> $proposal2 = (New-NetIPsecMainModeCryptoProposal -Encryption AES192 -Hash MD5 -KeyExchange DH14)
PS C:\> $proposal3 = (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH19)
PS C:\> $mmCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "Main Mode Crypto Set" -Proposal $proposal1,$proposal2,$proposal3
PS C:\> New-NetIPsecMainModeRule -DisplayName "Custom Main Mode Rule" -MainModeCryptoSet $mmCryptoSet.Name
This example creates a main mode rule linked to a cryptographic set that contains three cryptographic proposals.
EXAMPLE 4
PS C:\> $cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root
PS C:\> $cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root
PS C:\> $certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal
PS C:\> New-NetIPsecMainModeRule -DisplayName "Main Mode Authenticate with Certificates Rule" -Phase1AuthSet $certAuthSet.Name
This example creates a main mode rule that requires that incoming connections are authenticated by using either of two computer certificates.
EXAMPLE 5
PS C:\> $proposal1 = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root
PS C:\> $poAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $proposal1
PS C:\> $proposal2 = New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1
PS C:\> $mmCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "dhgroup2:3des-sha256,3des-sha384" -Proposal $proposal2
PS C:\> New-NetIPsecMainModeRule -DisplayName "Alternate Main Mode Rule" -LocalAddress Any -RemoteAddress 192.168.0.5 -Phase1AuthSet $poAuthSet.Name -MainModeCryptoSet $mmCryptoSet.Name
This example creates a main mode rule that specifies using alternate authentication and security methods for clients that communicate with the
server at address 192.168.0.5 only.
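The description above makes two points that the examples only show in passing: proposal order is preference order (the first proposal both peers share is the one used), and a set is bound to a rule by its Name. The following is an added example, not part of the Microsoft help page, that builds a set with that ordering in mind and then audits every phase 1 set in the store for proposals that offer pre-shared key or anonymous authentication. The CA distinguished name and display names are constructed; the audit step assumes each proposal object exposes its method in an AuthenticationMethod property, as the cmdlets display it.

```powershell
# Added example (not from the Microsoft help page).
# 1. Build the proposals strongest-first: Kerberos for domain members, then a
#    computer certificate chained to our own root CA. The CA DN is constructed.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$certProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "C=US,O=EXAMPLE,CN=Example Root CA" -AuthorityType Root

# 2. Create the phase 1 set. The array order is the negotiation preference:
#    a peer that offers both methods will settle on Kerberos.
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Auth: Kerberos then Cert" `
    -Description "Order = preference; first common proposal wins" `
    -Proposal $kerbProposal,$certProposal

# 3. Bind the set to a main mode rule by Name (the rule parameter takes the
#    set's Name, not the object).
New-NetIPsecMainModeRule -DisplayName "Main Mode: Computer Auth" -Phase1AuthSet $authSet.Name

# 4. Audit every phase 1 set in the store: list the ordered proposals and flag
#    any set that offers a pre-shared key or anonymous method anywhere in the list,
#    since a peer only needs one common proposal to authenticate.
#    Assumption: AuthenticationMethod is the property holding the method name.
$reviewPattern = 'Anonymous|PreShared|PSK'
Get-NetIPsecPhase1AuthSet | ForEach-Object {
    $methods = @($_.Proposal | ForEach-Object { "$($_.AuthenticationMethod)" })
    $assessment = if (($methods -join ',') -match $reviewPattern) { 'REVIEW' } else { 'ok' }
    [pscustomobject]@{
        Name        = $_.Name
        DisplayName = $_.DisplayName
        Proposals   = ($methods -join ' > ')
        Assessment  = $assessment
    }
} | Format-Table -AutoSize
```

The audit step changes nothing; the New-* lines accept -WhatIf (see the syntax above) to preview the creation before committing it to the policy store.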