tags:

views:

287

answers:

1

Hey stackoverflow,

The only method I know how to execute IPsec changes involves calling netsh to do the changes. Is there a method using System.Management and WMI objects directly? If so, what is it? I am having a hard time finding relevant WMI information with MSDN.

Or is there some other useful method someone out there has used?

EDIT: I am working in C#, and would prefer C# examples with regard to .NET System.Management based answers.

Thank you!

+1  A: 

1) Exact: WMI.

The EnableIPFilterSec WMI class static method can enable IP security globally across all IP-bound network adapters. With security enabled, security characteristics for any specific adapter can be altered with the EnableIPSec WMI class method. MSDN for the former here:

http://msdn.microsoft.com/en-us/library/aa390381%28VS.85%29.aspx

And see this MSDN entry for information about EnableIPSec and its parameters (that allow you to declare a list of ports and protocols):

http://msdn.microsoft.com/en-us/library/aa390382%28VS.85%29.aspx

Finally, this is a link to the WMI.NET code directory, where there are useful samples of code using System.Management to execute WQL queries.

http://msdn.microsoft.com/en-us/library/ms257338.aspx

NOTE:

If you need to mess around extensively with WQL tests for your ObjectQuery/SelectQuery System.Management objects, as I did, give wbemtest a try. It is the Windows Management Instrumentation tester, and makes writing, testing, and honing WQL for your applications much nicer.

2) Related: Programmatic firewall changes on Vista or later using FirewallAPI, INetFwRule Interface, and anything else one may need.

On Vista or later, using the FirewallAPI.dll is an easy option if you need ipsec functionality but don't care about the legacy PolicyAgent implementation.

I did not realize this was an option at first because I did not know that the Advanced Firewall in Vista and later truly combines IPSec and firewalling within the WFP (Windows Filtering Platform), and keeps legacy IPSec implementations going through PolicyAgent.

This means that using FirewallAPI.dll can give all the functionality of IPSec with the stateful intelligence of the firewall, which is exactly what I wanted. I just add blacklist rules (since blacklist rules take precedence), and add to the blacklist when needed through the API and WFP starts dropping the traffic. Done!

asteroid