Exporting and Importing IPSec Policies

How can I export an IPSec Policy from one computer and import it to another computer?

As written in previous articles (see related articles at bottom of page), Windows 2000/XP/2003 machines have a built-in IP security mechanism called IPSec (IP Security). IPSec is a protocol that’s designed to protect individual TCP/IP packets traveling across your network by using public key encryption. Besides encryption, IPSec will also let you protect and configure your server/workstation with a firewall-like mechanism.
When working on one single computer you can easily set up and assign IPSec Policies either from the Command Prompt by using the NETSH command, or from an MMC console that’s loaded with the IP Security snap-in.
However when working with more than one computer, one might need a better way than going through each computer and re-configuring the IPSec Policy. We need a method in which we can use the same IPSec Policy on multiple computers, or at least have the same policy set up on a number of computers.
One method of configuring many computers to use the same IPSec Policy is to Configuring IPSec Policies through GPO. However in this article we will use the second method – exporting the IPSec Policy to an .IPSEC file, then importing this file to other computers.
There are 2 methods for exporting and importing IPSec Policies:

Method #1 – Using the GUI

Probably easier for most people.
Export

1. Open an MMC window (Start > Run > MMC).
2. Add the IP Security and Policy Management Snap-In.

 

3. In the Select which computer this policy will manage window select the local computer (or any other policy depending upon your needs). Click Close then click Ok.

 

4. Right-click IP Security Policies in the left pane of the MMC console. Select All Tasks and then Export Policies.

 

5. Browse to the location where you want to save the file, give it a name and select Save.

 

5. File is now ready for importing, either by the GUI or by using NETSH.

Important Security Warning: Exporting IPSec Policies to a file might reveal pass phrases used by various IPSec Policies if file is stolen or left on a public share. If you’re using Kerberos or Digital Certificates in your IPSec Policies then there is no security issue.
Import

1. In the same MMC as before, right-click IP Security Policies in the left pane of the MMC console. Select All Tasks and then Import Policies.

 

2. Browse to the location where you saved the file, give it a name and select Open.

 

5. IPSec Policy is now ready and you can easily assign it by right-clicking it and selecting Assign.

 

Method #2 – Using NETSH

Requires a bit of Command Prompt knowledge, but still quite useful for batch operations.
Export
Open a Command Prompt and type:

​netsh ipsec static exportpolicy c:'temp'ipsec_policy.ipsec

Import
Open a Command Prompt and type:

​netsh ipsec static importpolicy c:'temp'ipsec_policy.ipsec

Related articles

You may find these related articles of interest to you:

• Block Ping Traffic with IPSec
• Block Web Browsing but Allow Intranet Traffic with IPSec
• Block Web Browsing with IPSec
• Configuring IPSec Policies through GPO
• Secure IPSec Policy Agent