PowerShell Script to implement ipsec rule

Question

I am troubleshooting an issue in our local IT infrastructure. Some time ago a GPO was pushed that blocked traffic from our IT administration program to our production devices.

Long story short the big company made a decision which wrongly affects our very specific IT needs/design in our department.

Due to sheer coincidence we managed to resolve the issue by manually adding an IPSEC security exception on a device to solve a different issue.

Now the below dodgy attempt by me to make a PS command is just a base as the correct parameters are still to be decided after meeting with multiple sides of the business and IT.

But to reduce the time I need to implement the solution on hundreds of our devices I would like to get a script working where I just have to add or adjust the parameters when I receive the word "go"

I would need the command below to be useable with an input (list/array) of all our devices. I am looking into the CimSession cmdlet but I struggle to come up with a solution to loop through a list/array and add both the target computer and its IP address to the script.

Thank you in advance for your tips on how to proceed.

With the responses below I have expanded the script to the following:

    ```Powershell
# Ask for the csv file
$CsvLocation = Read-Host -Prompt 'input the location of the csv file (for 
example c:\Users\USERNAME\Documents\workstations.csv)'
$CsvFile = Import-CSV -Path $CsvLocation
# Create empty Hash Table
$Machines = @{Workstation = "Test" ; IP = "123"}
# create a hashtable to store the parameters in for splatting
$ruleParams = @{
Confirm              = $false
Enabled              = $true
Description          = 'This rule is instated to allow MobiControl 
Administration to be performed on this device.'
DisplayName          = 'MobiControl connection'
IPsecRuleName        = 'Mobicontrol connection'
OutboundSecurity     = 'None'
InboundSecurity      = 'None'
Platform             = '6.1+'
PolicyStore          = 'PersistentStore'
Profile              = 'Any'
RemoteAddress        = '10.133.120.207'
RequireAuthorization = $false
Protocol             = 'any'
}

# For each Element in the csv file add name and ip address to the hash 
table
$CsvFile | ForEach-Object {
$Workstation = $_.Workstation
$IpAddress = [System.Net.Dns]::GetHostAddresses($Workstation) |
   Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object - 
ExpandProperty IpAddressToString
$Machines.add($Workstation, $IpAddress)
# fill in the two remaining parameters with the IP address and computer 
name
<# test print contents
Read-Host  "press enter to see the values for hostname and ip address"
Echo $Machines.keys
Read-Host  "press enter to continue"
#>
$ruleParams['LocalAddress'] = $_.Value     # IP Address
$ruleParams['CimSession']   = $_.Key       # HostName
# execute using the ruleParams splat
Write-Host "Creating IPsecRule on computer $() with IP address $()"
# New-NetIPsecRule @ruleParams

}

This looks to be more in the direction I want. Any obvious flaws? the input csv file would just be a list of workstation names.

Testing the code all seems to be in working order up until the execution of the New-NetIPsecRule. The values inside the hashtable $Machines are non valid inputs for their related parameters.

Answer 1

The way you add the parameters to the cmdlet is incorrect and would require the much hated backticks at the end of each line, preceeded with a space.

Similar that, but much better is to use Splatting

# create a hashtable to store the parameters in for splatting
$ruleParams = @{
    Confirm              = $false
    Enabled              = $true
    Description          = 'This rule is instated to allow MobiControl Administration to be performed on this device.'
    DisplayName          = 'MobiControl connection'
    IPsecRuleName        = 'Mobicontrol connection'
    OutboundSecurity     = 'None'
    InboundSecurity      = 'None'
    Platform             = '6.1+'
    PolicyStore          = 'PersistentStore'
    Profile              = 'Any'
    RemoteAddress        = '10.133.120.207'
    RequireAuthorization = $false

    # I'm not sure about the Protocol parameter..
    # The docs say it is a String, but also refer to the Get-NetFirewallPortFilter
    # cmdlet where this parameter is a string array (String[])
    Protocol            = 'TCP,UDP'
}

# now iterate over the $machines hashtable, fill in the two missing parameters in the hash and execute
$machines.GetEnumerator() | ForEach-Object { 
    $CimSession = Get-CimSession -ComputerName $_.Key
    # fill in the two remaining parameters with the IP address and computer name
    $ruleParams['LocalAddress'] = $_.Value     # IP Address
    $ruleParams['CimSession']   = $CimSession
    # execute using the ruleParams splat
    Write-Host "Creating IPsecRule on computer $($_.Key) with IP address $($_.Value)"
    New-NetIPsecRule @ruleParams
    $CimSession | Remove-CimSession
}

Disclaimer.. I cannot try this myself, and as I'm not sure the Protocol parameter should be a single comma separated string or a string array, please try this on a limited test set of machines first.

P.S. When creating the $machines hashtable, change this line

$IpAddress = [System.Net.Dns]::GetHostAddresses($Workstation) |
Where-Object { $_.AddressFamily -eq 'InterNetwork' } | select IpAddressToString

into

$IpAddress = [System.Net.Dns]::GetHostAddresses($Workstation) |
Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -ExpandProperty IpAddressToString