

Remarks:

      - Rule name should be unique and cannot be "all".
      - When mode=tunnel, tunnel endpoints must be specified,
        except when the action is noauthentication.
        When specific IP addresses are entered, they must be
        the same IP version.
        In addition, when configuring dynamic tunnels:
        Tunnel endpoints can be set to any. Local tunnel
        endpoint need not be specified for Client policy
        (i.e. any).
        Remote tunnel endpoints need not be specified for
        Gateway Policy (i.e. any).
        Also, action must be requireinrequireout, requireinclearout,
        or noauthentication.
      - requireinclearout is not valid when mode=Transport.
      - At least one authentication must be specified.
      - Auth1 and auth2 can be comma-separated lists of options.
      - Computerpsk and computerntlm methods cannot be specified together
        for auth1.
      - Computercert cannot be specified with user credentials for auth2.
      - Certsigning options ecdsap256 and ecdsap384 are only supported on 
        Windows Vista SP1 and later.
      - Qmsecmethods can be a list of proposals separated by a ",".
      - For qmsecmethods, integrity=md5|sha1|sha256|aesgmac128|aesgmac192|
        aesgmac256|aesgcm128|aesgcm192|aesgcm256  and
        encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256.
      - If aesgcm128, aesgcm192, or aesgcm256 is specified, it must be used for
        both ESP integrity and encryption.
      - Aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, aesgcm256,
        sha256 are only supported on Windows Vista SP1 and later. 
      - Qmpfs=mainmode uses the main mode key exchange setting for PFS.
      - The use of DES, MD5 and DHGroup1 is not recommended. These
        cryptographic algorithms are provided for backward compatibility
        only.
      - The default value for certmapping and excludecaname is 'no'.
      - The " characters within CA name must be replaced with \'
      - For auth1ca and auth2ca, the CA name must be prefixed by 'CN='.
      - catype can be used to specify the Certification authority type -
        catype=root/intermediate
      - authnoencap is supported on Windows 7 and later.
      - authnoencap means that the computers will only use authentication,
        and will not use any per packet encapsulation or encryption
        algorithms to protect subsequent network packets exchanged as part
        of this connection.
      - QMPFS and authnoencap cannot be used together on the same rule.
      - AuthNoEncap must be accompanied by at least one AH or ESP integrity
        suite.
      - applyauthz can only be specified for tunnel mode rules.
      - exemptipsecprotectedconnections can only be specified
        for tunnel mode rules. By setting this flag to "Yes", 
        ESP traffic will be exempted from the tunnel. 
        AH only traffic will NOT be exempted from the tunnel. 
      - Valuemin (when specified) for a qmsecmethod should be between 5-2880
        minutes. Valuekb (when specified) for a qmsecmethod should be
        between 20480-2147483647 kilobytes.
      - Certhash specifies the thumbprint, or hash of the certificate.
      - Followrenewal specifies whether to automatically follow renewal
        links in certificates. Only applicable for certificate section
        (requires certhash).
      - Certeku specifies the comma separated list of EKU OIDs to match
        in the certificate.
      - Certname specifies the string to match for certificate name
        (requires certnametype).
      - Certnametype specifies the certificate field for the certname
        to be matched against (requires certname).
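
The qmsecmethods constraints above can be checked before a rule is deployed. The following is an added example, not part of the netsh help text: a small Python linter for a qmsecmethods value. It assumes the proposal syntax ah:<integrity>+esp:<integrity>-<encryption>+<N>min+<N>kb and authnoencap:<integrity> from the command's usage text, which these remarks do not reproduce; the function name and the "none" encryption value are also assumptions.

```python
import re

# Algorithm names and limits are copied from the remarks above.
INTEGRITY = {"md5", "sha1", "sha256", "aesgmac128", "aesgmac192", "aesgmac256",
             "aesgcm128", "aesgcm192", "aesgcm256"}
ENCRYPTION = {"3des", "des", "aes128", "aes192", "aes256",
              "aesgcm128", "aesgcm192", "aesgcm256"}
GCM = {"aesgcm128", "aesgcm192", "aesgcm256"}
WEAK = {"des", "md5"}                      # "not recommended" in the remarks
LIMITS = {"min": (5, 2880), "kb": (20480, 2147483647)}


def lint_qmsecmethods(value, qmpfs_set=False):
    """Return a list of findings for a qmsecmethods= value (hypothetical helper)."""
    findings = []
    for proposal in (p.strip() for p in value.lower().split(",")):
        for part in proposal.split("+"):
            life = re.fullmatch(r"(\d+)(min|kb)", part)
            if life:                       # lifetime component: valuemin / valuekb
                lo, hi = LIMITS[life.group(2)]
                if not lo <= int(life.group(1)) <= hi:
                    findings.append(f"{proposal}: {part} outside {lo}-{hi}")
                continue
            proto, _, suite = part.partition(":")
            integ, _, enc = suite.partition("-")
            if proto not in ("ah", "esp", "authnoencap") or integ not in INTEGRITY:
                findings.append(f"{proposal}: unrecognised part '{part}'")
                continue
            # "none" as ESP encryption is an assumption; the remarks do not list it.
            if proto == "esp" and enc not in ENCRYPTION | {"none"}:
                findings.append(f"{proposal}: unknown encryption '{enc}'")
            if proto == "esp" and (integ in GCM or enc in GCM) and integ != enc:
                findings.append(f"{proposal}: AES-GCM must be used for both "
                                "ESP integrity and encryption")
            if proto == "authnoencap" and qmpfs_set:
                findings.append(f"{proposal}: authnoencap cannot be combined with qmpfs")
            for alg in sorted({integ, enc} & WEAK):
                findings.append(f"{proposal}: {alg} is not recommended")
    return findings


if __name__ == "__main__":
    # Constructed sample value, not taken from a real policy.
    sample = "esp:sha1-aes256+60min+100000kb,esp:aesgcm128-aes128,ah:md5+esp:md5-des+3min"
    for finding in lint_qmsecmethods(sample):
        print(finding)
```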