Add a single IP:
netsh ipsec static add filter filterlist = allow access ports srcaddr = 192.168.60.20 staddr = me dstport = 80 protocol = TCP
Add Subnet:
netsh ipsec static add filter filterlist = allow access to port = 192.168.60.0 srcaddr for srcmask = 255.255.255.0 dstaddr Me dstport A = = 80 = the TCP Protocol
Which, srcaddr is the source address, destaddr is the destination address, "me" said the host's own all IP, destport is the destination port. filterlist is the name of the IP filter list