• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Microsoft IPSec Articles
• Understanding IPSec
• Configuring and Managing IPSEC
• IPSec Policies
• IPSec Security Consideration
• Monitor IPSEC
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Monitoring IPSec

Using the IP Security Monitor Snap-In to Monitor IPSec

The IP Security Monitor snap-in, a new feature in Windows Server 2003, can be used to monitor and troubleshoot IPSec activity. The IP Security Monitor snap-in provides enhanced IPSec security monitoring. As long as the IPSec policy is active, you can monitor how the IPSec policy is functioning within your networking environment through the IP Security Monitor.

The main administrative activities which you can perform through the IP Security Monitor snap-in are listed here:

• Customize the IP Security Monitor display
• Monitor IPSec information on the local computer.
• Monitor IPSec information on remote computers.
• View IPSec statistics.
• View information on IPSec policies
• View security associations information.
• View generic filters
• View specific filters
• Search for specific filters based on IP address

By default, the computer which is listed in the IP Security Monitor snap-in is the local computer. You can though add another computer(s) which you want to monitor to the IP Security Monitor snap-in.

To add other computers to the IP Security Monitor snap-in,

1. Open the IP Security Monitor.
2. In the left pane, right-click the IP Security Monitor node and then click Add Computer on the shortcut menu.

The information which is displayed in the IP Security Monitor snap-in is categorized into the following three nodes:

• Active Policy node
• Main Mode node
• Quick Mode node

IPSec information, on which IPSec policy is assigned, is displayed under the Active Policy node within the IP Security Monitor tool. This includes the following IPSec policy information:

• Policy Name
• Policy Description
• Policy Last Modified.
• Policy Store
• Policy Patch
• Organization Unit
• Group Policy Object Name

For the Main Mode and Quick Mode nodes, you can view IP Security statistics by clicking the Statistics node contained within the Main Mode node and Quick Mode node. It is this Statistics node which should be used to monitor IPSec activity:

• The Statistics node located under the Main Mode node can be used to obtain information on Phase 1 of the IPSec negotiations.
• The Statistics node located under the Quick Mode node can be used to obtain information on Phase 2 of the IPSec negotiations.

The various Main mode statistics, together with a brief description on what each statistic tracks are listed here:

• Active Acquire; indicates and tracks the number of IKE requests needed to start an IKE negotiation so that an SA can be established between two computers running IPSec. The figure displayed for this statistic includes the current IKE negotiation request and all requests which are queued by the IKE process.
• Acquire Failures; indicates the number of requests to establish SAs between IPSec computers that have failed since the last time the IPSec service started.
• Receive Failures; indicates the number of errors which took place at the time of receiving IKE messages since the last time the IPSec service started.
• Send Failures; indicates the number of errors which took place at the time of sending IKE messages since the last time the IPSec service started.
• Acquire Heap Size; indicates the number of queued outbound requests for SAs between IPSec computers.
• Receive Heap Size; indicates the number of incoming IKE messages which were successful.
• Authentication Failures; indicates the number of authentication failures that have occurred since the last time the IPSec service started. Authentication failures are typically caused by mismatched authentication methods and authentication configuration errors.
• Negotiation Failures; indicates the number of negotiation failures that have occurred since the last time the IPSec service started. Negotiation failures are typically caused by mismatched authentication methods, authentication configuration errors, and mismatched security methods and security settings.
• Invalid Cookies Received; indicates the number of cookies which was left unmatched to a Main mode SA.
• Total Acquire; indicates the total number of requests which was sent to IKE to establish a Main mode SA since the last time that the IPSec service started.
• Total Get SPI; indicates the number of requests to the IPSec driver for a Security Parameters Index (SPI).
• Key Additions; indicates the number of outbound Quick mode SAs which were added to the IPSec driver.
• Key Updates; indicates the number of inbound Quick mode SAs which were added to the IPSec driver.
• Get SPI Failures; indicates the number of failed requests to the IPSec driver for a Security Parameters Index (SPI).
• Key Addition Failures; indicates the number of failed outbound Quick mode SAs which were added to the IPSec driver.
• Key Update Failures; indicates the number of failed inbound Quick mode SAs which were added to the IPSec driver.
• ISADB List Size; indicates the total number of successful Main mode entries. This includes all queued Main mode negotiations and failed Main mode negotiations.
• Connection List Size; indicates the queued Quick mode negotiations.
• IKE Main Mode; indicates the total number of successful SAs which have been created during Main mode since the last time that the IPSec service started.
• IKE Quick Mode; indicates the total number of successful SAs which have been created during Quick mode since the last time that the IPSec service started.
• Soft Associations; indicates the total number of negotiations with computers not running IPSec which created unencrypted soft SAs.
• Invalid Packets Received; indicates the number of IKE messages that was received but was invalid. Typically caused by mismatched preshared keys.

The various Quick mode statistics, together with a brief description on what each statistic tracks are listed here:

• Active Security Associations; indicates the number of active Quick mode SAs.
• Offloaded Security Associations; indicates the number of active Quick mode SAs accelerated by certain hardware such as network adapters that can accelerate IPSec processing.
• Pending Key Operations; indicates the current number of IPSec key exchange operations which are in queue or in progress that still have to complete.
• Key Additions; indicates the number of successful Quick mode SAs added from when the computer was last started.
• Key Deletions; indicates the number of successful Quick mode SAs deleted from when the computer was last started.
• Rekeys; indicates the total number of rekey operations for Quick mode SAs from when the computer was last started.
• Active Tunnels; indicates the number of active IPSec tunnels.
• Bad SPI Packets; indicates the total number of packets which have been impacted by an incorrect or bad Security Parameter Index (SPI) from when the computer was last started.
• Packets Not Decrypted; indicates the number of packets that could not be decrypted from when the computer was last started.
• Packets Not Authenticated; indicates the number of packets for which the source could not be authenticated or verified.
• Packets With Replay Detection; indicates the total number of packets which included an invalid sequence number from when the computer was last started.
• Confidential Bytes Sent; indicates the total number of encrypted bytes sent which were encrypted through the Encapsulating Security Payload (ESP) protocol, from when the computer was last started.
• Confidential Bytes Received; indicates the total number of encrypted bytes received which were encrypted through the Encapsulating Security Payload (ESP) protocol, from when the computer was last started.
• Authenticated Bytes Sent; indicates the total number of authenticated bytes sent through the Authentication Header (AH) protocol or the Encapsulating Security Payload (ESP) protocol, from when the computer was last started.
• Authenticated Bytes Received; indicates the total number of authenticated bytes received through the Authentication Header (AH) protocol or the Encapsulating Security Payload (ESP) protocol, from when the computer was last started.
• Transport Bytes Sent; indicates the total number of bytes sent through Transport mode from when the computer was last started.
• Transport Bytes Received; indicates the total number of bytes received through Transport mode from when the computer was last started.
• Bytes Sent In Tunnels; indicates the total number of bytes sent through Tunnel mode from when the computer was last started.
• Bytes Received In Tunnels; indicates the total number of bytes received through Tunnel mode from when the computer was last started.
• Offloaded Bytes Sent; indicates the total number of bytes sent through IPSec hardware offload from when the computer was last started.
• Offloaded Bytes Received; indicates the total number of bytes received through IPSec hardware offload from when the computer was last started.

How to monitor IPSec with the Security Monitor

1. Click Start, click Run, type mmc in the Run dialog box, and then click OK.
2. Click the File Menu item and select Add/Remove Snap-in.
3. The Add/Remove Snap-in dialog box opens. Click Add.
4. The Add Standalone Snap-In dialog box opens.
5. In the Available Standalone Snap-ins list, select IP Security Monitor, and then click Add.
6. The Select Computer Or Domain dialog box opens.
7. Click the Local Computer option.
8. Click Finish.
9. Click Close to close the Add Standalone Snap-in dialog box.
10. Click OK to close the Add/Remove Snap-in dialog box.
1
11. To add another computer to the IP Security Monitor console, right-click IP Security Monitor and then select Add Computer from the shortcut menu.
1
12. To view active policy information, double-click the Active Policy node.
1
13. To view IP Security statistics for Main mode, expand the Main Mode node in the left pane and then click Statistics.
1
14. To view IP Security statistics for Quick mode, expand the Quick Mode node in the left pane and then click Statistics.

Using the Netsh command command-line utility to Monitor IPSec

The Netsh command-line utility can be used to view information on IPSec policies and to monitor IPSec on computers running Windows Server 2003. If you use the Netsh command-line utility to monitor IPSec, you can find and view exactly the same the information which is available for IPSec in the IP Security Monitor snap-in.

The netsh diag command with the additional diagnostics switches which you can use at the command prompt to monitor IPSec are listed here:

• netsh diag connect; to connect to proxy servers, mail serves, and news servers.
• netsh diag dump; to display a script used for configuration.
• netsh diag show; for displaying the following information:
• Operating system information.
• Computer information.
• Network information.
• Proxy server information
• News information.
• Mail information
• netsh diag gui; for displaying diagnostics on a Web page

Using Event Viewer to Monitor IPSec

If you configure IPSec to add events to the event logs, you can use the Event Viewer tool, located in the Administrative Tools folder, to monitor IPSec activity. Event Viewer stores events that are logged in the system log, application log, and security log.

IPSec can add events for the following:

• Successful IPSec negotiations
• Unsuccessful IPSec negotiations
• Dropped packets

If you want to log an event whenever a change is made to an IPSec policy, you can enable the Audit Policy Change policy.

A few IPSec event log messages are listed here:

• Event ID 541 (Success audit); added whenever a Main mode SA or an IPSec SA is successfully negotiated.
• Event ID 542 (Success audit); added whenever an IPSec SA is successfully deleted by IKE.
• Event ID 543 (success audit); added whenever a Main mode SA is successfully deleted by IKE.
• Event ID 544 (failure audit); logged whenever the IKE negotiation process terminates due to either of the following reasons:
• Certificate trust failure.
• Authentication failure.
• Event ID 545 (failure audit); logged whenever the IKE negotiation process terminates due to the following reason:
• Validation failure of the computer certificate signature.
• Event ID 546 (failure audit); logged whenever an SA is not created due to an invalid IKE proposal from an IPSec-enabled computer.
• Event ID 547 (failure audit); logged whenever an SA negotiation process fails, and no SA was created.

Using Network Monitor to Monitor IPSec Activity

You can use Network Monitor to monitor network traffic, and to troubleshoot network issues or problems. Network Monitor shipped with Windows Server 2003 allow you to monitor network activity and use the gathered information to manage and optimize traffic, identify unnecessary protocols, and to detect problems with network applications and services.

In order to capture frames, you have to install the Network Monitor application and the Network Monitor driver on the server where you are going to run Network Monitor. The Network Monitor driver makes it possible for Network Monitor to receive frames from the network adapter.

The two versions of Network Monitor are:

• The Network Monitor version included with Windows Server 2003: With this version of Network Monitor, you can monitor network activity only on the local computer running Network Monitor.
• The Network Monitor version (full) included with Microsoft Systems Management Server (SMS): With this version, you can monitor network activity on all devices on a network segment. You can capture frames from a remote computer, resolve device names to MAC addresses, and determine the user and protocol that is consuming the most bandwidth.

Because of these features, you can use Network Monitor to monitor and troubleshoot IPSec traffic.

To install Network Monitor

1. Click Start, and then click Control Panel.
2. Click Add Or Remove Programs to open the Add Or Remove programs dialog box.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click the Details button.
5. On the Management and Monitoring Tools dialog box, select the Network Monitor Tools checkbox and click OK.
6. Click Next when you are returned to the Windows Components Wizard.
7. If prompted during the installation process for additional files, place the Windows Server 2003 CD-ROM into the CD-ROM drive.
8. Click Finish on the Completing the Windows Components Wizard page.

To start a Network Monitor capture

1. Click Start, click Administrative Tools, and then click Network Monitor.
2. If you need to specify a network connection, expand Local Computer and then select Local Area Connection. Click OK.
3. Click the Start command on the Action menu.
4. If you want to examine captured data during the capture, select Stop And View from the Capture menu.

How to monitor IPSec logon activity

1. Click Start, click Run, type mmc in the Run dialog box, and then click OK.
2. Click the File Menu item and select Add/Remove Snap-in.
3. The Add/Remove Snap-in dialog box opens. Click Add.
4. The Add Standalone Snap-In dialog box opens.
5. In the Available Standalone Snap-ins list, select Group Policy Object Editor, and then click Add.
6. The Select Computer Or Domain dialog box opens.
7. Click the Local Computer option.
8. Click Finish.
9. Click Close to close the Add Standalone Snap-in dialog box.
10. Click OK to close the Add/Remove Snap-in dialog box.
11. Navigate to the Audit Policy node.
12. Double-click Audit Logon Events.
13. The Local Security Policy Setting dialog box opens.
14. Enable the Success checkbox and the Failure checkbox and then click OK.
15. Double-click Audit Object Access.
16. Enable the Success checkbox and the Failure checkbox.
17. Click OK.
18. You can now view the event log to determine whether IPSec negotiations were successful or not.

Bookmark Monitoring IPSec

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum