IPSec Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

  • IPSec Tools

  • IPSec Registry Entries

  • Related Information

Use the following Internet Protocol security (IPSec) tools and registry settings to enable, configure, and manage IPSec on a computer running the Microsoft Windows Server 2003 operating system.

IPSec Tools

To manage IPSec policy in Windows Server 2003, you use three tools: the IP Security Policy Management snap-in, the Netsh IPSec context, and the Resultant Set of Policy (RSoP) snap-in. To monitor IPSec performance, you use the IP Security Monitor snap-in. If you need additional troubleshooting functionality, you can use audit logging and detailed IKE logging in Event Viewer and Network Monitor.

As the following table shows, several of the tools that you used to create and manage IPSec policies in previous versions of the Microsoft Windows operating system have been changed, replaced, or are no longer available in Windows Server 2003.

IPSec Tool Changes in Windows Server 2003

Tool          Where It Was Previously Available                                     Changes in Windows Server 2003
IPSeccmd      Support Tools folder of the Microsoft Windows XP operating system CD   Not included in Windows Server 2003. Use the Netsh IPSec context instead.
IPSecmon.exe  Microsoft Windows 2000                                                Replaced by the new IP Security Monitor snap-in.
IPSecpol.exe  Microsoft Windows 2000 Server Resource Kit                            Not included in Windows Server 2003.
Netdiag.exe   Support Tools folder of the Windows Server 2003 operating system CD    No longer includes IPSec functionality. Use the Netsh IPSec context instead.

Despite these changes, you can share IPSec policies created on computers running the Windows XP, Windows 2000, and Windows Server 2003 operating systems among any of those operating systems.

IP Security Policy Management Snap-In

Category

The IP Security Policy Management snap-in is included in Windows Server 2003.

Version compatibility

The IP Security Policy Management snap-in is available with the Microsoft Windows XP, Windows 2000 Server, and Windows Server 2003 operating systems.

To create and manage IPSec policy, you primarily use the IP Security Policy Management snap-in that is available in the Microsoft Management Console (MMC). You can use IP Security Policy Management to create, modify, and store local IPSec policies or IPSec policies based on the Active Directory directory service. Additionally, you can use IP Security Policy Management to modify IPSec policy on remote computers.

To manage local IPSec policy, you can use either IP Security Policy Management or the command line, depending on your deployment needs. It is recommended that you use IP Security Policy Management to manage Active Directory-based IPSec policy.

You use different methods to access IP Security Policy Management, depending on whether the IPSec policy is Active Directory-based or local.

To access Active Directory-based IPSec policy, do either of the following on the computer from which you want to manage policy:

  • Start IP Security Policy Management from the appropriate organizational unit (OU) in Active Directory (Group Policy).

  • Add IP Security Policy Management for Active Directory-based IPSec policy to MMC.

To access local IPSec policy for a computer, do any of the following on the computer for which you want to manage policy:

  • Start IP Security Policy Management from Local Security Policy.

  • Add IP Security Policy Management for local IPSec policy to MMC.

  • Add Group Policy Object Editor for local IPSec policy to MMC.

To create an IPSec policy, a user or process must be logged on to the computer as a member of the Domain Admins group or the local Administrators group or must be running with local system privileges.

For more information about Group Policy settings, see "Group Policy Settings Reference for Windows Server 2003" in the Tools and Settings Collection.

Resultant Set of Policy (RSoP) Snap-In

Category

RSoP is included as part of the operating system.

Version compatibility

Logging mode is available on Windows XP and later operating systems. Planning mode requires that you have a Windows Server 2003 computer as a domain controller.

To view IPSec policy assignments for a computer or for members of a Group Policy container, use the RSoP addition to Group Policy. You can use information about IPSec policy assignments to troubleshoot policy precedence issues and to plan your deployment.

To view IPSec policy assignments in RSoP, you must first open the RSoP MMC console, and then run a query. RSoP provides two types of queries: logging mode queries (for viewing IPSec policy assignments for a computer) and planning mode queries (for viewing IPSec policy assignments for members of a Group Policy container).

For more information about RSoP, see “How Core Group Policy Works” in Core Group Policy Technical Reference.

Logging mode queries

To view all of the IPSec policies that are assigned to an IPSec client, you run an RSoP logging mode query. When you run a logging mode query, RSoP retrieves policy information from the Windows Management Instrumentation (WMI) repository on the target computer, and then displays this information in the RSoP console. In this way, RSoP provides a view of the policy settings that are being applied to a computer at a given time.

The query results show the precedence of each IPSec policy assignment, so that you can quickly determine which IPSec policies are assigned but are not being applied and which IPSec policy is being applied. The RSoP console also displays detailed settings (the filter rules, filter actions, authentication methods, tunnel endpoints, and connection type) for the IPSec policy that is being applied.

Planning mode queries

To view all of the IPSec policies that are assigned to members of a Group Policy container, you run an RSoP planning mode query. A planning mode query can be useful if, for example, you are planning a company reorganization and you want to move computers from one OU to a new OU. By supplying the appropriate information and then running a planning mode query, you can determine which IPSec policies are assigned but are not being applied to the new OU and which IPSec policy is being applied. In this way, you can identify which policy would be applied if you were to move the computers to the new OU. As with logging mode queries, when you run a planning mode query, the RSoP console displays detailed policy settings for the IPSec policy that is being applied.

When you run a planning mode query, RSoP retrieves the names of the target user, computer, and domain controller from the WMI repository on the domain controller. WMI then uses the Group Policy Data Access Service (GPDAS) to create the policy settings that would be applied to the target computer, based on the RSoP query settings that you entered. RSoP reads the policy settings from the WMI repository on the domain controller, and then displays this information in the RSoP console user interface.

IP Security Monitor Snap-In

Category

IP Security Monitor is part of the operating system.

Version compatibility

In Windows 2000, IP Security Monitor was implemented as an executable program (IPSecmon.exe). In Windows XP and Windows Server 2003, IP Security Monitor is implemented as an MMC console. In Windows Server 2003, IP Security Monitor includes enhancements that allow you to:

  • Monitor IPSec information for your local computer and for remote computers.

  • View details about active IPSec policies, including the policy name, description, date last modified, store, path, OU, and Group Policy object name.

  • View main mode and quick mode generic filters and specific filters.

  • View main mode and quick mode statistics.

  • Customize refresh rates and use Domain Name System (DNS) name resolution for filter and security association output.

  • Search for specific main mode or quick mode filters that match any source or destination IP address, a source or destination IP address on your local computer, or a specific source or destination IP address.

Netsh.exe: Netsh

Category

Netsh is a command-line tool.

Version compatibility

Although you can use netsh commands with both Windows 2000 Server and Windows Server 2003, specific IPSec-related capabilities were added in Windows Server 2003.

The Netsh commands for IPSec provide a fully equivalent alternative to the console-based management and diagnostic capabilities provided by the IP Security Policy Management and IP Security Monitor consoles. You can use Netsh commands for IPSec to script IPSec policy creation, display details about IPSec policies, and change the IPSec configuration for troubleshooting. In addition, administering IPSec from the command line is useful when you want to extend the security and manageability of IPSec. For example, you can use Netsh commands for IPSec to enable IPSec driver event logging, set default traffic exemptions, and configure computer startup security.

For more information about using Netsh IPSec, see the “Command-Line Reference” in the Tools and Settings Collection.

Eventvwr.msc: Audit Logging in Event Viewer

Category

Event Viewer is part of the operating system.

Version compatibility

Event Viewer is available with Windows XP, Windows 2000 Server, and Windows Server 2003.

You can view the success or failure of Internet Key Exchange (IKE) negotiations in the Event Viewer security log. To view these events, enable success or failure auditing for the Audit logon events audit policy for your domain or local computer.

To disable audit logging, see “DisableIKEAudits” in IPSec Registry Entries.

Eventvwr.msc: Detailed IKE Logging in Event Viewer

Category

Event Viewer is part of the operating system.

Version compatibility

Event Viewer is available with Windows XP, Windows 2000 Server, and Windows Server 2003.

Enabling audit logging for IKE events and viewing the events in Event Viewer is the fastest and simplest way to troubleshoot failed main mode or quick mode negotiations. However, some scenarios might require a more detailed analysis of the IKE main mode negotiation and quick mode negotiations for troubleshooting. If the audit failure events do not provide enough information, you can enable tracing for IKE negotiations. The IKE tracing log is a very detailed log intended for troubleshooting IKE interoperability under controlled circumstances. Expert knowledge of the Internet Security Association and Key Management Protocol (ISAKMP) RFC 2408 and IKE RFC 2409 is required to interpret this log.

The IKE tracing log appears as the systemroot\Debug\Oakley.log file. The log has a fixed size of 50,000 lines and will overwrite as necessary. Each time the IPSec service is started, a new Oakley.log file is created and the previous version of the Oakley.log file is saved as Oakley.log.sav. When the Oakley.log file becomes full, it is saved as Oakley.log.bak, and a new Oakley.log file is created.

Many IKE negotiations can occur simultaneously. Therefore, to capture a more easily interpreted log, minimize the number of negotiations and log for as short a period of time as possible.

In Windows Server 2003, you can enable or disable the IKE tracing log dynamically while the IPSec service is running. You do this by using Netsh IPSec. For more information about how to enable or disable the IKE tracing log, see “Command-Line Reference” in the Tools and Settings Collection.
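The Netsh IPSec tasks named above (IPSec driver event logging, default traffic exemptions, computer startup security, and switching the IKE tracing log on and off while the service runs) as one cmd.exe script; this is an added example, not part of the original page. The property names and values are those of the netsh ipsec dynamic set config command rather than values given on this page, and the RDP boot exemption is an assumed administrative requirement.

```batch
@echo off
rem Added example (not from the original page): instrument and harden IPSec
rem on a Windows Server 2003 host from the Netsh IPSec dynamic context.
rem Run from an Administrator command prompt. Usage: ipsec-config.cmd [trace-on|trace-off]

rem 1. IPSec driver event logging: 0 = off, 7 = log all driver events
rem    (for example dropped and unauthenticated inbound packets) to the system log.
netsh ipsec dynamic set config property=ipsecdiagnostics value=7

rem 2. Default traffic exemptions: value 3 exempts only IKE (ISAKMP) traffic
rem    from IPSec filtering, so broadcast, multicast, Kerberos and RSVP
rem    traffic no longer bypass the policy.
netsh ipsec dynamic set config property=ipsecexempt value=3

rem 3. Computer startup security: block all traffic until the IPSec service
rem    has applied policy, except the listed boot exemptions
rem    (protocol:srcport:dstport:direction). Inbound RDP is kept open here
rem    so the host stays administrable; adjust to your environment (assumed).
netsh ipsec dynamic set config property=bootmode value=block
netsh ipsec dynamic set config property=bootexemptions value=tcp:0:3389:inbound

rem 4. Detailed IKE tracing (systemroot\Debug\Oakley.log) can be toggled
rem    without restarting the service. Keep it on only for the short window
rem    needed to reproduce the failing negotiation, then turn it off again.
if /i "%~1"=="trace-on"  netsh ipsec dynamic set config property=ikelogging value=1
if /i "%~1"=="trace-off" netsh ipsec dynamic set config property=ikelogging value=0

rem 5. Verify the resulting configuration and inspect IKE negotiation counters.
netsh ipsec dynamic show config
netsh ipsec dynamic show stats type=ike
```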

Netmon.exe: Network Monitor

Category

Network Monitor is available in Microsoft Systems Management Server or with Windows 2000 Server and Windows Server 2003.

Version compatibility

You can use Network Monitor to capture and view packets in Windows XP, Windows 2000, or Windows Server 2003.

To view IPSec and other network communication, you can install and use Network Monitor.

Note

  • You can use the version of Network Monitor that is provided with Windows Server 2003 to view only the network traffic that is sent to or from the computer on which Network Monitor is installed. To view network traffic that is sent to or from another computer and is routed through your computer (using the Routing and Remote Access service), you must use the version of Network Monitor that is provided with Systems Management Server.

The version of Network Monitor that is provided with Windows Server 2003 includes parsers for the ISAKMP (IKE), Authentication Header (AH), and Encapsulating Security Payload (ESP) protocols. The Network Monitor parsers for ESP can parse inside the ESP packet only if null-encryption is being used and the full ESP packet is captured. Network Monitor cannot parse the encrypted portions of IPSec-secured ESP traffic when encryption is performed in software. However, if encryption is performed by an IPSec hardware offload network adapter, the ESP packets are decrypted when Network Monitor captures them and, as a result, they can be parsed and interpreted into the upper-layer protocols. If you need to diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPSec policy on both computers.

IPSec Registry Entries

In Windows Server 2003, you can use the Netsh IPSec command-line tool to perform many of the tasks that you might have performed previously by modifying the registry.

When you enable success or failure auditing for the Audit logon events audit policy, IPSec records the success or failure of each main mode and quick mode negotiation and the establishment and termination of each negotiation as separate events. Keep in mind, however, that enabling this type of auditing can cause the security log to fill with IKE events. In Windows 2000, you cannot disable auditing of IKE events. In Windows Server 2003, however, you can disable auditing of IKE events by modifying the registry.

The following information is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows Server 2003 tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

DisableIKEAudits

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\

Version compatibility

Windows Server 2003

When you enable success or failure auditing for the Audit logon events audit policy, IPSec records the success or failure of each main mode and quick mode negotiation and the establishment and termination of each negotiation as separate events. However, enabling this type of auditing can cause the security log to fill with IKE events. For example, for servers that are connected to the Internet, attacks on the IKE protocol can fill the security log with IKE events. IKE events can also fill the security log for servers that use IPSec to secure traffic to many clients. To avoid this, you can disable auditing for IKE events in the security log by modifying the registry.

To disable auditing of IKE events in the security log, you must first create the DisableIKEAudits key and set the registry setting to a value of 1. After making this change to the registry, you must either restart the computer or stop and then restart the IPSec service by running the net stop policyagent and net start policyagent commands at the command prompt.

Note

  • Stopping and restarting the IPSec service can disconnect all of the computers that are using IPSec from the computer on which the service is stopped and it can prevent further communication with that computer. If you restart the IPSec service immediately, the retransmit behavior of TCP might cause the TCP-based communication to resume after new IKE and IPSec Security Associations (SAs) are established.
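The procedure above as a cmd.exe script that records the current state, writes the setting, restarts the IPSec service, and confirms the result; this is an added example, not part of the original page. The registry path and value name are the ones given on this page; the REG_DWORD type and the reg.exe invocation are assumptions.

```batch
@echo off
rem Added example (not from the original page): stop IKE events from filling
rem the security log on a Windows Server 2003 host. Run as Administrator.
rem Usage: disable-ike-audits.cmd [revert]   (revert sets the value back to 0)

setlocal
set AUDITKEY=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit
set VALUE=1
if /i "%~1"=="revert" set VALUE=0

rem Record the current state so the change can be reviewed or rolled back.
reg query "%AUDITKEY%" /v DisableIKEAudits 2>nul
if errorlevel 1 echo DisableIKEAudits not present yet: IKE auditing is currently on.

rem Create the Audit key if needed and set DisableIKEAudits (REG_DWORD assumed).
reg add "%AUDITKEY%" /v DisableIKEAudits /t REG_DWORD /d %VALUE% /f
if errorlevel 1 (
    echo Failed to write DisableIKEAudits; no service restart performed. 1>&2
    exit /b 1
)

rem The setting is read when the IPSec service (policyagent) starts.
rem Restarting it tears down every IPSec SA with this host; TCP retransmits
rem usually recover once new IKE and IPSec SAs are negotiated, so do this
rem in a maintenance window on servers with many IPSec peers.
net stop policyagent
net start policyagent

rem Confirm the value that is now in effect.
reg query "%AUDITKEY%" /v DisableIKEAudits
endlocal
```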

For more information about this registry entry, see the "Registry Reference for Windows Server 2003" in the Tools and Settings Collection.

Related Information

The following resources contain additional information that is relevant to this section.