IPSec Policy Extension Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

IP Security Policy Extension Tools and Settings

In this subject

  • Resultant Set of Policies

  • Tools for Viewing IPSec Policy Assignment on Computers Running Windows Server 2003

  • Tools for Viewing IPSec Policy Assignment on Computers Running Windows 2000

  • Tools for Viewing IPSec Policy Assignment on Computers Running Windows XP

  • Tools for Managing and Monitoring IPSec Policy

  • Network Ports Used by IPSec

  • Related Information

This section is an overview of IPSec tools, in particular Resultant Set of Policy (RSoP), which is used to determine which IPSec policy settings are currently in effect for a computer or a user. RSoP is also used to assess how policy settings would affect computers or users if a specific Group Policy object were applied to them. This section also describes the Windows Server 2003 command-line tools for configuring and analyzing IPSec policy settings.

Resultant Set of Policies

Windows XP and the Windows Server 2003 family support an enhanced Group Policy infrastructure that utilizes Windows Management Instrumentation (WMI) to collect Group Policy-related data for planning and troubleshooting Group Policy. This structure is the Resultant Set of Policy (RSoP), a query engine that polls existing policy settings and planned policy settings, and then reports the results of those queries. RSoP polls existing policies based on site, domain, domain controller, and organizational unit. RSoP gathers this information from the Common Information Management Object Model (CIMOM) database (also known as CIM-compliant object repository) by using WMI.

Administrators can use RSoP in one of two modes. To determine which policy settings are in effect for a particular computer or user, administrators use Resultant Set of Policy (RSoP) Logging Mode; to evaluate how policy settings would affect a computer or user if a specific Group Policy object were applied to users or computers, they use Resultant Set of Policy (RSoP) Planning Mode.

In Windows Server 2003, you can use the Group Policy Modeling node in the Group Policy Management Console (GPMC) to access the RSoP Planning Mode capabilities of Windows Server 2003. By using this feature, administrators can simulate policy settings applied to users and computers with Group Policy before actually applying the policy settings. You can also use the Group Policy Results node of GPMC to access the RSoP Logging Mode capabilities. Group Policy Results represents the actual resultant set of policy that was applied to a given user and computer. This information is obtained by directly querying the target user or computer. Each subnode represents a different RSoP query for a given user/computer combination.

RSOP_IPSECPolicySetting

The RSOP_IPSECPolicySetting WMI class represents the policy data for the IPSec extension. The RSOP_IPSECPolicySetting class is derived from RSOP_PolicySetting, and is included in Windows Server 2003. This class was available starting with Windows Server 2003 family and might not be available in future versions of Windows.

For more detailed information about RSoP and WMI and to download SDKs, see the Microsoft Platform SDK page.

For more information about GPMC, see the Group Policy Management Console page.

Tools for Viewing IPSec Policy Assignment on Computers Running Windows Server 2003

IPSec provides support for RSoP to enhance deployment and troubleshooting of IPSec Policy in Windows Server 2003. You can run an RSoP Logging-Mode query or an RSoP Planning-Mode query to view detailed settings (the filter rules, filter actions, authentication methods, tunnel endpoints, and connection types) for the IPSec policy that is currently being applied, or would be applied if you deployed that IPSec policy.

The RSoP console displays the following information for each Group Policy object (GPO) that contains an IPSec policy assignment: the name of the IPSec policy, the name of the GPO to which the IPSec policy is assigned, the IPSec policy precedence, and the name of the site, domain, and organizational unit to which the GPO containing the IPSec policy applies (that is, the scope of management for the GPO). The lower the number in the Precedence column, the higher the precedence of the IPSec policy. A precedence of 1 indicates the IPSec policy that is being applied.

To provide support for RSoP in Windows Server 2003, the RSOP_IPSECPolicySetting WMI class was created. For more information, see RSOP_IPSECPolicySetting earlier in this document.
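As an added example (not code from the original article), the following PowerShell script reads the same logging-mode data that the RSoP console displays, straight from WMI, and lists each IPSec policy assignment with its precedence, GPO and scope of management. The namespace root\rsop\computer, the join of RSOP_PolicySetting.GPOID to RSOP_GPO.id, and the property names ipsecName, precedence, GPOID and SOMID are assumptions taken from the Platform SDK documentation for these classes and should be verified on your system.

```powershell
# Added example, not code from the original article. Lists the IPSec policy
# assignments recorded by RSoP logging mode for a computer, lowest precedence
# number (highest priority) first. A precedence of 1 is the policy in effect.
# Assumptions: Windows Server 2003 with RSoP logging enabled (the default), a
# caller who is a local administrator, and class/property names that match
# RSOP_IPSECPolicySetting, RSOP_PolicySetting and RSOP_GPO in the Platform SDK.
function Get-IPSecRsopAssignment {
    param([string]$ComputerName = ".")

    # Computer-side RSoP logging data lives in this namespace (assumed).
    $ns = "root\rsop\computer"

    # One instance per GPO that carries an IPSec policy assignment.
    $settings = Get-WmiObject -ComputerName $ComputerName -Namespace $ns `
                              -Class RSOP_IPSECPolicySetting
    if (-not $settings) {
        Write-Warning ("No RSOP_IPSECPolicySetting instances found: either no " +
                       "IPSec policy is assigned through Group Policy, or RSoP " +
                       "logging is disabled on $ComputerName.")
        return
    }

    # GPO metadata keyed by the identifier that RSOP_PolicySetting.GPOID is
    # assumed to reference, so the output shows a friendly GPO name, not a GUID.
    $gpoById = @{}
    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class RSOP_GPO |
        ForEach-Object { $gpoById[$_.id] = $_.name }

    $settings | Sort-Object precedence | Select-Object `
        @{ n = "Precedence";  e = { $_.precedence } },
        @{ n = "IPSecPolicy"; e = { $_.ipsecName } },
        @{ n = "GPO";         e = { if ($gpoById.ContainsKey($_.GPOID)) { $gpoById[$_.GPOID] } else { $_.GPOID } } },
        @{ n = "SOM";         e = { $_.SOMID } },
        @{ n = "InEffect";    e = { $_.precedence -eq 1 } }
}

# Any row other than the one with precedence 1 is a GPO whose IPSec
# assignment was overridden; this is the list to review when the policy
# that is actually in effect is not the one you expected.
Get-IPSecRsopAssignment | Format-Table -AutoSize
```

Because Windows XP does not log IPSec data to RSoP (see the Windows XP section later in this document), the query returns nothing on XP clients even when an IPSec policy is assigned.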

RSoP and the Group Policy Management Console

If you have installed Group Policy Management Console (GPMC), you can find out which policies are currently applied to a specific computer, including the IPSec policy assignments, by using the Group Policy Results node in GPMC. This runs the GPMC Group Policy Results wizard, which replaces the Resultant Set of Policy (RSoP) Logging Mode console. After the wizard completes, you can see which IPSec policy is assigned to the computer by right-clicking the computer node and then selecting Advanced View.

GPMC is available as a download from the Microsoft Web site. For more information about GPMC, see the Group Policy Management Console page.

Netsh Commands for IPSec

Netsh is a command-line scripting utility that you can run on a local or remote computer to display or modify the network configuration of a computer that is currently running. Netsh also provides a scripting feature so that you can run a group of commands in batch mode against a specified computer, and it can save a configuration script in a text file for archival purposes or to help you configure other servers.

Netsh interacts with other operating system components using dynamic-link library (DLL) files. Netsh helper DLLs provide an extensive set of features called a context, which is a group of commands specific to a networking component. These contexts extend the functionality of netsh by providing configuration and monitoring support for one or more services, utilities, or protocols. For example, Nshipsec.dll provides netsh the context and set of commands necessary to configure and manage IPSec policies and state.

To run a netsh command, you must start netsh from the Cmd.exe prompt and change to the context that contains the command you want to use. The contexts that are available to you depend on which networking components you have installed.

For computers running members of the Windows Server 2003 family, you can use the netsh commands for Internet Protocol security (the netsh ipsec context) as an alternative to the console-based management and diagnostic capabilities provided by the IP Security Policy Management and IP Security Monitor snap-ins. By using the netsh commands for IPSec, you can script IPSec configuration and change the IPSec configuration for troubleshooting. You can also use these commands to extend the security and manageability of IPSec. For example, you can use the netsh commands for IPSec to enable IPSec driver event logging, set default traffic exemptions, and configure computer startup security.

Note

  • For computers running Windows 2000, use Ipsecpol.exe, which is provided with the Windows 2000 Server Resource Kit.

  • For more information about Ipsecpol.exe, see “Ipsecpol.exe: Internet Protocol Security Policies Tool” on the download site for Windows 2000 Server Resource Kit tools.

The Netsh ipsec command supports both static and dynamic mode:

Netsh ipsec static mode commands.

You can use the netsh ipsec static commands to perform the same management tasks that you can perform by using the IP Security Policy Management console. By using these commands, you can create, modify, and assign IPSec policies without immediately affecting the configuration of the active IPSec policy.

Netsh ipsec dynamic mode commands.

You can use the netsh ipsec dynamic commands to display the active state of IPSec and to immediately change the configuration of the active IPSec policy. These commands directly configure the security policy database (SPD). Changes that you make to an IPSec policy with these commands take effect only while the IPSec service is running; if the IPSec service is stopped, the dynamic policy settings are discarded. The netsh ipsec dynamic commands perform the monitoring tasks of the IP Security Monitor snap-in and, unlike that snap-in, which only displays the active state of IPSec, they also allow you to modify it.

You can run these commands from the Windows Server 2003 command prompt or from the command prompt for the netsh ipsec context. For these commands to work at the Windows Server 2003 command prompt, you must type netsh ipsec before typing ipsec commands (such as add filter or add rule) and parameters.

To find more information about netsh ipsec, see “Command Line References” in Tools and Settings.
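The static/dynamic split described above, as an added example that is not code from the original article: a PowerShell script that builds a local IPSec policy with the netsh ipsec static context (written to the policy store, effective only once assigned), then uses the dynamic context to confirm what the IPSec service is enforcing and to set the driver logging, default exemption and startup security options the section mentions. The policy, filter list and filter action names are constructed; the command and parameter spellings are those of netsh ipsec on Windows Server 2003 and should be confirmed against the local netsh help before reuse.

```powershell
# Added example, not code from the original article. Uses the netsh ipsec
# static context to build and assign a local IPSec policy, then the dynamic
# context to confirm what the IPSec service is actually enforcing.
# Assumptions: Windows Server 2003 with PowerShell installed, an administrative
# session, and no existing objects with the constructed names below. Parameter
# spellings follow "netsh ipsec static add <object> /?" on Windows Server 2003.

$policyName = "Added Example - Block Cleartext Telnet"
$listName   = "Added Example - Inbound Telnet"
$actionName = "Added Example - Block"

# A netsh script file sidesteps the quoting problems of passing name="..."
# values from PowerShell to a native command, and can be archived as a record
# of the change, which is what the static context is intended for.
$netshScript = @"
pushd ipsec static
add policy name="$policyName" description="Blocks TCP/23 to this host" activatedefaultrule=no
add filterlist name="$listName"
add filter filterlist="$listName" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=23 mirrored=yes
add filteraction name="$actionName" action=block
add rule name="Block Telnet" policy="$policyName" filterlist="$listName" filteraction="$actionName"
set policy name="$policyName" assign=yes
show policy name="$policyName" level=verbose
show gpoassignedpolicy
popd
"@

$scriptPath = Join-Path $env:TEMP "ipsec-added-example.netsh"
Set-Content -Path $scriptPath -Value $netshScript -Encoding ASCII

# Static changes land in the local policy store and become active only at
# "set policy ... assign=yes". "show gpoassignedpolicy" reveals whether a
# domain GPO assignment overrides the local policy on a domain member.
netsh -f $scriptPath
if ($LASTEXITCODE -ne 0) { throw "netsh script failed with exit code $LASTEXITCODE" }

# Live (dynamic) view: the rules and quick-mode filters the IPSec driver is
# enforcing right now. Anything changed through this context is discarded
# when the IPSec service stops, so it is for verification and troubleshooting.
netsh ipsec dynamic show rule
netsh ipsec dynamic show qmfilter

# Security settings reachable only from the dynamic context: driver event
# logging (7 = all event categories), default exemptions (3 = exempt only IKE
# traffic, the Windows Server 2003 default) and startup behaviour (stateful
# filtering until the IPSec service has applied the assigned policy).
netsh ipsec dynamic set config property=ipsecdiagnostics value=7
netsh ipsec dynamic set config property=ipsecexempt value=3
netsh ipsec dynamic set config property=bootmode value=stateful
```

The set config values are written to the registry and need the IPSec service (or the computer, for bootmode) to restart before they take effect.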

Gpupdate

This command-line tool refreshes local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command.

Syntax

gpupdate [/target:{computer | user}] [/force] [/wait:Value] [/logoff] [/boot]

Parameters

The following table lists the Gpupdate parameters.

Gpupdate parameters

Parameter Description

/target:{computer | user}

Processes only the Computer settings or the current User settings. By default, both the computer settings and the user settings are processed.

/force

Ignores all processing optimizations and reapplies all settings.

/wait:Value

Number of seconds that policy processing waits to finish. The default is 600 seconds. A value of 0 means no wait, and -1 means wait indefinitely.

/logoff

Logs off after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the user logs on, such as user Group Policy Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require the user to log off.

/boot

Restarts the computer after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the computer starts up, such as computer Group Policy Software Installation. This option has no effect if there are no extensions called that require the computer to be restarted.

/?

Displays help at the command prompt.

Examples

The following examples show how you can use the gpupdate command:

gpupdate

gpupdate /target:computer

gpupdate /force /wait:100

gpupdate /boot

Tools for Viewing IPSec Policy Assignment on Computers Running Windows 2000

On computers running Windows 2000, you can use the Group Policy Results tool, Gpresult.exe, to display information about how Group Policy affects both the currently logged-on user and the computer.

Gpresult displays Group Policy information regarding:

  • The last time that Group Policy was applied and the domain controller that applied the Group Policy setting for the user and the computer.

  • A list of all applied GPOs and their details, including a summary of the extensions that each GPO contains.

  • Registry settings that are applied and the details.

  • Folders that are redirected and their details.

  • Disk quota information.

  • Internet Protocol (IP) Security settings.

  • Scripts.

Gpresult.exe Syntax

Gpresult.exe uses the following syntax:

gpresult [/v] [/s] [/c] [/u]

The following table lists the Gpresult parameters.

Gpresult.exe parameters

Parameter Explanation

/v

Use this parameter to run Gpresult.exe in verbose mode. When you use this parameter, the following information is displayed (in addition to the information that is typically displayed):

  • A list of the user’s security rights.

  • GPO details including globally unique identifier (GUID), friendly name, version, and source.

  • Details for the following Group Policy extensions:

    1. Administrative Templates (registry-based policy settings)

    2. Application management

    3. Disk quotas

    4. Folder redirection

    5. IP Security

    6. Scripts

/s

Use this parameter to run Gpresult.exe in super-verbose mode. When you use this parameter, the following information is displayed (in addition to the information that is typically displayed):

  • Binary values of binary registry settings (when applicable)

  • A detailed list of the programs that are displayed in the Add or Remove Programs tool in Control Panel

  • The Group Policy container and Group Policy template version numbers of the GPO

/c

Use this parameter to display information about computer settings only.

/u

Use this parameter to display information about user settings only.

The Gpresult.exe command-line tool is available in the Windows 2000 Resource Kit. To download this tool, see the Windows 2000 Server Resource Kit tools Web site.

Gpotool.exe

You can use Gpotool.exe on a domain controller to check Group Policy object integrity and monitor policy replication. GpoTool performs the following tasks:

  • Checks Group Policy object consistency. The tool reads mandatory and optional directory services properties such as version, friendly name, extension globally unique identifiers (GUIDs), and SYSVOL data (Gpt.ini). GpoTool also compares directory services and SYSVOL version numbers and performs other consistency checks. If the extensions property contains any GUID, the functionality version must be 2 and the user/computer version must be greater than 0.

  • Checks Group Policy object replication. The tool compares the Group Policy object instances from each domain controller.

  • Displays information about a particular Group Policy object, including properties that cannot be accessed by means of the Group Policy snap-in, such as functionality version and extension GUIDs.

  • Browses Group Policy objects. A command-line option can search based on either friendly name or GUID. A partial match is also supported for both name and GUID.

  • Designates preferred domain controllers. By default, all available domain controllers in the domain are used, but this can be overridden with a list of domain controllers supplied from the command line.

  • Provides cross-domain support. You can use the command-line option to check Group Policy objects in different domains.

  • Runs in verbose mode. If all the Group Policy objects are acceptable, the tool displays a validation message. If errors occur, the tool displays information about the corrupted Group Policy objects. A command-line option can turn on verbose information about each Group Policy object that is being processed.

GpoTool Syntax

gpotool [/gpo:GPO[,GPO]] [/domain:DNSname] [/dc:DC[,DC]] [/checkacl] [/verbose] [/new:GPO[,GPO...]] [/del:GPO[,GPO...]] [/?] [/help]

Where:

/gpo:GPO[,GPO] processes the preferred Group Policy objects GPO[,GPO]. Partial GUID and friendly name matches are accepted for GPO. If GPO is not specified, the tool processes all Group Policy objects in the domain.

/domain:DNSname specifies the DNS name of the domain hosting the Group Policy objects. If a name is not specified, the user’s domain is used.

/dc:DC[,DC] uses the preferred list of domain controllers DC[,DC]. If not specified, the tool finds all domain controllers in the domain.

/checkacl verifies the SYSVOL ACL. For faster processing, this step is skipped by default.

/verbose displays detailed information.

/new:GPO[,GPO...] creates new Group Policy objects with the specified friendly names GPO[,GPO...].

/del:GPO[,GPO...] deletes the Group Policy objects with the specified friendly names GPO[,GPO...].

/? or /help displays GpoTool syntax.

Tools for Viewing IPSec Policy Assignment on Computers Running Windows XP

On computers running Windows XP, IPSec does not provide RSoP information. GPMC Group Policy Results shows the GPO being processed, but it does not show which IPSec policy is assigned. To view the assigned IPSec policy, you must use the netdiag /test:ipsec command. Netdiag.exe is a command-line tool that you can use to display information about IPSec policies and statistics, report network configuration, and test basic networking capabilities and domain-based functionality.

Specifically, Netdiag.exe displays information about IPSec policy assignments, including the name of the active IPSec policy, the name of the Group Policy object that assigned the policy, and the policy path.

For Windows XP, Netdiag.exe is available for installation from the Windows XP CD. You install it by running the Setup.exe file from the \Support\Tools folder, and choosing the Complete setup option.

Netdiag.exe

On computers running Windows XP, you can use Netdiag.exe to view information about IPSec policies and statistics, report network configuration, and test basic networking capabilities and domain-based functionality.

Syntax

Netdiag uses the following syntax:

netdiag [/q] [/v] [/l] [/debug] [/d:domain_name] [/fix] [/dcaccountenum] [/test:test_name] [/skip:test_name]

Parameters

You can use the following parameters with Netdiag:

Parameter Explanation

/q

Use this parameter to specify quiet output and display errors only.

/v

Use this parameter to run Netdiag in verbose mode and display information about the actions that are performed.

/l

Use this parameter to write output to the Netdiag.log file. The Netdiag.log file is created in the same folder in which you run Netdiag.

/debug

Use this parameter to run Netdiag in debug mode. This parameter specifies a more verbose output than when you use the /v parameter.

/d:domain_name

Use this parameter to locate a domain controller in the specified domain.

/fix

Use this parameter to correct minor issues.

/dcaccountenum

Use this parameter to enumerate domain controller computer accounts.

/test:test_name

Use this parameter to specify the test or tests that you want to run, where test_name can be any of the following values:

  • Autonet: Automatic Private IP Addressing (APIPA) address test

  • Bindings: Bindings test

  • Browser: Redir and Browser test

  • DcList: Domain controller list test

  • DefGw: Default gateway test

  • DNS: Domain Name Service (DNS) test

  • DsGetDc: Domain controller discovery test

  • IpConfig: Internet Protocol (IP) address configuration test

  • IpLoopBk: IP address loopback ping test

  • IPSec: IP Security Protocol (IPSec) security test

  • IPX: Internetwork Packet Exchange (IPX) test

  • Kerberos: Kerberos Test

  • Ldap: Lightweight Directory Access Protocol (LDAP) test

  • Member: Domain membership test

  • Modem: Modem diagnostics test

  • NbtNm: NetBIOS over TCP/IP (NetBT) name test

  • Ndis: Netcard queries test

  • NetBTTransports: NetBT transports test

  • Netstat: Netstat information test

  • NetWare: NetWare test

  • Route: Routing table test

  • Trust: Trust relationship test

  • WAN: Wide Area Network (WAN) configuration test

  • WINS: Windows Internet Name Service (WINS) service test

  • Winsock: Winsock test

Example

To use Netdiag to display the currently active Internet Protocol security (IPSec) policy, type the following line:

netdiag /test:ipsec /debug

For more information about Netdiag, see the Microsoft Knowledge Base page and search for Knowledge Base article 321708, “How to: Use the Network Diagnostics Tool (Netdiag.exe) in Windows 2000.”

Tools for Managing and Monitoring IPSec

This section describes tools for administering and monitoring IPSec policies:

  • IP Security Policy Management snap-in. You can apply IPSec policies to domains, sites, organizational units, or any Group Policy object in Active Directory, as well as to the local computer. To create, modify, and assign IPSec policies, you can use the IP Security Policy Management snap-in.

  • IP Security Monitor snap-in. You can use this tool to view details about IPSec policy settings as they are applied to a computer.

IP Security Policy Management

Microsoft Windows XP and the Windows Server 2003 family provide the IP Security Policy Management snap-in, which you can use to define IPSec policies for computers through Active Directory (for domain members) or on the local computer (for computers that do not belong to domains). By using IP Security Policy Management, you can create IPSec policies to meet the security requirements of a computer, application, organizational unit, domain, site, or global corporation.

IP Security Monitor

On computers running Windows XP and the Windows Server 2003 family of operating systems, you can use the IP Security Monitor snap-in to view IPSec policy settings as they are applied to the computer. This tool monitors IPSec SAs, rekeys, negotiation errors, and other IPSec statistics.

Note

  • On computers running Windows 2000, you use the Ipsecmon.exe program to view IPSec policy settings.

You use IP Security Monitor to perform the following tasks:

  • Monitor IPSec information for the local computer and for remote computers.

  • View details about active IPSec policies, including the name, description, date last modified, store, path, organizational unit, and Group Policy object name.

  • View the following IPSec details in main mode and quick mode:

    • Generic filters and specific filters

    • Statistics

    • Security associations

  • Customize refresh rates, and use DNS name resolution for filter and security association output.

  • Search for specific main mode or quick mode filters that match any source or destination IP address, a source or destination IP address on your local computer, or a specific source or destination IP address.

Network Ports Used by IPSec

IPSec uses the following protocols and ports:

  • IPSec ESP: IP protocol 50.

  • IPSec AH: IP protocol 51.

  • ISAKMP: UDP port 500.

  • IPSec NAT-T: Destination port UDP 4500; source port of Any or UDP port 4500 (a source port of Any might be used because the network address translator might translate source port UDP 4500 to a different source port).

The following resources contain additional information that is relevant to this section.