This section describes two useful IPSec diagnostic tools that are available as part of the Windows 2000 resource kit:
Netdiag.exe
IPSecpol.exe
Before creating a new policy, determine if your system already has an existing policy. You can do this by performing the following steps:
To check for existing IPSec policy
1. Install Netdiag.exe by running the Setup.exe program from the \Support\Tools folder on the Windows 2000 Server CD. The tools are installed in C:\Program Files\Resource kit.
2. Run the following command from the command line:
netdiag /test:ipsec
3. If there are no existing filters, the output looks like the following:
IP Security test . . . . . . . . . : Passed IPSec policy service is active, but no policy is assigned.
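As an added example (not from the resource kit documentation), the following Python helper parses the output of netdiag /test:ipsec and reports whether a policy is already assigned before a new one is created. The first sample output is the line shown above; the second is constructed, since the page only shows the "no policy is assigned" form, and the parser only assumes that an assigned policy does not contain that phrase.

```python
import re
import subprocess

# Sample output copied from the documentation above (no policy assigned).
SAMPLE_NO_POLICY = (
    "IP Security test . . . . . . . . . : Passed "
    "IPSec policy service is active, but no policy is assigned."
)

# Constructed sample (assumption, not from the documentation): a host that
# already has a policy. Only the absence of "no policy is assigned" is relied on;
# the policy name is a placeholder.
SAMPLE_WITH_POLICY = (
    "IP Security test . . . . . . . . . : Passed "
    "IPSec policy service is active, policy 'EXAMPLE-POLICY' is assigned."
)

# Matches the "IP Security test . . . : Passed <detail>" line netdiag prints.
IPSEC_LINE = re.compile(r"\s*IP Security test[ .]*:\s*(\w+)(.*)")


def parse_ipsec_test(output: str) -> dict:
    """Find the IP Security test line and classify it.

    Returns found (line present), result (e.g. 'Passed') and
    policy_assigned (False when netdiag says no policy is assigned).
    """
    for line in output.splitlines():
        m = IPSEC_LINE.match(line)
        if m:
            result, detail = m.group(1), m.group(2).lower()
            return {
                "found": True,
                "result": result,
                "policy_assigned": "no policy is assigned" not in detail,
            }
    return {"found": False, "result": None, "policy_assigned": None}


def safe_to_create_policy(output: str) -> bool:
    """True only when the test passed and no IPSec policy is currently assigned."""
    info = parse_ipsec_test(output)
    return info["found"] and info["result"] == "Passed" and info["policy_assigned"] is False


def run_netdiag() -> str:
    """Run the resource kit tool on the local host (requires Netdiag.exe installed)."""
    proc = subprocess.run(["netdiag", "/test:ipsec"], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print(parse_ipsec_test(run_netdiag()))
```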
The Internet Protocol Security Policies tool (Ipsecpol.exe) helps you automate the creation of policies in local and remote registries. The tool supports the same settings that you can configure by using the MMC snap-in.
Download the tool from the Microsoft Windows 2000 Web site at http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp.
For detailed examples of using Ipsecpol.exe to create and manipulate IPSec rules, see Microsoft Knowledge Base article 813878, "How to Block Specific Network Protocols and Ports by Using IPSec."