Chapter Summary




  • The simplest way to deploy IPSec is to configure IPSec policies by using the Group Policy Object Editor and distributing the GPOs by using Active Directory.

  • You can configure IPSec policies on individual computers by using command-line tools; domain IPSec policies, if any are assigned, override these local policies. For Windows Server 2003, use Netsh to create IPSec policies from the command line. Use IPSecCmd for computers running Windows XP; use IPSecPol for computers running Windows 2000.

  • If not all IPSec peers are members of a trusted Active Directory domain (so Kerberos authentication is not available between them), you can use certificates to authenticate computers. Windows Server 2003 includes Certificate Services, which can be used to issue certificates for IPSec.

  • To audit IPSec negotiations, first enable success or failure auditing for Audit Policy Change and possibly for Audit Process Tracking. Then use Event Viewer to examine the Security event log.

  • To analyze packets that are dropped, enable IPSec driver event logging by using the Netsh command on Windows Server 2003. (Other versions of Windows require adding a registry value to enable IPSec driver event logging.) Then use Event Viewer to examine the System event log.

  • When you need detailed troubleshooting information, enable IKE tracing by using Netsh. Then examine the %systemroot%\Debug\Oakley.log file.

  • You can isolate IPSec authentication problems by temporarily changing both peers to the Preshared Key authentication method. Authentication problems when using Kerberos are often caused by one of the IPSec peers not being able to reach a domain controller. IPSec authentication using certificates will fail if a private key is not associated with the certificate.

  • Firewalls, routers, and other packet-filtering devices between the peers must allow UDP port 500 (IKE negotiation), UDP port 4500 (IKE and UDP-encapsulated ESP when NAT traversal is in use), and IP protocol ID 50 (ESP) for ESP IPSec communications to succeed. If AH is used, IP protocol ID 51 must be allowed as well.
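The following batch script is an added example, not part of the training kit: it strings together the Windows Server 2003 Netsh steps from the bullets above, first building and assigning a local IPSec policy (the deployment bullet), then switching on the IKE tracing and IPSec driver logging used for troubleshooting. The policy name, filter list name, SQL server address and port are assumptions chosen for illustration; the registry values shown for Windows XP/2000 are the equivalents of the Netsh switches, as the driver-logging bullet mentions.

```batch
@echo off
rem Added example (not from the training kit). Run from a cmd prompt as an
rem administrator on Windows Server 2003. Names and addresses are assumptions.

set POLICY=Require ESP to SQL
set SERVER=192.168.1.10

rem 1. Create the policy unassigned so a half-built policy is never in effect.
netsh ipsec static add policy name="%POLICY%" description="ESP required for SQL traffic" assign=no

rem 2. Filter list: this host <-> SQL server on TCP 1433, mirrored so replies match too.
netsh ipsec static add filterlist name="SQL traffic"
netsh ipsec static add filter filterlist="SQL traffic" srcaddr=me dstaddr=%SERVER% protocol=TCP srcport=0 dstport=1433 mirrored=yes

rem 3. Filter action: negotiate ESP (3DES/SHA1). inpass=no and soft=no mean a
rem    failed negotiation drops the traffic instead of falling back to clear text.
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rule that ties the list and action together; Kerberos for domain members.
netsh ipsec static add rule name="SQL rule" policy="%POLICY%" filterlist="SQL traffic" filteraction="Require ESP" kerberos=yes

rem 5. Assign the local policy and verify it. A domain IPSec policy, if one is
rem    assigned to this computer, still takes precedence over this local policy.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose

rem --- Troubleshooting switches ---
rem IKE tracing to %systemroot%\Debug\Oakley.log (set value 0 to turn it off).
netsh ipsec dynamic set config ikelogging 1

rem IPSec driver logging of dropped packets to the System event log
rem (7 = all events, 0 = off); takes effect after the IPSec services restart.
netsh ipsec dynamic set config ipsecdiagnostics 7
net stop policyagent
net start policyagent

rem Windows XP / Windows 2000 have no netsh ipsec context; the same logging is
rem enabled through the registry (assumed equivalents of the switches above):
rem reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v EnableDiagnostics /t REG_DWORD /d 7 /f
rem reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley /v EnableLogging /t REG_DWORD /d 1 /f

rem While reproducing the problem, watch main-mode and quick-mode SAs and counters.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
netsh ipsec dynamic show stats
```

Leave IKE tracing and driver diagnostics on only for the duration of the investigation: Oakley.log grows quickly and driver logging at level 7 adds noise to the System log on a busy host. When isolating an authentication failure, the same `add rule` line can be re-run with `psk="..."` instead of `kerberos=yes` on both peers, as the authentication bullet suggests, and switched back once the Kerberos or certificate problem is found.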






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
Year: 2004
Pages: 217
