IPSec Troubleshooting Tools

Administrators can use a number of IPSec troubleshooting tools to assist them with their IPSec policy configurations.

IPSec Monitor

You can use the IPSec Monitor MMC to view details about an active IPSec policy that is applied to a domain or on the local system. You can also use it to search for all matches for filters of a specific traffic type in a domain or on the local system.

Note: When IPSec Monitor is used remotely, the remote systems must be running the same version of the Windows operating system as the locally monitoring system. To monitor by running IPSECMON on a remote system that runs a different version of Windows than your computer, use Remote Desktop Connection or Terminal Services instead.


You can also use the IPSec Monitor MMC to view details about IKE policies, negotiation policies, and active IPSec policy details. On systems in the Windows Server 2003 family, use the IP Security Monitor console and the netsh ipsec static show gpoassignedpolicy command from netsh to view the name of the active IPSec policy.

The netsh Command

A number of commands can be used with netsh. The following list describes the main options for its use. For more details, see "Need to Know More?" at the end of this chapter. To access help from the command line, use the syntax shown in this example:

 C:\Documents and Settings\jzandri>netsh
 netsh>help

The following commands are available:

  • .. - Goes up one context level.
  • ? - Displays a list of commands.
  • abort - Discards changes made while in offline mode.
  • add - Adds a configuration entry to a list of entries.
  • alias - Adds an alias.
  • bridge - Changes to the netsh bridge context.
  • bye - Exits the program.
  • commit - Commits changes made while in offline mode.
  • delete - Deletes a configuration entry from a list of entries.
  • diag - Changes to the netsh diag context.
  • dump - Displays a configuration script.
  • exec - Runs a script file.
  • exit - Exits the program.
  • help - Displays a list of commands.
  • interface - Changes to the netsh interface context.
  • offline - Sets the current mode to offline.
  • online - Sets the current mode to online.
  • popd - Pops a context from the stack.
  • pushd - Pushes the current context on the stack.
  • quit - Exits the program.
  • ras - Changes to the netsh ras context.
  • routing - Changes to the netsh routing context.
  • set - Updates configuration settings.
  • show - Displays information.
  • unalias - Deletes an alias.

The following subcontexts are available:

 bridge diag interface ras routing

To view help for a command, type the command, followed by a space, and then type ?.

Tip: On Windows 2000 systems, you can use Netdiag.exe (netdiag /test:ipsec) to view the name of the active IPSec policy. To review IPSec settings, open the network connection's Properties dialog box and view the advanced options in the TCP/IP Properties dialog box (choose Start, Control Panel, Network Connections, Local Area Connection, and then click the Properties button). The assigned IPSec policy displayed in the TCP/IP Properties dialog box applies to the entire system, regardless of the number of NICs installed locally.


Resultant Set of Policy

You can use the Resultant Set of Policy (RSoP) MMC to review IPSec policy assignments for a computer or for members of a Group Policy container. To view IPSec policy assignments in the RSoP MMC, run a logging mode query, which is used for viewing IPSec policy assignments for a computer, or a planning mode query, which is used for viewing IPSec policy assignments for members of a Group Policy container.

The RSoP logging mode query can be used to view all IPSec policies assigned to a particular IPSec client. The query results display the precedence of each IPSec policy assignment and show which IPSec policies are assigned but not being applied and which IPSec policy is being applied. The RSoP MMC also displays detailed settings, such as filter rules, filter actions, authentication methods, and so on, for the IPSec policy being applied.

The results shown in the RSoP MMC give you a view of the policy settings being applied to the system. The RSoP planning mode query can be used to view all IPSec policies assigned to members of a Group Policy container by gathering the names of the target user, computer, and domain controller from the Windows Management Instrumentation (WMI) repository on the domain controller. The query enables you to get an idea of the changes you can expect by moving systems from one OU to another. When you run a planning mode query, the RSoP MMC displays detailed policy settings for the IPSec policy being applied.

The Group Policy Management Console (GPMC) available in Windows Server 2003 is used for managing Group Policies. This combination MMC has the Active Directory Users and Computers, Active Directory Sites and Services, and Resultant Set of Policy snap-ins added by default.

With the new GPMC, administrators can now back up and restore Group Policy objects (GPOs) without having to bring a domain controller offline and perform an authoritative restore. You can also copy and import GPOs and WMI filters, get detailed information on GPO and RSoP data, and search GPOs.

You can also use the system Event Viewer and the Security Audit Logs to view any IPSec-related events logged for the policy agent. You should check the Security Audit Logs for Oakley informational messages and messages about failed IPSec communications. The following examples show System log messages related to IPSec and ISAKMP/Oakley that you can find in the Event Log. For example, the following message indicates whether an IPSec policy is in effect on the computer, specifies the source of the IPSec policy (local or domain), and indicates the Active Directory polling interval if the policy source is the domain.

 
 System Log Informational Event 279 Source: PolicyAgent Category: None 

This message also specifies whether changes to an IPSec policy have been detected in the policy source. In this case, the text displayed is Updating IPSec Policy.

The following message indicates that PolicyAgent was unable to contact Active Directory for the domain in which the computer is a member:

 
 System Log Error Event 284 Source: PolicyAgent Category: None 

These next examples are Security log messages related to IPSec and ISAKMP/Oakley. The following message indicates that an IPSec hard security association has been established. (Soft security associations are not audited.)

 
 Security Log Success Audit event 541 Source: Security Category: Logon/Logoff 

The following message indicates that an IPSec hard or soft security association has ended:

 
 Security Log Success Audit event 542 Source: Security Category: Logon/Logoff 

These next examples show some Application log messages related to IPSec and ISAKMP/Oakley. The following message indicates that the export client cannot generate domestic-strength key material; the resulting negotiation agrees only on export-strength key material:

 
 Application Warning Event 541 Source: Oakley Category: None 

The following message indicates that the export client cannot perform encryption stronger than DES; the resulting negotiation agrees only on DES (provided the other computer can do DES):

 
 Application Warning Event 542 Source: Oakley Category: None 
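The event IDs above are only meaningful together with their log and source: Security log 541/542 (Source: Security) report IPSec SA establishment and teardown, while Application log 541/542 (Source: Oakley) warn that an export client negotiated down to export-strength keys or DES. The following script is an added example, not from the book, that triages a constructed tab-separated event export by keying on (log, source, ID) and flags the records a defender should escalate (PolicyAgent 284 and the two Oakley downgrade warnings); the export line layout is an assumption.

```python
# Added example: classify exported Windows event records using the IPSec-related
# event IDs listed in this section. Records are keyed on (log, source, id)
# because IDs 541/542 mean different things in the Security and Application logs.
from typing import Dict, List, NamedTuple, Optional, Tuple

class Event(NamedTuple):
    log: str
    event_id: int
    source: str
    message: str

# (log, source, id) -> (severity, meaning), taken from the text above.
IPSEC_EVENTS: Dict[Tuple[str, str, int], Tuple[str, str]] = {
    ("System", "PolicyAgent", 279): ("info", "IPSec policy in effect; source and AD polling interval"),
    ("System", "PolicyAgent", 284): ("error", "PolicyAgent could not contact Active Directory"),
    ("Security", "Security", 541): ("audit-success", "IPSec hard SA established"),
    ("Security", "Security", 542): ("audit-success", "IPSec hard or soft SA ended"),
    ("Application", "Oakley", 541): ("warning", "export client: only export-strength key material negotiated"),
    ("Application", "Oakley", 542): ("warning", "export client: only DES encryption negotiated"),
}
# Loss of the policy source and crypto downgrades deserve a closer look.
ESCALATE = {("System", "PolicyAgent", 284), ("Application", "Oakley", 541), ("Application", "Oakley", 542)}

def parse_line(line: str) -> Optional[Event]:
    """Parse one assumed export line: log<TAB>id<TAB>source<TAB>message."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4 or not parts[1].isdigit():
        return None
    return Event(parts[0], int(parts[1]), parts[2], parts[3])

def classify(ev: Event) -> Optional[dict]:
    key = (ev.log, ev.source, ev.event_id)
    if key not in IPSEC_EVENTS:
        return None
    severity, meaning = IPSEC_EVENTS[key]
    if key == ("System", "PolicyAgent", 279) and "Updating IPSec Policy" in ev.message:
        meaning = "IPSec policy change detected in the policy source"
    return {"log": ev.log, "source": ev.source, "id": ev.event_id,
            "severity": severity, "meaning": meaning, "escalate": key in ESCALATE}

def triage(lines: List[str]) -> List[dict]:
    hits = [classify(ev) for ev in map(parse_line, lines) if ev is not None]
    return [h for h in hits if h is not None]

# Constructed sample export (not real log data).
SAMPLE = [
    "System\t279\tPolicyAgent\tUpdating IPSec Policy",
    "Security\t541\tSecurity\tIKE security association established.",
    "Application\t541\tOakley\tExport client cannot generate domestic-strength key material.",
    "System\t284\tPolicyAgent\tUnable to contact Active Directory.",
    "System\t7036\tService Control Manager\tThe IPSEC Services service entered the running state.",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(("ESCALATE" if hit["escalate"] else "ok"), hit["log"], hit["source"], hit["id"], hit["meaning"])
```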


MCSE 70-293 Exam Cram: Planning and Maintaining a Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736195
Year: 2004
