Administrators can use a number of IPSec troubleshooting tools to assist them with their IPSec policy configurations.

IPSec Monitor

You can use the IPSec Monitor MMC to view details about an active IPSec policy that is applied to a domain or on the local system. You can also use it to search for all matches for filters of a specific traffic type in a domain or on the local system.
You can also use the IPSec Monitor MMC to view details about IKE policies, negotiation policies, and active IPSec policy details. On systems in the Windows Server 2003 family, use the IP Security Monitor console and the netsh ipsec static show gpoassignedpolicy command from netsh to view the name of the active IPSec policy.

The netsh Command

A number of commands can be used with netsh. The following list describes the main options for its use. For more details, see "Need to Know More?" at the end of this chapter. To access help from the command line, use the syntax shown in this example:

C:\Documents and Settings\jzandri>netsh
netsh>help
The following commands are available:

The following subcontext is available:
bridge diag interface ras routing

To view help for a command, type the command, followed by a space, and then type ?.
Resultant Set of Policy

You can use the Resultant Set of Policy (RSoP) MMC to review IPSec policy assignments for a computer or for members of a Group Policy container. To view IPSec policy assignments in the RSoP MMC, run a logging mode query, which is used for viewing IPSec policy assignments for a computer, or a planning mode query, which is used for viewing IPSec policy assignments for members of a Group Policy container.

The RSoP logging mode query can be used to view all IPSec policies assigned to a particular IPSec client. The query results display the precedence of each IPSec policy assignment and show which IPSec policies are assigned but not being applied and which IPSec policy is being applied. The RSoP MMC also displays detailed settings, such as filter rules, filter actions, authentication methods, and so on, for the IPSec policy being applied. The results shown in the RSoP MMC give you a view of the policy settings being applied to the system.

The RSoP planning mode query can be used to view all IPSec policies assigned to members of a Group Policy container by gathering the names of the target user, computer, and domain controller from the Windows Management Instrumentation (WMI) repository on the domain controller. The query enables you to get an idea of the changes you can expect by moving systems from one OU to another. When you run a planning mode query, the RSoP MMC displays detailed policy settings for the IPSec policy being applied.

The Group Policy Management Console (GPMC) available in Windows Server 2003 is used for managing Group Policies. This combination MMC has the Active Directory Users and Computers, Active Directory Sites and Services, and Resultant Set of Policy snap-ins added by default. With the new GPMC, administrators can now back up and restore Group Policy objects (GPOs) without having to bring a domain controller offline and perform an authoritative restore.
You can also copy and import GPOs and WMI filters, get detailed information on GPO and RSoP data, and search GPOs.

You can also use the system Event Viewer and the Security Audit Logs to view any IPSec-related events logged for the policy agent. You should check the Security Audit Logs for Oakley informational messages and messages about failed IPSec communications. The following examples show System log messages related to IPSec and ISAKMP/Oakley that you can find in the Event Log.

For example, the following message indicates whether an IPSec policy is in effect on the computer, specifies the source of the IPSec policy (local, domain), and indicates the Active Directory polling interval, if the policy source is the domain:

System Log Informational Event 279
Source: PolicyAgent
Category: None

This message also specifies whether changes to an IPSec policy have been detected in the policy source. In this case, the text displayed is Updating IPSec Policy.

The following message indicates that PolicyAgent was unable to contact Active Directory for the domain in which the computer is a member:

System Log Error Event 284
Source: PolicyAgent
Category: None

These next examples are Security log messages related to IPSec and ISAKMP/Oakley. The following message indicates that an IPSec hard security association has been established. (Soft security associations are not audited.)

Security Log Success Audit Event 541
Source: Security
Category: Logon/Logoff

The following message indicates that an IPSec hard or soft security association has ended:

Security Log Success Audit Event 542
Source: Security
Category: Logon/Logoff

These next examples show some Application log messages related to IPSec and ISAKMP/Oakley. The following message indicates that the export client cannot generate domestic-strength key material; the resulting negotiation agrees only on export-strength key material:

Application Warning Event 541
Source: Oakley
Category: None

The following message indicates that the export client cannot perform encryption stronger than DES; the resulting negotiation agrees only on DES (provided the other computer can do DES):

Application Warning Event 542
Source: Oakley
Category: None
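The following script is an added example, not from the chapter, that pulls the events described above together into one health check: it prints the GPO-assigned policy name via netsh and then counts each (log, source, event ID) combination, keeping the Security-log 541/542 (IPSec SAs) separate from the Application-log Oakley 541/542 (weak-crypto warnings), because the IDs collide. The lookback window $Hours and the use of Get-EventLog (which reads the classic System, Security and Application logs) are assumptions; reading the Security log requires local administrator rights.

```powershell
# Added example (not from the book): summarize IPSec-related events by log,
# source and ID, using the meanings given in the chapter text.
# $Hours is an assumed lookback window; adjust as needed.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Name of the active GPO-assigned IPSec policy (command from the chapter).
Write-Host 'GPO-assigned IPSec policy:'
netsh ipsec static show gpoassignedpolicy

# (Log, Source, EventID) -> meaning. Note 541/542 exist in two logs.
$known = @(
    @{ Log='System';      Source='PolicyAgent'; Id=279; Meaning='Policy source / AD polling interval (informational)' },
    @{ Log='System';      Source='PolicyAgent'; Id=284; Meaning='PolicyAgent could not contact Active Directory' },
    @{ Log='Security';    Source='Security';    Id=541; Meaning='IPSec hard SA established' },
    @{ Log='Security';    Source='Security';    Id=542; Meaning='IPSec hard or soft SA ended' },
    @{ Log='Application'; Source='Oakley';      Id=541; Meaning='Only export-strength key material negotiated' },
    @{ Log='Application'; Source='Oakley';      Id=542; Meaning='Only DES encryption negotiated' }
)

foreach ($k in $known) {
    # Filter on EventID after retrieval; InstanceId can differ from the displayed ID.
    $events = Get-EventLog -LogName $k.Log -Source $k.Source -After $since -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq $k.Id }
    $count = @($events).Count
    Write-Host ("{0,-11} {1,-12} {2,4}  {3,5} event(s)  {4}" -f $k.Log, $k.Source, $k.Id, $count, $k.Meaning)

    # Oakley 541/542 mean a peer held the negotiation at weak cryptography; list each occurrence.
    if ($k.Source -eq 'Oakley' -and $count -gt 0) {
        $events | ForEach-Object { Write-Warning ("{0}  {1}" -f $_.TimeGenerated, $_.Message) }
    }
    # Event 284 means the domain policy may be stale on this computer.
    if ($k.Source -eq 'PolicyAgent' -and $k.Id -eq 284 -and $count -gt 0) {
        Write-Warning 'PolicyAgent could not reach AD; the applied IPSec policy may be out of date.'
    }
}
```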