Lesson 7: Monitoring IPSec

To view how your IPSec policies and rules are being used in your network, you may want to monitor IPSec. In this lesson, you use several tools to do just that. You focus on IPSec monitoring tools like IPSECMON.EXE, Event Viewer, Performance Monitor, and Network Monitor. These tools help you to maintain a secure, IPSec-rich network.

After this lesson, you will be able to

  • Troubleshoot IPSec with IPSECMON.EXE
  • Troubleshoot IPSec with Event Viewer
  • Troubleshoot IPSec with Network Monitor
  • Describe troubleshooting with an IPSECPA.LOG or OAKLEY.LOG file

Estimated lesson time: 20 minutes

IPSec Management and Troubleshooting Tools

Windows 2000 provides tools that you can use to manage, monitor, and troubleshoot IPSec. This section provides an overview of these tools.

Management Tools

  • The IP Security Policy Management snap-in creates and edits policies (the Group Policy Editor can also be used).
  • The IP Security Management tool is also on the default Start/Programs/Administrative Tools menu.

Monitoring and Troubleshooting Tools

IP Security Monitor (IPSECMON.EXE), illustrated in Figure 9.25, is started at a command prompt. This tool monitors IP SAs, rekeys, negotiation errors, and other IP Security statistics.

Figure 9.25 IP Security Monitor

IPSec Statistics

The following IPSec statistics can be measured using IP Security Monitor.

  • Active Associations. Count the number of active SAs.
  • Confidential Bytes Sent/Received. Total of bytes sent and received using the ESP protocol.
  • Authenticated Bytes Sent/Received. Total of bytes sent and received using the AH protocol.
  • Bad SPI Packets. Total number of packets for which the security parameters index (SPI) was wrong. The SPI is used in conjunction with the destination IP address in the standard IP header and IPSec header to identify an IPSec SA. If the SPI is bad, it may mean that the inbound SA has expired but that a packet using the old SPI has just arrived. This number is likely to increase if rekey intervals are short and there are a large number of SAs. Because SAs expire normally, a bad SPI packet does not necessarily indicate that IPSec is failing.
  • Packets Not Decrypted. Total number of packets that failed decryption. As with bad SPI packets, this failure may indicate that a packet arrived for which the SA had expired. If the SA expires, the session key used to decrypt the packet dies, too. This does not necessarily indicate that IPSec is failing.
  • Packets Not Authenticated. Similar to Bad SPI Packets and Packets Not Decrypted, this is the total number of packets containing data that could not be verified. The most likely cause is an expired SA.
  • Key Additions. The total number of keys that IKE has sent to the IPSec driver. This indicates the total number of successful Phase 2 negotiations.

ISAKMP/Oakley (IKE) Statistics

The following IKE statistics can be measured using IP Security Monitor:

  • Oakley Main Modes. Total number of successful IKE SAs created during Phase 1 negotiations.
  • Oakley Quick Modes. Total number of successful IPSec SAs created during Phase 2 negotiations. Because these SAs may expire at different rates, this number will not necessarily match the Main Modes number.
  • Soft Associations. Total number of Phase 2 negotiations that resulted in agreements to send using clear text. This typically reflects the number of associations formed with non-IPSec-aware computers.
  • Authentication Failures. Total number of identity authentication failures (Kerberos, user certificate, manually configured passwords). This is not the same statistic as Packets Not Authenticated (message authentication through hashing).


To reset the statistics in IP Security Monitor, restart the IP Security Policy Agent.

Performance Monitor includes IPSec objects and counters that can be examined. In addition, the following IPSec-related events are written to the event logs:

  • Policy agent and IPSec driver events in the system log
  • Oakley events in the application log
  • IKE events (SA details) in the security log (if logon auditing is enabled)

These related events can also be recorded and then later analyzed in Event Viewer.

Using Network Monitor

Network Monitor version 2.0 is a useful troubleshooting tool that is included with IPSec. Both the limited version included with Windows 2000 Server and the full version included with Microsoft Systems Management Server version 2.0 feature parsers for IKE, AH, and ESP. Network Monitor captures all information transferred over a network interface at any given time.

Network Monitor version 2.0 contains parsers for IPSec packets. If IPSec is encrypting the packets, the contents are not visible, but the packet itself is. If only authentication is being used, the entire packet, including its contents, will be visible. ESP is displayed as IP protocol number 50 (decimal) and AH is displayed as 51 (decimal). ISAKMP/Oakley is displayed as UDP port number 500 (decimal).


The ESP data itself is not readable because of the encryption.

Practice: Using Network Monitor to View Clear Text Traffic

In this practice, you use Network Monitor to capture and view the data being sent across the wire between your computer and your second computer. Network Monitor version 2.0 contains parsers for IPSec and IKE packets. Network Monitor gets the packet after IPSec has processed it, so if IPSec encrypts the packet, the contents will not be visible.


Do the entire practice on both computers. This exercise is done one computer at a time.

Exercise 1: Viewing IPSec Integrity Packets (AH Format)

  1. Start Network Monitor and set the capture network to the media access control (MAC) address of the network card that connects to the second system.


    You can run Ipconfig with the /all parameter to find the MAC address of your network interface card.

  2. In the Local Security Settings MMC interface, assign the Two Computer Policy (from the practice in Lesson 5).
  3. Start capturing packets with Network Monitor.
  4. Run the Ipsecmon utility.
  5. Ping your second computer's IP address.

    You may have to repeat this step, as ping has a very short time-out, and there is some delay in establishing the IPSec association between the two computers.

  6. Stop and view the Network Monitor trace.
  7. View Ipsecmon.
  8. Double-click the first Internet Control Message Protocol (ICMP) packet.
  9. Notice that you see lines indicating headers for frame, Ethernet, IP, and AH.
  10. From the details pane, expand the IP entry.
  11. Record the IP Protocol number.

    Scroll to the bottom of the IP details and click on IP Data: Number Of Data Bytes Remaining = 64 (0x0040). Notice the IP payload is in clear text. The data in a ping is abcdefghij…

IPSec has created an ICV from the IP, ICMP, and Data fields of the frame. By doing this, IPSec prevents someone from capturing the data, altering it, and resending the bad data. When you look at the Hex pane you can still see the 32 characters sent in the ping. By configuring the AH security method, you ensure authentication but do not encrypt the data in the packet. AH just makes sure that the packet data, as well as most parts of the IP header, such as source and destination IP addresses, are not modified. Next you will look at packets using the ESP security method that will encrypt the data part of the IP packet.

Practice: Using Network Monitor to View Encrypted Traffic

In this practice, you use Network Monitor to set ESP encryption and view encrypted packets.

Exercise 1: Setting ESP encryption

Before you can view the encrypted packets (not the content itself), you need to set the ESP encryption.

  1. Unassign the Two Computer Policy.
  2. Edit the Two Computer Policy by right-clicking on it, then click Properties.
  3. Click the Filter Action tab.
  4. Edit the active New Filter Action.
  5. Click Edit to modify the Security Method.
  6. Change Medium to High (ESP).
  7. Close all dialog boxes.
  8. Assign the Two Computer Policy.

Exercise 2: Viewing ESP Packets

Once ESP encryption is enabled, you can use Network Monitor to capture and view the ESP packets.

  1. Begin capturing packets with Network Monitor.
  2. Run the Ipsecmon utility.
  3. Ping the second computer's IP address.

    You may have to repeat this step, as ping has a very short time-out, and there is some delay in establishing the IPSec association between the two computers.

  4. Stop and view the Network Monitor trace.
  5. View Ipsecmon.
  6. Double-click the first ESP frame.
  7. This time you will see four entries in the details pane: Frame, Ethernet, IP, and ESP. IPSec has created a hash of the ICMP and Data fields of the frame.
  8. Expand the IP section and record the IP Protocol.
  9. Scroll to the bottom of the IP details and double-click the IP: Data: Number Of Data Bytes Remaining = 76 (0x004C) line. Look at the Hex pane; you will see the data has been encrypted.

Practice: Using Diagnostic Aids

In this practice, you use the IPSec Monitor diagnostic aid to verify that IPSec is active and to view the active SAs.

Using IPSec Monitor

Windows 2000 Server contains a monitoring tool for IPSec called IPSecmon. Run this tool to see active security associations, "soft" or "hard," on the local or remote machines. It does not show failed SAs or other filters.

Click Start, point to Run, then type ipsecmon [computer name]. For each soft or hard SA, you see one line in the white box. The column on the left titled Policy Name is the name of the policy that had been assigned and enforced on the computer. The Negotiation Policy column is actually the specific security method that was agreed to during the negotiation. An attempt is made to resolve the IP addresses for source and destination to DNS names.

There are a number of global statistics to note that have accumulated since the computer was last started:

  • ISAKMP/Oakley Main Mode and Quick Mode - Successful IPSec SAs will initially cause one ISAKMP/Oakley Main Mode and one Quick Mode. Key renewal operations are generally reflected as additional quick modes.
  • The total number of confidential (ESP) or authenticated (ESP and AH) bytes sent or received for all "hard" SAs is shown on the left. Because ESP provides both confidentiality and authenticity, both counters are incremented. Because AH provides only authenticity and not confidentiality, only the authenticated-bytes-sent counter is incremented.
  • The total number of soft associations is shown on the right.
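As an added illustration (not part of the training kit), the following Python parser shows what Network Monitor sees for the two frame types from the practices above (AH as IP protocol 51 with the ping payload in clear text and 64 IP data bytes; ESP as protocol 50 with only SPI and sequence readable and 76 bytes) and applies the counter rule just described. The frames, SPIs, and the exact byte tally are constructed assumptions here, not captured data or the tool's own accounting.

```python
import struct

# IP protocol numbers as Network Monitor displays them (from the lesson)
PROTO_ESP, PROTO_AH = 50, 51

def parse_ipsec_frame(pkt: bytes) -> dict:
    """What Network Monitor shows for one IPv4 frame: for AH (51) the header
    (next-header, payload-length, SPI, sequence, ICV) and the clear-text ICMP/data
    after it; for ESP (50) only SPI and sequence, the rest is ciphertext."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    payload = pkt[ihl:total_len]              # "IP Data: Number Of Data Bytes Remaining"
    info = {"protocol": proto, "ip_data_bytes": len(payload)}
    if proto == PROTO_AH:
        ah_len = (payload[1] + 2) * 4         # RFC 4302 payload length: 32-bit words minus 2
        spi, seq = struct.unpack("!II", payload[4:12])
        info.update(name="AH", spi=spi, seq=seq, next_header=payload[0],
                    icv=payload[12:ah_len], readable=True, inner=payload[ah_len:])
    elif proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(name="ESP", spi=spi, seq=seq, readable=False, inner=None)
    else:
        info.update(name="IP protocol %d" % proto, readable=True, inner=payload)
    return info

def ipsecmon_byte_counters(frames) -> dict:
    """Assumed approximation of the IP Security Monitor tally: ESP bytes count as
    both confidential and authenticated, AH bytes only as authenticated."""
    counters = {"confidential_bytes": 0, "authenticated_bytes": 0}
    for info in map(parse_ipsec_frame, frames):
        if info["name"] in ("ESP", "AH"):
            counters["authenticated_bytes"] += info["ip_data_bytes"]
        if info["name"] == "ESP":
            counters["confidential_bytes"] += info["ip_data_bytes"]
    return counters

# --- constructed sample frames (not a real capture) ---
def _ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       bytes([192, 168, 0, 1]), bytes([192, 168, 0, 2])) + payload

PING_DATA = bytes(ord("a") + i % 23 for i in range(32))      # Windows ping payload, 32 bytes
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + PING_DATA  # 8-byte ICMP header + data
# AH: 24-byte header (12-byte ICV) + 40-byte ICMP echo = 64 IP data bytes, as in the practice
AH_FRAME = _ipv4(PROTO_AH, struct.pack("!BBHII", 1, 4, 0, 0x1001, 1) + b"\x11" * 12 + ICMP_ECHO)
# ESP: SPI+seq (8) + 8-byte IV + 48 bytes ciphertext (40 data, 6 pad, 2 trailer) + 12 ICV = 76
ESP_FRAME = _ipv4(PROTO_ESP, struct.pack("!II", 0x2002, 1) + b"\x22" * 8 + b"\xee" * 48 + b"\x33" * 12)
```

Calling parse_ipsec_frame on AH_FRAME returns the ping text in inner after the 8-byte ICMP header, while ESP_FRAME yields only the SPI and sequence number.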

Exercise 1: Verifying that IPSec is Active and Viewing the Active SAs

  1. Open Network And Dial-Up Connections from Control Panel.
  2. Right-click on Local Area Connection, and then click Properties.
  3. Select Internet Protocol (TCP/IP), and then click Properties.
  4. Click Advanced.
  5. Click the Options tab, select IP Security, and then click Properties.

    If the computer is using local policy, the name of the local policy is shown under Use This IP Security Policy. If you are using policy assigned through the Group Policy mechanisms in Active Directory services, the dialog is grayed out and the name of the assigned policy is shown in the same box.

Lesson Summary

Windows 2000 Server has several tools that can be used to manage and troubleshoot IPSec. The IP Security Policy Management snap-in for MMC allows you to create and edit policies. IP Security Monitor allows you to measure a variety of IPSec statistics, which can be used to determine the efficiency and security of your network. Network Monitor can be used to view encrypted packets. Together, these tools allow you to monitor and troubleshoot IPSec communications on your network.

MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
