Managing IPSec


EXAM 70-293 OBJECTIVE 3.3.1, 5, 5.6.2

Windows Server 2003 comes with two handy tools for managing IPSec. These include the IP Security Policy Management MMC snap-in and the netsh utility (for those who love to use the command-line to execute commands).

IPSec policies are used to apply security at various levels within a network. IPSec policies can be applied to a computer, application, OU, domain, or site. You can create, modify, and add IPSec policies to these Active Directory objects using the IP Security Policy Management console. Each IPSec policy can be configured to store more than one rule, so different traffic types can be affected by each policy.

The following sections describe the IPSec management tools, and then how to manage IPSec policies.

Using the IP Security Policy Management MMC Snap-in

You can use the IPSec console to manage IPSec policies and to add and remove filters applied to the IPSec policies. IPSec filtering is used to permit or block certain types of IP traffic. With IPSec filtering, you can secure workstations from outside security hazards.

Follow these steps to install and access the IP Security Policy Management console:

  1. Select Start | Run, type mmc, and click OK.

  2. In the empty console, select File | Add/Remove Snap-In.

  3. Click the Add button and scroll down to the IP Security Policy Management snap-in, as shown in Figure 10.6.

    Figure 10.6: Add the IP Security Policy Management Console to the MMC

  4. Click the Add button. The next window asks you to select the appropriate computer or domain that this snap-in will be used to configure. For this example, choose Local computer, as shown in Figure 10.7. Then click the Finish button.

    Figure 10.7: Select the Computer or Domain to Manage

  5. Select Close, and then click OK. The IP Security Policy Management console will open, as shown in Figure 10.8.

    Figure 10.8: The Newly Created IP Security Policy Management Console

  6. Double-click IP Security Policies on Local Computer. The three basic policy templates are now displayed in the right pane, as shown in Figure 10.9.

    Figure 10.9: The Three Standard IPSec Policies in the IP Security Policy Management Console

Now you can use the IP Security Policy Management console to define, assign, and manage IPSec policies.

Using the netsh Command-line Utility

netsh is a command-line utility provided in Windows Server 2003 that you can use to control IPSec. This command can be used for managing advanced features of IPSec, including the following:

  • Enabling IPSec driver event logging

  • Configuring startup security on computers

  • Viewing details of IPSec policies

  • Troubleshooting IPSec configurations

  • Setting default traffic exemptions

To use the netsh utility to manage IPSec, you need to switch it to the ipsec context. Open a command prompt window (select Start | Run, type cmd, and click OK). In the command prompt window, type netsh ipsec. The IPSec command syntax you use at the prompt will depend on whether you are using IPSec static or dynamic mode commands. These two command modes have different functions in IPSec, as follows:

  • netsh ipsec static mode commands Used to perform the same functions as the IP Security Policy Management and IP Security Monitor consoles. These commands allow you to create, modify, and assign IPSec policies, without affecting the current IPSec policy configuration.

  • netsh ipsec dynamic mode commands Used to display the current state of IPSec; using these commands will immediately affect the configuration of the IPSec policy.

Some netsh commands and switches are shown in Table 10.2. To view all of the available switches, type netsh /? at the prompt. All computers on which you wish to use the netsh utility for IPSec policy configurations must be members of the Windows Server 2003 family.

Table 10.2: netsh Command Switches

  Command                                  Description
  netsh ipsec static add policy name       Creates an IPSec policy with the specified name
  netsh ipsec static delete all            Removes all IPSec policies, filter lists, and filter actions
  netsh ipsec dynamic set policy name      Immediately sets a policy name
  netsh ipsec dynamic delete policy name   Immediately removes a policy name
  netsh ipsec dynamic export policy name   Immediately exports all IPSec policies to a specific file

Note

You cannot use the netsh utility to configure IPSec on Windows XP machines. Instead, you must obtain the Windows XP installation CD and go to the Support/Tools folder, where you will find the Ipseccmd.exe utility. For IPSec policy configuration, you must use ipsecpol.exe, which is located in the Windows 2000 Server Resource Kit.

Exam Warning

Because the ability to use the ipsec context to manage IPSec with the netsh command-line utility is new to Windows Server 2003, it is likely that Exam 70-293 will contain questions on this topic. Be certain that you have a good understanding of all the netsh ipsec commands and know the difference between static mode and dynamic mode.

Default IPSec Policies

IPSec has a predefined set of default policies that can be implemented via the IP Security Policy Management console. The set includes Client (Respond Only), Server (Request Security), and Server (Require Security). The following sections explain the usage and settings for each default policy.

Client (Respond Only)

Client (Respond Only) is the least secure default policy. You might wish to implement this policy for intranet computers that need to respond to IPSec requests but do not require secure communications. If you implement this policy, the computer will use secured data communications when requested to do so by another computer.

This policy uses the default response rule, which creates dynamic IPSec filters for inbound/outbound traffic based on the port/protocol requested. The policy settings are as follows:

  • IP Filter List: All

  • Filter Action: None

  • Authentication: Kerberos

  • Tunnel Setting: None

  • Connection Type: All

Server (Request Security)

The Server (Request Security) policy consists of three rules and can be used when a computer needs to be configured to accept unsecured traffic from other computers that are not IPSec-enabled. However, it will always check for secure communication and use it if the other computer is able to use IPSec. The policy settings for the three rules are shown in Table 10.3.

Table 10.3: Policy Settings for Server (Request Security) Rules

  Setting          First Rule                    Second Rule        Third Rule (Default Response Rule)
  IP Filter List   All IP Traffic                All ICMP Traffic   Dynamic
  Filter Action    Request Security (Optional)   Permit             Default Response
  Authentication   Kerberos                      N/A                Kerberos
  Tunnel Setting   None                          None               None
  Connection Type  All                           All                All

Secure Server (Require Security)

The Secure Server (Require Security) policy consists of three rules and can be used for computers that require high security. Filters used in this policy require all outbound communication to be secured. This allows only initial inbound communication requests to be unsecured. The policy settings for the three rules are as shown in Table 10.4.

Table 10.4: Policy Settings for Secure Server (Require Security) Rules

  Setting          First Rule          Second Rule        Third Rule (Default Response Rule)
  IP Filter List   All IP Traffic      All ICMP Traffic   Dynamic
  Filter Action    Require Security    Permit             Default Response
  Authentication   N/A                 Kerberos           Kerberos
  Tunnel Setting   None                None               None
  Connection Type  All                 All                All
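As an added example (not from the book), the following batch script builds a local policy equivalent to Secure Server (Require Security) in Table 10.4 using the netsh ipsec static commands introduced earlier, reviews it, exports a copy, and then assigns it. The policy, filter list and filter action names are my own lab choices, and the parameter syntax follows the Windows Server 2003 netsh ipsec static reference (check it with netsh ipsec static add rule /? on the target system).

```batch
@echo off
REM Added example (not from the book): a local policy equivalent to
REM Secure Server (Require Security) in Table 10.4, built with the
REM netsh ipsec static commands. Static commands only write the policy
REM store; nothing is enforced until the assign step at the end.
setlocal
set POLICY=Lab Secure Server (Require Security)

REM 1. The policy. activatedefaultrule=yes supplies the third rule of
REM    Table 10.4 (the default response rule, Kerberos authentication).
REM    assign=no keeps it inactive while it is being built and reviewed.
netsh ipsec static add policy name="%POLICY%" description="Added example: require IPSec for all IP traffic, permit ICMP" activatedefaultrule=yes assign=no

REM 2. Filter lists. mirrored=yes is the Mirrored check box: one entry
REM    yields both the outbound and the matching inbound filter.
netsh ipsec static add filterlist name="Lab All IP Traffic"
netsh ipsec static add filter filterlist="Lab All IP Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes description="All IP traffic to and from this computer"
netsh ipsec static add filterlist name="Lab All ICMP Traffic"
netsh ipsec static add filter filterlist="Lab All ICMP Traffic" srcaddr=me dstaddr=any protocol=ICMP mirrored=yes description="ICMP to and from this computer"

REM 3. Filter actions. inpass=no refuses unsecured inbound packets and
REM    soft=no refuses to fall back to clear text when the peer cannot
REM    negotiate, which is what makes this Require rather than Request
REM    Security. The security methods are left at their defaults.
netsh ipsec static add filteraction name="Lab Require Security" action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name="Lab Permit" action=permit

REM 4. Rules bind a filter list to a filter action within the policy.
REM    kerberos=yes is the Active Directory default authentication;
REM    the ICMP rule permits traffic, so it needs no authentication (N/A).
netsh ipsec static add rule name="Require security for all IP" policy="%POLICY%" filterlist="Lab All IP Traffic" filteraction="Lab Require Security" kerberos=yes conntype=all
netsh ipsec static add rule name="Permit ICMP" policy="%POLICY%" filterlist="Lab All ICMP Traffic" filteraction="Lab Permit" conntype=all

REM 5. Review, then keep a copy (the command-line form of Export Policies).
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static exportpolicy file="%TEMP%\lab-ipsec-policies.ipsec"

REM 6. Assign. From here every non-ICMP peer must negotiate IPSec, so do
REM    this on a lab machine you can reach at the console, and unassign
REM    (assign=no) before deleting anything.
netsh ipsec static set policy name="%POLICY%" assign=yes
endlocal
```

Changing the first filter action to inpass=yes soft=yes gives the Server (Request Security) behaviour of Table 10.3 instead: unsecured peers are accepted, but IPSec is used whenever the other computer can negotiate it.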

Test Day Tip

In order for Windows 2000 computers to use the 3DES algorithm, they must have the High Encryption Pack or Service Pack 2 or later installed. If a Windows 2000 computer receives a 3DES setting without having Service Pack 2 or the High Encryption Pack installed, the 3DES setting in the security method will be set to the weaker DES setting. Remember that DES is far less secure than 3DES, so this will not provide a level of security as high as when 3DES is supported.

Custom Policies

In addition to the default policies that can be implemented with the IP Security Policy Management MMC, you can also create your own custom policies for implementation by using the New IPSec Policy option in the IP Security Policy Management MMC.

To create your own custom policies with the IP Security Policy Management MMC, open the console and select the policy you wish to customize. See Exercise 10.02 for instructions on creating custom policies.

Exercise 10.02: Customizing an IPSec Security Policy

  1. Open the IP Security Policy Management console and click IP Security Policies.

  2. Locate the policy you wish to customize in the right pane and double-click it, or right-click it and select Properties.

  3. Click the Rules tab, locate the rule you wish to modify, and click Edit. Switch to the Filter Action tab and double-click the filter action that you want to modify.

  4. Next, switch to the Security Methods tab, and do one of the following:

    • To add a new security method, select the Add option.

    • To modify an existing security method, select the security method that you want to modify and click the Edit option.

    • To remove a security method, click the security method that you wish to delete and select the Remove option.

  5. To add or modify a security method, select the Security Method tab, choose the Custom option button, and then click Settings.

  6. Set the security method as follows, depending on your policy’s need for encryption:

    • Select the Data and address integrity without encryption (AH) check box if you need to provide data integrity for the packet’s IP header and the data. Then for Integrity algorithm, select either MD5 (which uses a 128-bit key) or SHA1 (which uses a 160-bit key).

    • If you need to provide both integrity and encryption for data confidentiality, select the Data integrity and encryption (ESP) check box. Then under Integrity algorithm, click None (for no data integrity; if you have AH enabled and for increased performance, you can choose this), MD5, or SHA1. Under Encryption algorithm, choose None, DES, or 3DES.

  7. You can also change the default session key lifetime settings, as follows:

    • You can set the number of kilobytes of data that is transferred before a new key is generated by choosing the Generate a new key every check box and typing in a value in kilobytes.

    • You can choose the Generate a new key every option to enter the number of seconds to elapse before a new session key is to be generated.


Test Day Tip

If you set the policy to use shorter key lifetime values, this will not increase the security level at which the data is protected. These short key lifetimes work by decreasing the amount of data that is revealed if an attacker discovers one encryption key.

Using the IP Security Policy Wizard

You can open the IP Security Policy Management console by clicking Start | Run and typing mmc, and then clicking OK. Select File | Add/Remove Snap-in, and then click Add, click IP Security Policy Management, and then click Add. For each computer scenario, you need to select a specific option. Table 10.5 shows the scenario and the specific snap-in you would need to use.

Table 10.5: IPSec Policy Management Scenarios

  Scenario                                                                   Snap-In to Choose
  Manage IPSec policy for local computer                                     Select the Local computer snap-in
  Manage IPSec policies for any domain members                               Select The Active Directory domain of which this computer is a member snap-in
  Manage IPSec policies for a domain that this computer is not a member of   Select the Another Active Directory domain snap-in
  Manage a remote computer                                                   Select the Another computer snap-in

After you’ve chosen the snap-in, you can close the management console by selecting Finish, choosing Close, and clicking the OK button. To save your console settings, select File | Save.

You can also access the IP Security Policy Management console from the Group Policy console. To do this, select Start | Administrative Tools | Active Directory Users and Computers and right-click the domain or OU for which you need to set Group Policy. (To open Active Directory Users and Computers utility, select Start | Control Panel | Administrative Tools | Active Directory Users and Computers.)

Note

To save console settings, on the File menu, click Save, and then type in a name for the console.

Creating an IPSec Policy with the IP Security Policy Wizard

To create your own IPSec policy using the IP Security Wizard, follow these steps:

  1. Open the IP Security Policy Management snap-in, right-click IP Security Policies in the left console pane, and then choose Create IP Security Policy from the context menu, as shown in Figure 10.10.

    Figure 10.10: Creating a Custom IPSec Policy

  2. The IP Security Policy Wizard Welcome window appears, as shown in Figure 10.11. Click the Next button.

    Figure 10.11: The IP Security Policy Wizard.

  3. The IP Security Policy Name window appears, prompting you to give your IPSec policy a name and description, as shown in Figure 10.12. You can choose to accept the default name (not recommended, as it’s not very descriptive), or you can enter a new name and description. Then click the Next button.

    Figure 10.12: Enter an IP Security Policy Name

  4. The next window allows you to specify how the policy will respond to requests, as shown in Figure 10.13. Accept the default (Activate the default response rule) or clear the check box, and then click the Next button.

    Figure 10.13: Specify How the Policy Will Respond to Secure Communication Requests

  5. The Default Rule Authentication Method window appears, as shown in Figure 10.14. Select a different authentication method or accept the default, Active Directory default (Kerberos V5 protocol), and then click Next.

    Figure 10.14: Select the Default Rule Authentication Method

    Note

    Nothing special is required to use Kerberos authentication. If you select to use a certificate for authentication, you will need a PKI implementation and you must specify the certification authority to issue the certificate. If you select to use a pre-shared key, you must enter a string of characters that is also known to the party with which you are communicating.

  6. The Completing the IP Security Policy Wizard window appears, as shown in Figure 10.15. You can choose to edit the properties of the policy (the default) or clear the check box if you do not wish to edit the properties at this time. Click Finish to complete the wizard. For this example, we will leave the Edit properties box selected.

    Figure 10.15: Completing the IP Security Policy Wizard

  7. When you select the option to edit properties, the New IP Security Policy Properties dialog box opens, as shown in Figure 10.16. This dialog box allows you to edit the IP security rules and change the general properties of the rule, such as the name and description. Click the Edit button in this dialog box.

    Figure 10.16: IP Security Policy Properties

  8. The Edit Rule Properties dialog box opens, as shown in Figure 10.17. Here, you can add, edit, or remove security methods; set the security methods that can be used when working with another machine; and select to use session key perfect forward secrecy (PFS). You can also arrange the order of precedence by using the Move up and Move down buttons to change a method’s position in the list. After making your selections, you can close the dialog box, or continue and select authentication methods. For this example, click the Authentication Methods tab.

    Figure 10.17: Edit the IP Security Policy Security Methods

  9. The Authentication Methods tab, shown in Figure 10.18, allows you to choose a trust method for communicating client computers. Click Add to add a method (again, your selections include using a certificate or a pre-shared key). You can change the order of precedence for these authentication methods in the same manner as described in Step 7. Click OK to close the dialog box.

    Figure 10.18: Edit the IP Security Policy Authentication Methods

  10. After the policy has been edited, you need to assign the policy. Before you assign the policy, make sure that you have the IPSec service started. To assign the policy, right-click the policy name in the right pane and select Assign, as shown in Figure 10.19.

    Figure 10.19: Assign the Newly Created IP Security Policy

    Note

    The policy must be assigned before it can be used, and the IPSec service must be started before you assign the policy.

    Exam Warning

    Ensure that you have the appropriate rights assigned to the account you will use to manage IPSec policies. To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory. To administer IPSec policies on a local or remote computer, you must be a member of the Administrators group on the local or remote computer.

Configuring & Implementing…
Perfect Forward Secrecy

You can use perfect forward secrecy (PFS) to force reauthentication and negotiation of a new master key any time a new session key is required. There are two types of PFS used in Microsoft’s IPSec implementation: master key PFS and session key PFS. Master key PFS should be used when it’s needed for interoperability. By default, it is disabled. One reason is that it requires a lot of resources on the domain controller to perform the reauthentications (assuming Kerberos is the authentication protocol). Session key PFS is not as resource-intensive. Reauthentication is not required. You can configure PFS separately for master and session keys.

PFS doesn’t determine when a new key is generated (as do key lifetimes). Instead, it is used to determine how new keys are generated, so that if one key is compromised, this won’t compromise the entire communication. With PFS enabled, additional keys cannot be created from the keying material used to generate a particular key.


Defining Key Exchange Settings

You can define key exchange settings that apply to IP security policy. Open the MMC containing the security policy, and follow these instructions for modifying the policy:

  1. Select the policy you wish to modify by double-clicking that policy.

  2. Select the General tab and click the Settings button.

  3. To force reauthentication and the negotiation of new master key keying material each time a new session key is required, click Master key perfect forward secrecy (PFS).

  4. To cause the reauthentication and new master key regeneration based on number of minutes, type in a value for Authenticate and generate a new key after every number minutes.

If you require a different setting, you can add a value in the Authenticate and generate a new key after every number sessions. This will set a maximum limit on the number of times a master key or its base keying material can be reused to generate the session key. When this limit is reached it will force a reauthentication with a new master key generation.

If you have enabled Master key perfect forward secrecy (PFS), the number of sessions is set to 1 by default and cannot be reconfigured. For special requirements on the master key exchange, select the methods and use master key PFS where it is required for interoperability. By default, this setting is disabled, which should be appropriate in most environments. If you set the session limit to 0, it will cause rekeys to be determined based only on time. If you work in a performance-based environment, keep in mind that if you enable master key PFS, it could affect performance because each quick mode will require a new main mode negotiation.
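The key exchange settings just described, together with the session key lifetimes and session key PFS from Exercise 10.02 and the sidebar, can also be set from the command line; the script below is an added example, not from the book. It assumes a policy and a filter action with the names shown already exist in the local store, and its parameter names follow the Windows Server 2003 netsh ipsec static reference.

```batch
@echo off
REM Added example (not from the book): the General > Settings key exchange
REM options, plus the session key lifetimes and session key PFS from
REM Exercise 10.02, written with netsh ipsec static. Assumes a policy and a
REM filter action with these names already exist in the local store.
setlocal
set POLICY=Lab Secure Server (Require Security)
set ACTION=Lab Require Security

REM Master key (main mode) settings on the policy.
REM   mmlifetime=480  "Authenticate and generate a new key after every 480 minutes"
REM   qmpersec=0      "...after every 0 sessions": no session limit, so the
REM                   master key is rekeyed on time alone
REM   mmpfs=no        master key PFS off (the default): quick modes reuse the
REM                   main mode SA instead of forcing reauthentication
REM   mmsecmethods    key exchange security methods in order of preference,
REM                   written encryption-integrity-Diffie-Hellman group
netsh ipsec static set policy name="%POLICY%" mmpfs=no mmlifetime=480 qmpersec=0 mmsecmethods="3DES-SHA1-2 3DES-MD5-2"

REM Session key (quick mode) settings live on the filter action.
REM   qmpfs=yes       session key PFS: a fresh Diffie-Hellman exchange per
REM                   session key, no reauthentication, so far cheaper than
REM                   master key PFS
REM   100000k/3600s   "Generate a new key every 100000 KB" and "every 3600
REM                   seconds", whichever comes first; a shorter lifetime
REM                   limits how much data one compromised key exposes
netsh ipsec static set filteraction name="%ACTION%" qmpfs=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s ESP[3DES,MD5]:100000k/3600s"

REM Only when interoperability requires it: master key PFS. Every quick mode
REM then needs a new main mode negotiation (the one-session limit described
REM above), with the extra domain controller load that Kerberos reauthentication
REM brings:
REM netsh ipsec static set policy name="%POLICY%" mmpfs=yes

REM Read back what was written.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static show filteraction name="%ACTION%" level=verbose
endlocal
```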

Managing Filter Lists and Filter Actions

To manage IP filter lists and filter actions, open the IP Security Policy Management MMC and select the policy you wish to modify by double-clicking that policy. In the Rules tab, select the rule you wish to modify that contains the IP filter and double-click it. Select the IP Filter List tab and double-click the IP filter that contains the filter list you want to configure. Then do one of the following:

  • Click Add to add a filter list.

  • Select an additional filter that needs modifying and select Edit.

  • To delete an existing filter, choose the filter and click the Remove button.

To edit or modify a filter in the IP Filter properties window, double-click the filter, choose the Addresses tab, and then select the Source Address drop-down box. Choose a source address as follows:

  • My IP Address Secures packets from all IP addresses on the computer.

  • Any IP Address Secures packets from any computer.

  • A specific DNS name Secures packets from the Domain Name System (DNS) name that you specify in Host name. This is available only when creating new filters.

  • A specific IP address Secures packets from only the IP address that you enter in IP address.

  • A specific IP subnet Secures packets from the IP subnet indicated by the IP address that you specified in IP address and the subnet mask that you specify in Subnet mask.

  • DNS Servers dynamic Secures packets from the DNS server that the computer is using. The filter is updated as needed, and it will automatically detect changes in the DNS server addresses.

  • WINS Servers dynamic Secures packets from the WINS server that the computer is using. The filter is updated as needed, and it will automatically detect changes in the WINS server addresses.

  • DHCP Server dynamic Secures packets from the DHCP server that the computer is using. The filter is updated as needed, and it will automatically detect changes in the DHCP server addresses.

  • Default Gateway dynamic Secures packets from the default gateway that the computer is using. The filter is updated as needed, and it will automatically detect changes in the default gateway server addresses.

Select the Destination Address and repeat the same steps for the destination address. Next, select the desired Mirrored setting, as follows:

  • To create two filters based on the filter settings, with one filter for traffic to the destination and one filter for traffic from the destination, select the Mirrored check box.

  • To create a single filter based on filter settings, uncheck the Mirrored box.

  • To create a filter for an IPSec tunnel, uncheck the Mirrored box and create two filter lists. The first filter list describes outbound traffic, and the other filter describes inbound traffic. Also, create two rules that use the inbound and outbound filter lists in the IP security policy.

    Note

    Mirrored IPSec filters are used to create two filters: one for traffic going to the destination and another filter for traffic coming from the destination computer.

Enter a description for the filter in the Description tab. To filter by a specific port or protocol, select Configure advanced filter settings on the Protocol tab.

When modifying IPSec rules, remember the following:

  • Outbound packets that do not match any filter are sent unsecured.

  • Inbound packets not matching any filters are allowed.

  • Filters are applied in order, with the most specific followed by least specific.

  • Filters are not applied in the order in which they appear in the filter list.

  • Only address-based filters are supported.

  • Protocol-specific filters are not supported.

  • Port-specific filters are not supported.

  • Tunnel filters should not be mirrored.

  • IKE security requests result in the source IP address of the request being used to find a matching filter.

  • IKE response is determined by the security action and tunnel settings that are associated with that particular filter.

  • Filters used in tunnel rules are matched first.

  • End-to-end transport filters are matched after tunnel rule filters have been matched.
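The address choices, the Mirrored setting, and the rule that tunnel filters are never mirrored, as an added example written with netsh ipsec static add filter (this is not the book's own code). The filter list names, the 192.0.2.0/24 and 10.x subnets, and the host name backup01.lab.example are constructed lab values; srcaddr/dstaddr keywords (me, any, dns, wins, dhcp, gateway, an address, or a DNS name) follow the Windows Server 2003 netsh ipsec reference.

```batch
@echo off
REM Added example (not from the book): the source/destination address
REM choices and the Mirrored setting described above, written with
REM netsh ipsec static add filter. List names, the 192.0.2.0/24 and
REM 10.x subnets and the host name are constructed lab values.
setlocal
set FL=Lab Web Server Filters
netsh ipsec static add filterlist name="%FL%" description="Added example filter list"

REM "A specific IP subnet" -> "My IP Address", TCP port 80 only. The
REM Protocol tab's advanced settings become protocol= and dstport=.
REM mirrored=yes also creates the filter for the replies.
netsh ipsec static add filter filterlist="%FL%" srcaddr=192.0.2.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP dstport=80 mirrored=yes description="HTTP from the client subnet"

REM "My IP Address" -> "DNS Servers <dynamic>": dstaddr=dns tracks the
REM computer's current DNS server list (wins, dhcp and gateway work the
REM same way), so the filter survives a DNS server change.
netsh ipsec static add filter filterlist="%FL%" srcaddr=me dstaddr=dns protocol=UDP dstport=53 mirrored=yes description="DNS queries to the configured DNS servers"

REM "A specific DNS name": resolved once, when the filter is created.
netsh ipsec static add filter filterlist="%FL%" srcaddr=me dstaddr=backup01.lab.example protocol=ANY mirrored=yes description="All traffic to the backup server by name"

REM Tunnel filters are never mirrored: one list per direction, each with
REM only the traffic it describes, and later one rule per list whose
REM tunnel= endpoint is the gateway that terminates that direction.
netsh ipsec static add filterlist name="Lab Tunnel Outbound"
netsh ipsec static add filter filterlist="Lab Tunnel Outbound" srcaddr=10.1.0.0 srcmask=255.255.0.0 dstaddr=10.2.0.0 dstmask=255.255.0.0 protocol=ANY mirrored=no description="Site A to site B"
netsh ipsec static add filterlist name="Lab Tunnel Inbound"
netsh ipsec static add filter filterlist="Lab Tunnel Inbound" srcaddr=10.2.0.0 srcmask=255.255.0.0 dstaddr=10.1.0.0 dstmask=255.255.0.0 protocol=ANY mirrored=no description="Site B to site A"

REM Read the lists back. The order displayed is not the match order: the
REM most specific filter wins, regardless of its position in the list.
netsh ipsec static show filterlist all level=verbose
endlocal
```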

Head of the Class...
Setting Up an IPSec Test Lab

You should set up an IPSec test lab with a server and a few client machines running the same operating system that your clients are using, so you can test IPSec policy configurations before deploying them on your production network. Use the lab to ensure that you can perform basic IPSec management tasks after you get the IPSec policies and filters set up.

Some of these tasks include the following:

  • Secure Web traffic

  • Secure ping

  • Communication with a fallback server

  • Communication with a secured server and communication with an IPSec/VPN connection

In a test lab, you can test and make changes to the environment without the possibility of causing a work stoppage on your live network. Be careful when rolling out IPSec, because misconfigured IPSec policies can shut down communications on your network.


Assigning and Applying Policies in Group Policy

Now we will take a look at how to assign or unassign IPSec policy in Group Policy for Active Directory. These settings will take effect the next time Group Policy is refreshed, and if a new policy is assigned over an existing policy, the current policy is automatically unassigned. Use the IP Security Policies on Active Directory within the Group Policy console to assign policies to apply to Active Directory objects. Follow these steps to assign or unassign IPSec policy in Group Policy for Active Directory-based Group Policy:

  1. Click Start | Administrative Tools | Active Directory Users and Computers and right-click the domain or OU for which you want to set Group Policy.

  2. Click Properties, and then click the Group Policy tab.

  3. Select the Group Policy Object (GPO) you wish to modify and choose Edit. Alternatively, select New to create a new GPO (and type a descriptive name for it), and then click Edit.

  4. From the Group Policy console tree in the left pane of the Group Policy Object Editor, under Computer Configuration, expand Windows Settings, and then expand Security Settings.

  5. Select IP Security Policies on Active Directory.

  6. In the right pane, click the IPSec policy that you want to assign or unassign. Click the Action menu (or right-click the policy), and then click Assign or Un-assign.

To assign or unassign a local computer policy, select Start | Run, type mmc, and click OK. Then choose File | Add/Remove Snap-in and click Add. Click the Group Policy Object Editor and click Add. Choose Finish, click Close, and then click OK.

Test Day Tip

When dealing with IPSec policies, ensure that you unassign the IPSec policy before you delete the GPO or Group Policy. This is because an IPSec policy can remain active even after the GPO or IPSec policy that it has been assigned to has been deleted. To prevent these types of problems, unassign the IPSec policy and then make sure the change is effective by waiting at least 24 hours. Then delete the GPO or IPSec policy.

Active Directory Based IPSec Policies

Any IPSec policy that is applied for the domain will take precedence over local IPSec policy that is located on the member computer. After the IPSec policy has been applied to one of the Active Directory Group Policy Objects, it will be broadcast to all of the computer accounts that are affected by that GPO. When you wish to apply an IPSec policy within your Active Directory network, remember the following guidelines:

  • OU IPSec policy assignments will take precedence over domain-level policies for members of that OU.

  • Although the entire list of IPSec policies is available to assign at any level in the Active Directory structure, only a single IPSec policy can be assigned at a specific level (site, domain, or OU) in Active Directory.

  • An IPSec policy that is assigned to the lowest level OU in the domain structure will override an IPSec policy that is assigned to a higher-level OU for computers that belong to that OU.

  • Unless a policy is blocked or unassigned, OUs will inherit the policies of their parent OUs.

  • IPSec policies from different OUs can never merge.

  • The highest possible level of the Active Directory structure should be used to assign policies. Just as with Group Policy assignment, an IPSec policy might remain active even after the GPO to which it was assigned has been deleted. Ensure that you unassign the policy before deleting the GPO. You should unassign the IPSec policy in the GPO, wait 24 hours, ensure that the change has taken effect, and then remove the GPO.

Group Policy has backup and restore tools that you can use to save policy information on assigned GPOs. These tools do not back up the IPSec policies. To back up and restore IPSec policies, use the Export Policies and Import Policies command in the IP Security Policy Management console. The Group Policy console will back up and restore only information pertaining to the IPSec policy assignments in relation to GPOs.

The IPSec Policy Agent on client computers running Windows XP Professional or a Windows Server 2003 operating system will poll Active Directory for updates to the assigned IPSec policy. This does not detect domain or OU changes or whether new IPSec policies have been assigned. The Winlogon service polls for these changes every 90 minutes. If a change has been made, the Winlogon service will notify the IPSec Policy Agent, and the IPSec policy changes will be applied.

Note

You cannot administer Active Directory-based IPSec policies from Windows XP Home Edition computers. Only Windows XP Professional Edition computers can be members of the domain.

Cached IPSec Policy

A copy of the currently assigned IPSec policy for a site, a domain, or an OU is cached in the local Registry of each computer to which it applies. If the computer that has the IPSec policy assigned cannot log on to the domain for any reason, the cached copy will be applied. The cached copy of the IPSec policy cannot be changed or managed.

Local Computer IPSec Policy

All Windows Server 2003 servers and Windows XP Professional computers have one local GPO called the local computer policy. With this local policy, Group Policy settings can be stored on individual computers, even when they are not Active Directory domain members. You can manage the local IPSec policy by using the IP Security Policy Management console. Alternatively, you can use the following netsh command at the prompt:

netsh ipsec static set store location=local 

If a computer on which you’ve applied local IPSec policies later joins an Active Directory domain that has IPSec policies applied, the domain policies will override the local IPSec policy.

IPSec Monitoring

It is important for network administrators to monitor IPSec settings and traffic on a regular basis after deploying IPSec. You can perform monitoring with the netsh command-line utility or with the IP Security Monitor MMC snap-in. In the following sections, we will look at each of these tools.

Using the netsh Utility for Monitoring

Earlier in the chapter, we discussed the use of the netsh command-line utility as equivalent to the IP Security Policy Management console. However, the netsh utility provides some features that are not available with the IP Security Policy Management console. These include the following:

  • IPSec diagnostics

  • Client computer startup security

  • Client computer startup traffic exemptions

  • Default traffic exemptions

  • Strong certificate revocation list (CRL) checking

  • IKE/Oakley logging

netsh Dynamic Mode Policy

If you want the IPSec rules you have configured to take effect without any wait time, you can use the netsh ipsec dynamic commands at the command prompt to add, modify, and assign IPSec policies immediately. Dynamic policies, as their name implies, are not saved; they will be lost if the IPSec service is stopped. However, not all dynamic policies take effect immediately. In some cases, you must restart the computer or the IPSec service first. If you need to make these changes permanent, you need to use the netsh ipsec dynamic set config command. This will ensure that the changes are not lost if the computer is restarted.
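The netsh-only features listed above (driver diagnostics, startup security, traffic exemptions, strong CRL checking, IKE logging) are all set through netsh ipsec dynamic set config, as in this added example (not from the book). The property names and values follow the Windows Server 2003 netsh ipsec dynamic reference and should be verified with netsh ipsec dynamic set config /? on the target machine; the service name PolicyAgent is the IPSEC Services service.

```batch
@echo off
REM Added example (not from the book): the netsh-only IPSec settings,
REM written with netsh ipsec dynamic set config. Unlike other dynamic
REM commands these settings are persistent, but the diagnostics and
REM logging ones only take effect once the IPSec service is restarted.

REM IPSec driver event logging: 0 disables it, 7 enables all driver
REM events (bad SPIs, dropped packets, clear-text packets), written to the
REM System event log every ipsecloginterval seconds.
netsh ipsec dynamic set config property=ipsecdiagnostics value=7
netsh ipsec dynamic set config property=ipsecloginterval value=60

REM IKE/Oakley logging to %systemroot%\Debug\Oakley.log (0 = off, 1 = on).
REM Useful for seeing why a main mode or quick mode negotiation fails.
netsh ipsec dynamic set config property=ikelogging value=1

REM Strong CRL checking, relevant only to certificate authentication:
REM 0 = no checking, 1 = fail only on an explicitly revoked certificate
REM (default), 2 = fail on any CRL retrieval or validation error.
netsh ipsec dynamic set config property=strongcrlcheck value=2

REM Default traffic exemptions: 3 exempts only IKE from IPSec filtering
REM (the Windows Server 2003 default). The Windows 2000 default, 0, also
REM exempted Kerberos, RSVP, broadcast and multicast traffic, which left
REM those protocols unprotected on any policy that did not filter them.
netsh ipsec dynamic set config property=ipsecexempt value=3

REM Startup (boot-time) security, applied while the IPSec service starts:
REM stateful allows outbound traffic and its replies, block drops all
REM other traffic, permit disables startup filtering.
netsh ipsec dynamic set config property=bootmode value=stateful

REM Show the resulting configuration, then restart the service so the
REM diagnostics and logging settings become active.
netsh ipsec dynamic show config
net stop policyagent & net start policyagent
```

Restarting the IPSec service drops any policy that was created with dynamic mode commands, so run this before, not after, building dynamic policies.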

Warning

Use of dynamic mode commands is recommended only for network administrators who understand IKE main and quick mode policies. You can cause problems by creating invalid IPSec policies with the dynamic mode commands if you do not have a good understanding of what you’re doing.

IPSec Diagnostics

You can run the netsh diag command with additional diagnostics switches at the command prompt. The following are the available diagnostics switches:

  • netsh diag connect Used to connect to mail, news, and proxy servers.

  • netsh diag dump Used to display a script that is used for configuration.

  • netsh diag show Used to show computer, operating system, network, news, mail, and proxy server information.

  • netsh diag gui Used to display diagnostics on a Web page. Once this command has been run, you can scan the computer for network diagnostics.

    Note

    Remember that you must type the netsh ipsec command at the command prompt, to enter the ipsec context, before typing any additional commands.

Here are two important things to remember when using the netsh utility:

  • If you stop the IPSec service when configuring a dynamic policy, you will lose the settings.

  • Use caution because some commands will require you to stop and restart the IPSec service.

Using the IP Security Monitor MMC Snap-in

Microsoft provides the IP Security Monitor MMC snap-in for monitoring IPSec activity. To use the IP Security Monitor, open the MMC and add the IP Security Monitor to the console. We will discuss the use of the IP Security Monitor in more detail in the next section, which covers troubleshooting IPSec.

Note

Unlike the netsh ipsec commands, which can be used only with Windows Server 2003 computers, you can use the IP Security Monitor to monitor IPSec activities on Windows XP computers as well as Windows Server 2003 systems. For computers running Windows 2000, however, you must use the ipsecmon command.

Troubleshooting IPSec

EXAM 70-293 OBJECTIVE 5.7

Troubleshooting is always a big part of any network administrator’s job. The following sections will cover how to troubleshoot your IPSec configuration. We include tables that will list specific tools and scenarios you can use to perform the troubleshooting tasks. The IP Security Monitor and the Network Monitor are important tools for troubleshooting IPSec problems, as are the IP Security Policy Management MMC and the netsh utility. An additional tool that is introduced in this section is the Network Diagnostics Tool, netdiag.exe.

Using netdiag for Troubleshooting Windows Server 2003 IPSec

The netdiag tool is available for the Windows Server 2003 family, Windows XP, and Windows 2000. However, it is obtained from a different location on each platform, as described below:

  • Windows Server 2003 family On the Windows Server 2003 installation CD, locate the Support/Tools folder and run the Suptools.msi installation package with the Complete option to install the tool.

  • Windows XP Professional On the Windows XP Professional installation CD, locate the Support/Tools folder and run the Setup.exe file with the Complete setup option to install the tool.

  • Windows 2000 Download the updated version of the tool from the Microsoft Web site.

start sidebar
New & Noteworthy...
Stateful Filtering

In the Windows Server 2003 version of IPSec, enhanced security is provided during computer startup by the stateful filtering feature. This filtering occurs during startup and allows only the following three types of traffic:

  • DHCP

  • Outbound traffic that the machine has initiated during startup

  • Inbound traffic that is sent in response to the allowed outbound traffic

Another option for enhanced security is to configure the computer to not allow any traffic before an IPSec policy has been applied. With any of these options, you can exempt specific types of traffic from filtering if you wish. The stateful filtering option can be configured only at the command prompt with the netsh utility. The command for performing this task is netsh ipsec dynamic set bootexemptions. After this command has been executed, you will need to restart the computer.

end sidebar

Viewing Policy Assignment Information

The Policy Assignment option allows you to view policy assignment and precedence. For troubleshooting, it is often important to be able to view IPSec policy assignments and determine the precedence in which policies are applied. Table 10.6 lists the tools to be used on the different Microsoft operating systems for viewing the IPSec policy name and the Group Policy object to which the IPSec policy is assigned.

Table 10.6: Viewing the IPSec Policy Precedence on Windows Server 2003 Family Machines

Windows Server 2003
  IPSec viewing tools: IP Security Monitor console, or the netsh command netsh ipsec static show gpoassignedpolicy
  IPSec policy assignment for Group Policies: Resultant Set of Policy (RSoP) console, or the netsh command netsh ipsec static show gpoassignedpolicy

Windows XP
  IPSec viewing tools: IP Security Policy Management console, for local IPSec policy viewing
  IPSec policy assignment for Group Policies: netdiag.exe command: netdiag /test:ipsec

Windows 2000
  IPSec viewing tools: netdiag.exe command: netdiag /test:ipsec. Alternatively, open the properties of the TCP/IP network connection and select Properties | Advanced | Options | IPSec; the assigned IPSec policy shown there is the global policy.
  IPSec policy assignment for Group Policies: netdiag.exe command: netdiag /test:ipsec; gpresult.exe (Group Policy Results); gpotool.exe (Group Policy Verification Tool). The last two can be downloaded from the Windows 2000 Server Resource Kit Web site.

Additionally, you can view all IPSec policies that are available by using the IP Security Policy Management console. Just because an IPSec policy is available, this does not mean that it has been assigned or applied to a computer. In the Windows Server 2003 family, you can determine the assigned (but not applied) policies on IPSec clients by using the RSoP console. RSoP is discussed in more detail later in this chapter, in the “Using RSoP for IPSec Planning” section.

Note

If you try to use the RSoP console in Windows XP Professional, it will not display the IPSec policies, and the gpresult /scope computer command will not display the GPO that contains the IPSec policy assignment. Use the netdiag /test:ipsec command to view the GPO to which the IPSec policy is assigned on Windows XP Professional or Windows 2000 Client machines. The Group Policy Tool, gpotool.exe, is used to monitor the health of GPOs on Windows 2000 domain controllers only.

Viewing IPSec Statistics

To view IPSec statistics and items such as filters and security associations, use the tools listed in Table 10.7. These tools work on Windows Server 2003, Windows 2000, and Windows XP Professional machines.

Table 10.7: Viewing IPSec Policy and IP Statistic Details

Windows Server 2003 family
  Group membership required: Administrators group on that server
  Tools: IP Security Monitor console, or the netsh command netsh ipsec dynamic show all

Windows XP Professional
  Group membership required: Administrators group on the local computer
  Tools: IP Security Monitor console, or the ipseccmd.exe command ipseccmd show all at the command prompt

Windows 2000
  Group membership required: Administrators group for the debug command. If you need to view Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory.
  Tools: netdiag.exe command netdiag /test:ipsec /v /debug, or ipsecmon.exe (displays outbound quick mode security associations)

To monitor IPSec policies on a remote computer that is running Windows XP or Windows Server 2003, you can use the Remote Desktop Connection (RDC) to connect to that computer and view its policies as if you were sitting at its desktop. You can do this from any computer that has the RDC client or the Windows 2000 Terminal Services client installed. You can connect remotely to a Windows 2000 server that is running Terminal Services in the same way. However, you cannot connect remotely to the desktop of a computer running Windows 2000 Professional or Windows 9x.

Using IP Security Monitor to View IPSec Information

For Windows Server 2003 and Windows XP, the IP Security Monitor is implemented as an MMC snap-in. This snap-in allows administrators to view details of the active IPSec policy, whether applied by the domain or locally, the main mode and quick mode statistics, and the active IPSec SAs. You can use the IP Security Monitor to search for the specific main mode or quick mode filters that match a given traffic type, which helps when troubleshooting complex IPSec policy configurations. To view IPSec information on computers running Windows 2000, use the ipsecmon.exe command from the Run prompt.

To access the IP Security Monitor on Windows Server 2003 and Windows XP clients, follow these steps:

  1. Select Start | Run, enter mmc, and click OK.

  2. In the console, select File | Add/Remove Snap-In.

  3. Click the Add button, scroll down and click the IP Security Monitor snap-in.

  4. Select Add, select the Close button, and click OK.

  5. You can now add the local computer or browse to a computer on the network by right-clicking the IP Security Monitor console and selecting the Add Computer option.

  6. When the computer has been added, you can view active policy information by double-clicking Active Policy.

  7. You can view main mode and quick mode statistics by double-clicking these options in the console.

    Exam Warning

    Only computers running Windows XP Professional or the Windows Server 2003 operating system can use the IP Security Monitor. When monitoring IPSec remotely, the computer being monitored must run the same version of the Windows operating system as the computer on which the IP Security Monitor console is running. For Windows 2000 clients, type ipsecmon at the command prompt to open the console.

Using Event Viewer to Troubleshoot IPSec

Event Viewer is a great troubleshooting tool to use to view IPSec information. However, most IPSec-related information will be contained in the Security log, which is not enabled by default. Verify that security auditing is enabled so security events will be entered in the Security log. For domains, use the Group Policy Editor. For local computers, use the Local Security Policy setting for this procedure. When enabling auditing for Windows Server 2003 machines, you can also turn on the auditing for the security policy database (SPD). Next, you need to edit the audit policy on your domain or local computer. Enable success or failure auditing for Audit logon events to allow Event Viewer to record this information.

After you have enabled security auditing and configured the audit policy, Event Viewer will record as separate events the following information:

  • Success or failure of each main mode negotiation

  • Success or failure of each quick mode negotiation

  • Establishment of each negotiation

  • Termination of each negotiation

Your Security log will fill up with IKE events, so you might wish to edit the Registry and disable auditing of IKE events by creating the DisableIKEAudits value.

Note

Remember to exercise extreme caution when editing the Registry. One misstep can render your system unbootable. It is always a good idea to back up the Registry before editing it.

To disable auditing of IKE events, perform the following steps:

  1. Open the Registry Editor by selecting Start | Run, typing regedit or regedt32, and clicking OK.

  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit.

  3. Right-click the Audit key, select New, and then choose DWORD Value.

  4. In the right pane, change the default name of the new value to DisableIKEAudits.

  5. Double-click the new value, or right-click and select Modify.

  6. In the Edit DWORD Value dialog box, under Value data, type 1. Then click the OK button and close the Registry Editor.

After this modification has been completed, you can stop and restart the IPSec service or restart the system to have the new Registry information read.

Using Packet Event Logging to Troubleshoot IPSec

You can enable packet event logging for the IPSec driver in Windows Server 2003, Windows XP Professional, and Windows 2000 Server by modifying the Registry. This will cause the System log to capture logging information on all dropped inbound and outbound packets. This information can be useful in troubleshooting IPSec problems.

To enable logging of inbound and outbound packets, perform the following steps:

  1. Open the Registry Editor by selecting Start | Run, typing regedit or regedt32, and clicking OK.

  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec.

  3. Right-click the IPSec key and select New, and then choose DWORD Value.

  4. In the right pane, change the default name of the new value to EnableDiagnostics.

  5. Double-click the new value, or right-click and select Modify.

  6. In the Edit DWORD Value dialog box, under Value data, type 7 and click the OK button.

  7. Close the Registry Editor.

After you’ve made this change, restart the computer.

You can also enable IPSec driver logging of dropped inbound and outbound packets by using the netsh command-line utility. From a command prompt window, issue the following command:

netsh ipsec dynamic set config ipsecdiagnostics 7

Next, restart the computer so that the settings will take effect.

By default, the IPSec driver will write to the System log on an hourly basis, or after the event threshold value has been met. For troubleshooting purposes, you can change this setting to an interval of 60 seconds. To change this setting, you can modify the Registry by creating the following DWORD value:

  1. Open the Registry Editor by selecting Start | Run, typing regedit or regedt32, and clicking OK.

  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec.

  3. Right-click the IPSec key and select New, and then select DWORD Value.

  4. In the right pane, change the default name of the new value to LogInterval.

  5. Double-click the new value, or right-click and select Modify.

  6. In the Edit DWORD Value dialog box, under Value data, type 60.

  7. Under Base, click the Decimal option button.

  8. Click the OK button.

  9. Close the Registry Editor.

After you’ve made this change, you can restart the system.

Again, you can use a netsh command to change this setting. Open the command prompt window and type the following command:

netsh ipsec dynamic set config ipsecloginterval 60

Then restart the computer so the changes can take effect.

Packet event logging is disabled by default. After you create the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec\EnableDiagnostics value as described earlier, you can control the logging level by editing the value. Table 10.8 lists the possible values that you can set. To disable logging altogether after the DWORD value has been created without deleting the value (if you will want to enable it again later), set the value to 0.

Table 10.8: Value Settings and Level of Logging

  Value  Logging performed
  1      Bad SPI, IKE negotiation failures, and invalid packet syntax are logged.
  2      Inbound per-packet drop events are recorded in the System log.
  3      Unexpected cleartext events are logged, plus level 1 and level 2 logging.
  4      Outbound per-packet drops are recorded.
  5      Level 1 and level 4 logging are performed.
  6      Level 2 and level 4 logging are performed.
  7      All logging is performed.

The value of 7 enables all logging, creating a great deal of information in the logs. Before you enable logging of this magnitude, realize that your system logs will fill up quickly. To prevent problems, do one or more of the following:

  • Set your system log size to at least 10MB.

  • Clear all events so the log is empty before you start logging.

  • Save the current log to a file.
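The following PowerShell script is an added example, not code from the book: it creates the EnableDiagnostics and LogInterval values described in the steps above, decodes Table 10.8 as the bit mask it is (levels 3, 5, 6 and 7 are sums of 1, 2 and 4), and applies the three System log precautions just listed. It assumes an elevated Windows PowerShell 2.0 or later session; the driver reads the values only after the restart the text calls for.

```powershell
# Added example: IPSec driver packet event logging (Windows Server 2003 / XP / 2000).
$IpsecKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'

# Bits reconstructed from Table 10.8; levels 3, 5, 6 and 7 are sums of these.
$LogBits = @{
    1 = 'Bad SPI, IKE negotiation failures, invalid packet syntax'
    2 = 'Inbound per-packet drops'
    4 = 'Outbound per-packet drops'
}

function ConvertFrom-IpsecDiagnosticsLevel {
    param([int]$Level)      # 0 = logging disabled without deleting the value
    if ($Level -lt 0 -or $Level -gt 7) { throw "EnableDiagnostics must be 0..7, got $Level" }
    $categories = @(foreach ($bit in 1, 2, 4) { if ($Level -band $bit) { $LogBits[$bit] } })
    if ($categories.Count -eq 0) { return @('Disabled') }
    return $categories
}

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force overwrites an existing value, so the same call edits the level later
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Set-IpsecDriverLogging {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateRange(0, 7)][int]$Level,
        [ValidateRange(1, 3600)][int]$IntervalSeconds = 3600   # default flush is hourly
    )
    if ($PSCmdlet.ShouldProcess($IpsecKey, "EnableDiagnostics=$Level, LogInterval=$IntervalSeconds")) {
        Set-RegistryDword -Path $IpsecKey -Name 'EnableDiagnostics' -Value $Level
        Set-RegistryDword -Path $IpsecKey -Name 'LogInterval'       -Value $IntervalSeconds
    }
    # Read back what is actually in the registry and say what it will log
    $now = Get-ItemProperty -Path $IpsecKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        EnableDiagnostics = $now.EnableDiagnostics
        Logs              = (ConvertFrom-IpsecDiagnosticsLevel $now.EnableDiagnostics) -join '; '
        LogIntervalSec    = $now.LogInterval
        RestartRequired   = $true
    } | Select-Object EnableDiagnostics, Logs, LogIntervalSec, RestartRequired
}

function Initialize-SystemLogForIpsecLogging {
    # The three precautions above, in a safe order: save, enlarge to 10 MB, then clear.
    param([string]$BackupCsv = (Join-Path $env:TEMP 'System-before-ipsec-logging.csv'))
    Get-EventLog -LogName System | Export-Csv -Path $BackupCsv -NoTypeInformation
    Limit-EventLog -LogName System -MaximumSize 10MB
    Clear-EventLog -LogName System
    return $BackupCsv
}

# Worked decode of every row in Table 10.8 (0 added for the "disabled" case)
foreach ($v in 0..7) { '{0}: {1}' -f $v, ((ConvertFrom-IpsecDiagnosticsLevel $v) -join ' + ') }

# Full logging flushed every 60 seconds, as in the troubleshooting steps above.
# Add -WhatIf to preview the registry change without making it.
# Initialize-SystemLogForIpsecLogging
# Set-IpsecDriverLogging -Level 7 -IntervalSeconds 60
```

Remember to set the level back to 0 (or remove the value) when the investigation is over; level 7 fills the System log quickly.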

Using IKE Detailed Tracing to Troubleshoot IPSec

Enabling audit logging for IKE events and viewing the events in Event Viewer provide the fastest and simplest way to troubleshoot failed main mode or quick mode negotiations. If you need a more detailed analysis of these negotiations, you can enable tracing for IKE negotiations. This is an extremely detailed log intended for troubleshooting IKE interoperability under controlled circumstances. Before you try to decipher the log, you will need to have expert-level knowledge of RFCs 2408 (defining ISAKMP) and 2409 (defining IKE).

The IKE tracing log is 50,000 lines long and will overwrite if necessary. This log is located in the systemroot\Debug\Oakley.log file. Each time the IPSec service is started, the previous version of the file is renamed Oakley.log.sav, and a new Oakley.log file is created. If the Oakley.log file becomes full before the IPSec service is started, the full log will be named Oakley.log.bak, and a new Oakley.log file will be created.

You might wish to minimize the number of negotiations, because many of them can occur at the same time, and fewer negotiations make the log file easier to read. See Table 10.9 for scenarios and explanations regarding the IKE tracing log. The Oakley key does not exist by default in the Registry tree shown in the table. To use these settings, you must first create a new key named Oakley, and then create the EnableLogging DWORD value within that key.

Table 10.9: IKE Tracing Log Scenarios

Enable, Windows Server 2003
  Registry setting to enable IKE tracing: N/A
  netsh command to enable the IKE tracing log: (not given in the original table)
  IPSec service status: Remain started

Disable, Windows Server 2003
  Registry setting to enable IKE tracing: N/A
  netsh command to enable the IKE tracing log: (not given in the original table)
  IPSec service status: Remain started

Enable, Windows XP Professional
  Registry setting to enable IKE tracing: set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging DWORD value to 1
  netsh command to enable the IKE tracing log: N/A
  IPSec service status: Stop and restart the IPSec service by using net stop policyagent and net start policyagent at the command prompt

Disable, Windows XP Professional
  Registry setting to enable IKE tracing: set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging DWORD value to 0
  netsh command to enable the IKE tracing log: N/A
  IPSec service status: Stop and restart the IPSec service by using net stop policyagent and net start policyagent at the command prompt

Enable, Windows 2000
  Registry setting to enable IKE tracing: set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging DWORD value to 1
  netsh command to enable the IKE tracing log: N/A
  IPSec service status: Stop and restart the IPSec service by using net stop policyagent and net start policyagent at the command prompt

Disable, Windows 2000
  Registry setting to enable IKE tracing: set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging DWORD value to 0
  netsh command to enable the IKE tracing log: N/A
  IPSec service status: Stop and restart the IPSec service by using net stop policyagent and net start policyagent at the command prompt
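As an added example (not from the book), the following PowerShell script applies the Windows XP Professional rows of Table 10.9: it creates the Oakley key and EnableLogging value, restarts the IPSec Policy Agent the way the table requires, and reports the Oakley.log rotation state described above. It assumes an elevated Windows PowerShell 2.0 or later session; the same registry value applies to Windows 2000 per the table, but that platform has no PowerShell.

```powershell
# Added example: IKE tracing log on/off and Oakley.log rotation check.
$OakleyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'
$DebugDir  = Join-Path $env:SystemRoot 'Debug'
$LineLimit = 50000   # the book's stated size of the trace file

function Set-IkeTracing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    $value = if ($Enabled) { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$OakleyKey\EnableLogging", "set to $value and restart PolicyAgent")) {
        # The Oakley key is not present until you create it (see the text above)
        if (-not (Test-Path $OakleyKey)) { New-Item -Path $OakleyKey -Force | Out-Null }
        New-ItemProperty -Path $OakleyKey -Name 'EnableLogging' -Value $value -PropertyType DWord -Force | Out-Null
        # Same effect as "net stop policyagent" followed by "net start policyagent"
        Restart-Service -Name PolicyAgent -Force
    }
}

function Get-OakleyLogState {
    # Oakley.log      current trace, capped at $LineLimit lines
    # Oakley.log.sav  previous trace, renamed when the IPSec service starts
    # Oakley.log.bak  a trace that filled up before the service was restarted
    foreach ($name in 'Oakley.log', 'Oakley.log.sav', 'Oakley.log.bak') {
        $path  = Join-Path $DebugDir $name
        $item  = Get-Item -Path $path -ErrorAction SilentlyContinue
        $lines = if ($item) { @(Get-Content -Path $path).Count } else { 0 }
        New-Object PSObject -Property @{
            File           = $name
            Exists         = [bool]$item
            Lines          = $lines
            PercentOfLimit = [math]::Round(100 * $lines / $LineLimit, 1)
            LastWrite      = if ($item) { $item.LastWriteTime } else { $null }
        } | Select-Object File, Exists, Lines, PercentOfLimit, LastWrite
    }
}

# Typical session: trace one failing negotiation, then switch tracing off again.
# Set-IkeTracing -Enabled $true
# ... reproduce the failed main mode or quick mode negotiation ...
# Set-IkeTracing -Enabled $false
# Get-OakleyLogState | Format-Table -AutoSize
```

Because each service restart renames the current file to Oakley.log.sav, copy the trace elsewhere before the next restart if you need to keep it.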

Using the Network Monitor to Troubleshoot IPSec

The Windows Server 2003 Network Monitor is a protocol analyzer (also called a packet sniffer) that Microsoft includes with its server operating systems.

Note

The version of Network Monitor that is built into Windows can be used to view IPSec traffic only on the computer on which you are running the Network Monitor utility. If you need to view network traffic on other computers, you can use the version of Network Monitor that is included in Microsoft’s Systems Management Server (SMS), which allows you to place the computer’s NIC in promiscuous mode so that it will capture traffic on the network that is not sent to or from the local computer.

The Network Monitor includes parsers for the AH, ESP, and ISAKMP (IKE) IPSec protocols. However, the Network Monitor cannot parse the encrypted portions of IPSec-secured ESP traffic when encryption is software-based. If you are using encryption on a hardware offload network adapter, ESP packets are decrypted when the Network Monitor captures them and therefore can be parsed and interpreted into the upper-layer protocols. The following types of traffic should be exempt from filtering:

  • Broadcast

  • Multicast

  • IKE

  • Kerberos

  • RSVP

On Windows XP and Windows 2000, IPSec exempts all multicast, broadcast, RSVP, Kerberos, and IKE traffic by default. The Windows Server 2003 family exempts only IKE traffic from filtering by default. Filter actions (such as block or permit) can be configured for broadcast and multicast traffic, but SAs will not be negotiated for that traffic. If you wish to change the filtering behavior on your Windows Server 2003 machines to match the default behavior on Windows 2000/XP machines (that is, to exempt multicast, broadcast, RSVP, and Kerberos traffic, along with IKE), you can use the following netsh command at the prompt on the Windows Server 2003 machine:

netsh ipsec dynamic set config ipsecexempt 0 

After issuing this command, you will need to reboot the computer for the changes to take effect.

Note

To display monitoring information such as policy settings and statistics on Windows XP machines, use ipseccmd.exe with the show all command.

By design, Windows 2000 and Windows XP default exemption settings for IPSec are configured for low-risk environments, such as corporate LANs, because the risk of attack is minimal. The Windows 2000 and Windows XP default exemption settings should be used in only low-risk environments and be applied only when necessary for troubleshooting purposes.

To exempt all multicast, broadcast, RSVP, Kerberos, and IKE traffic from IPSec filtering, you need to edit the Registry to create a DWORD value called NoDefaultExempt in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC Registry key and set its value to 0. Follow the instructions given previously for creating new DWORD values.

Disabling TCP/IP and IPSec Hardware Acceleration to Solve IPSec Problems

IPSec offload is a process by which some network adapters can do the processing for the mathematical calculations involved in encrypting IPSec data and TCP checksums. This speeds up, or accelerates, the process because it is being handled by a chip on the network interface card (NIC) instead of by the operating system software. NICs that are capable of offloading IPSec cryptographic functions can also perform a large-send offload, which is the processing of very large TCP segments for accelerated transmissions. If a Plug and Play NIC has this capability, its driver can make an advertisement to IPSec and TCP/IP. This results in the protocols passing these tasks to the NIC driver.

Although hardware acceleration speeds up processing, it can sometimes cause problems with packet processing. Exercise 10.03 walks you through the steps of disabling hardware offload functions.

Exercise 10.03: Disabling Hardware Offload Functions

start example

Before you begin to test your network adapter, verify that you have the latest software drivers for the adapter. To disable TCP/IP hardware acceleration, follow these steps:

  1. Open the Registry Editor by selecting Start | Run, typing regedit or regedt32, and clicking OK.

  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters.

  3. Right-click the Parameters key, select New, and choose DWORD Value.

  4. In the right pane, change the default name of the new value to DisableTaskOffload.

  5. Double-click the new value, or right-click and select Modify.

  6. In the Edit DWORD Value dialog box, under Value data, type 1 and click the OK button.

  7. Close the Registry Editor.

    To disable IPSec hardware acceleration, follow these steps:

  8. Open the Registry Editor by selecting Start | Run, typing regedit or regedt32, and clicking OK.

  9. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec.

  10. Right-click the IPSec key, select New, and then choose DWORD Value.

  11. In the right pane, change the default name of the new value to EnableOffload.

  12. Double-click the new value, or right-click and select Modify.

  13. In the Edit DWORD Value dialog box, under Value data, type 0 and click the OK button.

  14. Close the Registry Editor.

    After making these modifications, you will need to restart the computer.

end example
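Every troubleshooting procedure in this section leaves a Registry value behind (DisableIKEAudits, EnableDiagnostics, LogInterval, NoDefaultExempt, EnableLogging, DisableTaskOffload, EnableOffload). The following PowerShell script, an added example rather than code from the book, inventories those values on the local machine and flags the ones that reduce visibility, flood the System log, or widen the traffic IPSec does not filter, so they can be reverted once the problem is solved. It assumes an elevated Windows PowerShell 2.0 or later session; the flag conditions are taken from the meanings given in this chapter.

```powershell
# Added example: find and revert troubleshooting values left over from this chapter.
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'; Name = 'DisableIKEAudits'
       Flag = { param($v) $v -eq 1 };    Impact = 'IKE events no longer recorded in the Security log' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'; Name = 'EnableDiagnostics'
       Flag = { param($v) $v -gt 0 };    Impact = 'driver packet event logging on; System log fills quickly' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'; Name = 'LogInterval'
       Flag = { param($v) $v -lt 3600 }; Impact = 'driver flushes to the System log more often than hourly' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'; Name = 'NoDefaultExempt'
       Flag = { param($v) $v -eq 0 };    Impact = 'multicast, broadcast, RSVP and Kerberos bypass IPSec filtering' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'; Name = 'EnableLogging'
       Flag = { param($v) $v -eq 1 };    Impact = 'IKE tracing still writing to Oakley.log' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'DisableTaskOffload'
       Flag = { param($v) $v -eq 1 };    Impact = 'TCP/IP hardware acceleration disabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'; Name = 'EnableOffload'
       Flag = { param($v) $v -eq 0 };    Impact = 'IPSec hardware acceleration disabled' }
)

function Get-IpsecTroubleshootingState {
    foreach ($c in $Checks) {
        $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $value = $null                                   # $null = value absent (shipped behaviour)
        if ($props -and $props.PSObject.Properties[$c.Name]) { $value = [int]$props.($c.Name) }
        New-Object PSObject -Property @{
            Key     = $c.Path
            Name    = $c.Name
            Value   = $value
            Flagged = ($value -ne $null) -and (& $c.Flag $value)
            Impact  = $c.Impact
        } | Select-Object Name, Value, Flagged, Impact, Key
    }
}

function Remove-IpsecTroubleshootingValues {
    # Deletes every flagged value. A reboot (or IPSec service restart for the
    # audit value) is still needed afterwards, just as when the values were created.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($s in @(Get-IpsecTroubleshootingState | Where-Object { $_.Flagged })) {
        if ($PSCmdlet.ShouldProcess("$($s.Key)\$($s.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $s.Key -Name $s.Name
        }
    }
}

Get-IpsecTroubleshootingState | Format-Table Name, Value, Flagged, Impact -AutoSize
# Remove-IpsecTroubleshootingValues -WhatIf   # preview first, then run without -WhatIf
```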




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173
