
Module 10: Monitoring and Troubleshooting IPsec
Module Overview
• Monitoring IPsec Activity
• Troubleshooting IPsec
Lesson 1: Monitoring IPsec Activity
• Tools Used to Monitor IPsec
• Using IP Security Monitor to Monitor IPsec
• Using Windows Firewall with Advanced Security to Monitor IPsec
• Demonstration: Monitoring IPsec
Tools Used to Monitor IPsec

Tool: IP Security Monitor
Key points:
• Used in Windows XP and higher
• MMC snap-in
• Administrators can monitor local and remote IPsec policy usage

Tool: IPsecmon
Key points:
• Only available in Windows 2000
• Command-line tool
• Reduced level of information available for troubleshooting

Tool: Windows Firewall with Advanced Security MMC
Key points:
• New in Windows Vista and Windows Server 2008

Tool: Detailed IKE tracing using Netsh
Key points:
• Trace file found in: systemroot\debug\oakley.log
• Enabled in Windows XP and Windows 2000 through Registry modification
Using IP Security Monitor to Monitor IPsec

Options for using the IP Security Monitor:

• Modify the IPsec data refresh interval to update information in the console at a set interval
• Allow DNS name resolution for IP addresses to provide additional information about computers connecting with IPsec
• Computers can be monitored remotely:
  • To enable remote management editing, the HKLM\system\currentcontrolset\services\policyagent key must have a value of 1
• To discover the active security policy on a computer, examine the Active Policy node in the IP Security Monitor MMC
• Main Mode monitoring monitors the initial IKE exchange and SA:
  • Information about the Internet Key Exchange
• Quick Mode monitoring monitors subsequent key exchanges related to IPsec:
  • Information about the IPsec driver
Using Windows Firewall with Advanced Security to Monitor IPsec

The Windows Firewall in Windows Vista and Windows Server 2008 incorporates IPsec

• Use the Connection Security Rules and Security Associations nodes to monitor IPsec connections
• The Connection Security Rules and Security Associations nodes will not monitor policies defined in the IP Security Policy snap-in
• Items that can be monitored include:
  • Security Associations
  • Main Mode
  • Quick Mode
Demonstration: Monitoring IPsec
In this demonstration, you will see how to:
• Establish and monitor an IPsec connection
• Monitor an IPsec connection using the Windows Firewall with Advanced Security MMC
Lesson 2: Troubleshooting IPsec
• IPsec Troubleshooting Process
• Troubleshooting IKE
• Troubleshooting IKE Negotiation Events

IPsec Troubleshooting Process

1. Stop the IPsec Policy Agent and use the ping command to verify communications
2. Verify firewall settings
3. Start the IPsec Policy Agent and use IP Security Monitor to determine if a security association exists
4. Verify that the policies are assigned
5. Review the policies and ensure they are compatible
6. Use IP Security Monitor to ensure that any changes are applied
Troubleshooting IKE

• Identify connectivity issues related to IPsec and IKE
• Identify firewall and port issues
• View the Oakley.log file for potential issues
• Determine Main Mode exchange issues

Troubleshooting IKE Negotiation Events

Common Security Event log codes:

• Success:
  • 541 - IKE Main Mode or Quick Mode established
  • 542 - IKE Quick Mode was deleted
  • 543 - IKE Main Mode was deleted
• Information log entries:
  • Largely pertain to monitoring for denial of service attacks
  • There might not be any errors, but resources will run low, which affects performance for legitimate clients
  • Quick Mode audit failures are logged with event ID 547
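As an added example (not part of the course material), the script below shows how the event IDs on this slide can be reviewed in bulk: it counts the 541/542/543 SA lifecycle events and flags any peer that produces repeated 547 Quick Mode failures, the resource-exhaustion pattern the slide warns about. The tab-separated export format and the sample events are constructed for this example and are not a Windows Security log export format.

```python
import re
from collections import Counter

# Event IDs from the slide (Security log numbering used by Windows XP / Server 2003).
IKE_EVENTS = {
    541: "IKE Main Mode or Quick Mode established",
    542: "IKE Quick Mode was deleted",
    543: "IKE Main Mode was deleted",
    547: "IKE Quick Mode negotiation failure (audit failure)",
}

# Constructed sample export: time <TAB> event ID <TAB> peer IP.
# The column layout is an assumption for this example, not a real export format.
SAMPLE_EXPORT = """\
2008-03-01 09:00:01\t541\t10.10.0.20
2008-03-01 09:00:05\t547\t10.10.0.77
2008-03-01 09:00:06\t547\t10.10.0.77
2008-03-01 09:00:07\t547\t10.10.0.77
2008-03-01 09:00:08\t547\t10.10.0.77
2008-03-01 09:02:30\t542\t10.10.0.20
2008-03-01 09:02:31\t543\t10.10.0.20
2008-03-01 09:03:00\t4624\t10.10.0.20
"""

LINE_RE = re.compile(r"^(?P<time>\S+ \S+)\t(?P<id>\d+)\t(?P<peer>\S+)$")

def parse_export(text):
    """Return (event_id, peer) tuples for the IKE-related events only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        event_id = int(m.group("id"))
        if event_id in IKE_EVENTS:  # unrelated IDs such as 4624 are ignored
            events.append((event_id, m.group("peer")))
    return events

def summarize(events):
    """Count each IKE event ID so establish/delete activity can be compared."""
    return Counter(eid for eid, _ in events)

def quick_mode_failure_peers(events, threshold=3):
    """Peers whose repeated 547 failures may be starving legitimate clients of IKE resources."""
    per_peer = Counter(peer for eid, peer in events if eid == 547)
    return {peer: n for peer, n in per_peer.items() if n >= threshold}

if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    for eid, n in sorted(summarize(evts).items()):
        print(f"{eid} {IKE_EVENTS[eid]}: {n}")
    for peer, n in quick_mode_failure_peers(evts).items():
        print(f"WARNING: {n} Quick Mode failures from {peer}")
```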
Lab: Monitoring and Troubleshooting IPsec
• Exercise 1: Monitoring IPsec Connectivity
• Exercise 2: Configuring Connection Security
• Exercise 3: Troubleshooting IPsec

Logon information
Virtual machines: 6421A-NYC-DC1 and 6421A-NYC-SVR1
User name: Administrator
Password: Pa$$w0rd

Estimated time: 30 minutes


Lab Review
• Why did the IPsec policy need to be exported from NYC-DC1 to NYC-SVR1?
• When implementing IPsec using certificates, what additional type of infrastructure is required to generate certificates?
Module Review and Takeaways
• Review Questions
• Best Practices