Monitoring IPsec

Applies To: Windows 7, Windows Server 2008 R2

You can use the IP Security Monitor snap-in to view and monitor IPsec-related statistics and the IPsec policy applied to this computer and other computers. This information can help you troubleshoot IPsec and test the policies you are creating. To change the IPsec policies, use the IP Security Policies snap-in.

If you create a policy using the Windows Firewall with Advanced Security snap-in, you cannot use the IP Security Monitor snap-in to view these rules. You must use the Monitoring item of the Windows Firewall with Advanced Security snap-in.

Note

The IP Security Monitor snap-in can be used to monitor IPsec only on computers running Windows XP and later. To monitor IPsec on a computer running Windows 2000, use the ipsecmon command.
The IP Security Policy snap-in can be used to create IPsec policies that can be applied to computers running Windows Vista®, Windows Server® 2008, and later versions of Windows, but this snap-in does not use the new security algorithms and other new features available in those later versions. To create IPsec policies using the newer algorithms, use the Windows Firewall with Advanced Security snap-in. The Windows Firewall with Advanced Security snap-in does not create policies that can be applied to earlier versions of Windows.

Monitoring tasks

This is a brief list of the most common tasks you might perform using the IP Security Monitor snap-in:

Adding a computer

Before you can monitor IPsec on a remote computer, you must first add the computer to the snap-in. You must have administrator-level access to the remote computer to add it and monitor IPsec.

To add a computer to the IP Security Monitor snap-in

  1. In the console tree, right-click IP Security Monitor, and then click Add computer.

  2. In the Add Computer dialog box, click The following computer, and then type the name of the remote computer. Or, click Browse to find it on the network.

Note

If the IPsec services are not started on the computer that is being monitored, the server icon is displayed as a stopped service. To refresh the IP Security Monitor after the IPsec services on that computer have been restarted, right-click the computer, and then click Reconnect.
On computers running Windows Server 2003 and later, you must set the EnableRemoteMgmt registry value to 1 on the remote computer and restart the IPsec service. Otherwise, the snap-in reports an "IPsec service not running" error. The value is located under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent.
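The following PowerShell script is an added example, not code from this documentation page or from Microsoft. It performs the prerequisite described in the note: it reads the EnableRemoteMgmt value under the PolicyAgent key, sets it to 1 if needed, and restarts the IPsec service, and it includes a check that a monitoring station can run to see whether the IPsec service is running on a remote target. It assumes an elevated PowerShell session on the computer being configured, and that "PolicyAgent" is the service name of the IPsec Policy Agent service; the computer name in the usage comment is a placeholder.

```powershell
# Added example (not from the documentation page). Enables remote management
# of the IPsec Policy Agent so the IP Security Monitor snap-in can connect,
# and checks the service state on a remote target from the monitoring station.
# Assumptions: elevated session; "PolicyAgent" is the IPsec service name.

$policyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName      = 'EnableRemoteMgmt'

function Get-IpsecRemoteMgmt {
    # Returns 1 if remote management is enabled, 0 if disabled, $null if the
    # value has never been created.
    $props = Get-ItemProperty -Path $policyAgentKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$valueName
}

function Enable-IpsecRemoteMgmt {
    # Sets EnableRemoteMgmt to 1 (creating the value if necessary) and restarts
    # the IPsec service so the change takes effect. No-op if already enabled.
    if ((Get-IpsecRemoteMgmt) -eq 1) {
        Write-Output 'EnableRemoteMgmt is already 1; no change made.'
        return
    }
    New-ItemProperty -Path $policyAgentKey -Name $valueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
    Restart-Service -Name PolicyAgent
    $status = (Get-Service -Name PolicyAgent).Status
    Write-Output ('EnableRemoteMgmt set to 1; PolicyAgent service is now {0}.' -f $status)
}

function Test-IpsecMonitorTarget {
    # Run on the monitoring station. A target whose IPsec service is stopped is
    # shown by the snap-in with a stopped-service icon; this reports the same
    # condition, plus the error text if the computer cannot be reached at all.
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name PolicyAgent -ErrorAction Stop
        New-Object PSObject -Property @{ Computer = $ComputerName; Status = $svc.Status; Error = $null }
    } catch {
        New-Object PSObject -Property @{ Computer = $ComputerName; Status = 'Unknown'; Error = $_.Exception.Message }
    }
}

# Usage (the computer name is a placeholder):
# Enable-IpsecRemoteMgmt
# Test-IpsecMonitorTarget -ComputerName 'SERVER01' | Format-List
```

Get-Service -ComputerName needs the same administrator-level access to the remote computer that the snap-in itself requires, so a failure here usually points at permissions or firewall rules rather than at the IPsec configuration.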

Finding a specific filter

There are two ways to find information about a specific filter, which can be helpful during troubleshooting: you can sort the Specific Filters view and browse to the filter, or you can search for the filter in the Specific Filter folder of either Main Mode or Quick Mode.

To find a filter in the filter list by browsing

  1. In the Specific Filter folder of either the Main Mode or Quick Mode folders, click the column heading for the property that you want to browse. If you click the column heading again, the list will be sorted in reverse order.

  2. Browse through the list to find the filter.

To find a specific filter by searching

  1. Under either the Main Mode or Quick Mode folder, right-click the Specific Filter folder, and then click Find Matching Filters.

  2. In the Find Matching Filters dialog box, select the criteria you want to search for, and then click Search.

Note

The Find the best match only option returns a single result, the filter that best matches the criteria. If you do not see the filter you were searching for, try the search again using the Find all matches option. The source and destination choice Any does not match every source or destination. Instead, it finds filters whose source or destination is listed as "Any" in the Specific Filter list view.

Looking for signs of possible attacks

The statistics collected and displayed by the IP Security Monitor snap-in can be useful when looking for possible attacks against this computer or other computers you have added to the snap-in. This information is located in the Statistics folders of both the Main Mode and Quick Mode folders. For more information about the statistics available, see Monitoring Main Mode or Monitoring Quick Mode.
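As an added example, not code from the documentation page, the script below applies the same idea from the command line: it takes two snapshots of the IKE and IPsec counters, computes which counters increased between them, and flags the ones on a watch list. A failure counter that climbs steadily while the number of legitimate peers is unchanged is the kind of signal the Statistics folders are meant to surface. It assumes that "netsh ipsec dynamic show stats" is available on the monitored computer and prints one "Counter name : value" line per counter; the counter names in the watch list and the two sample snapshots are constructed for illustration and should be matched against the names your version of Windows actually displays.

```powershell
# Added example (not from the documentation page). Snapshot-and-diff of the
# IKE/IPsec counters to spot failure counters that keep rising.
# Assumption: "netsh ipsec dynamic show stats" prints "Name : number" lines.
param([switch]$Live, [int]$IntervalSeconds = 60)

function ConvertFrom-IpsecStats {
    # Parses "Counter name : value" lines into a hashtable; ignores headings
    # and separator lines, which carry no colon-separated number.
    param([string[]]$Lines)
    $stats = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<name>[^:]+?)\s*:\s*(?<value>\d+)\s*$') {
            $stats[$Matches.name] = [int64]$Matches.value
        }
    }
    return $stats
}

function Compare-IpsecStats {
    # Returns one object per counter that increased, watched counters first.
    param([hashtable]$Before, [hashtable]$After, [string[]]$WatchList)
    $deltas = @()
    foreach ($name in $After.Keys) {
        $old = 0
        if ($Before.ContainsKey($name)) { $old = $Before[$name] }
        $delta = $After[$name] - $old
        if ($delta -gt 0) {
            $deltas += New-Object PSObject -Property @{
                Counter = $name; Before = $old; After = $After[$name]
                Delta   = $delta; Watched = ($WatchList -contains $name)
            }
        }
    }
    return $deltas | Sort-Object -Property Watched, Delta -Descending
}

# Watch list: counters whose growth deserves a look. Names are illustrative
# (assumed); adjust them to the names shown by your system.
$watchList = 'Authentication Failures', 'Negotiation Failures',
             'Invalid Cookies Received', 'Bad SPI Packets',
             'Packets Not Authenticated', 'Packets With Replay Detection'

if ($Live) {
    $before = ConvertFrom-IpsecStats (netsh ipsec dynamic show stats)
    Start-Sleep -Seconds $IntervalSeconds
    $after  = ConvertFrom-IpsecStats (netsh ipsec dynamic show stats)
} else {
    # Constructed sample snapshots (not real netsh output) so the script runs offline.
    $before = ConvertFrom-IpsecStats (@'
IKE Main Mode Statistics
------------------------
Active Acquire            : 1
Authentication Failures   : 2
Negotiation Failures      : 5
Invalid Cookies Received  : 0
IKE Quick Mode            : 12
'@ -split "`r?`n")
    $after = ConvertFrom-IpsecStats (@'
IKE Main Mode Statistics
------------------------
Active Acquire            : 1
Authentication Failures   : 41
Negotiation Failures      : 44
Invalid Cookies Received  : 3
IKE Quick Mode            : 13
'@ -split "`r?`n")
}

Compare-IpsecStats -Before $before -After $after -WatchList $watchList |
    Format-Table Counter, Before, After, Delta, Watched -AutoSize
```

With the constructed samples, the three watched failure counters show deltas of 39, 39 and 3 while "IKE Quick Mode" rises by only 1; that pattern (failures growing far faster than successful negotiations) is what you would compare against the Main Mode and Quick Mode Statistics folders in the snap-in before deciding whether a peer is misconfigured or something is probing the computer.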

Viewing security associations

A security association (SA) is the combination of a negotiated key, security protocol, and security parameters index (SPI), which together define the security used to protect the communication from sender to receiver. By looking at the SAs for this computer, you can determine which computers have connections with this computer, which type of data integrity and encryption is being used for that connection, and other information.

This information can be helpful when you are testing IPsec policies or troubleshooting access issues.

Changing other settings

You can configure whether the snap-in automatically refreshes the information it provides. You can also configure how often it is refreshed and whether the views display IP addresses or DNS names.

To configure automatic refresh

  1. Under the IP Security Monitor folder, right-click the computer's node, and then click Properties.

  2. In the computer Properties dialog box, select the Enable auto refresh check box.

  3. To change the frequency with which the snap-in updates the information, type the preferred interval.

Note

By default, automatic refresh is enabled with an interval of 45 seconds. Setting a very short refresh interval might lead to performance problems, especially when you are monitoring multiple computers from the snap-in and you have enabled DNS name resolution.

To view IP addresses as DNS names

  1. Right-click the computer's node in the IP Security Monitor snap-in, and then click Properties.

  2. In the computer Properties dialog box, select the Enable DNS name resolution check box, and then click OK.

Note

DNS name resolution is not enabled by default. It works only in the Quick Mode Specific Filter view and in the Security Associations view for both Main Mode and Quick Mode.
DNS name resolution might affect performance if many items need to be resolved in this view.
To resolve the DNS name from its IP address, the appropriate reverse domains and pointer (PTR) resource records must be configured on your DNS infrastructure. PTR resource records can be configured either manually or through the use of DNS dynamic update. To resolve the NetBIOS computer name of a computer from its IP address, NetBIOS over TCP/IP must be enabled on the computer.
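Before enabling DNS name resolution in the snap-in, it is worth knowing which peer addresses actually have PTR records, because every address that does not resolve still costs a reverse-lookup attempt on each refresh. The script below is an added example, not code from the documentation page: it performs the reverse lookup for a list of addresses with the .NET resolver and reports whether NetBIOS over TCP/IP is enabled on the local adapters (the TcpipNetbiosOptions WMI property: 0 = use DHCP setting, 1 = enabled, 2 = disabled). The address list is constructed for illustration (TEST-NET addresses); replace it with the peer addresses from the Security Associations view.

```powershell
# Added example (not from the documentation page). Checks the two
# prerequisites named in the note above: PTR records for the addresses you
# expect to see, and NetBIOS over TCP/IP on the local adapters.
# Assumption: the sample addresses are constructed placeholders.

function Test-ReverseLookup {
    # One result object per address: whether a PTR name came back, the name,
    # and the resolver error text if the lookup failed.
    param([string[]]$Addresses)
    foreach ($ip in $Addresses) {
        $result = New-Object PSObject -Property @{
            Address = $ip; Resolves = $false; HostName = $null; Error = $null
        }
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
            $result.Error = 'Not a valid IP address'
            $result
            continue
        }
        try {
            # GetHostEntry on an address performs the PTR query; a missing
            # record surfaces as a SocketException, caught below.
            $entry = [System.Net.Dns]::GetHostEntry($parsed)
            $result.HostName = $entry.HostName
            $result.Resolves = ($entry.HostName -ne $ip)
        } catch {
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

function Get-NetbiosOverTcpipState {
    # TcpipNetbiosOptions: 0 = per DHCP, 1 = enabled, 2 = disabled.
    $labels = @{ 0 = 'Default (DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter = $_.Description
                NetBIOS = $labels[[int]$_.TcpipNetbiosOptions]
            }
        }
}

# Constructed sample peers (TEST-NET-1 range); replace with real SA peer addresses.
$peers = '192.0.2.10', '192.0.2.11', 'not-an-address'

Test-ReverseLookup -Addresses $peers | Format-Table Address, Resolves, HostName, Error -AutoSize
Get-NetbiosOverTcpipState | Format-Table Adapter, NetBIOS -AutoSize
```

Addresses reported with Resolves set to False will appear as raw IP addresses in the Quick Mode Specific Filter and Security Associations views even with DNS name resolution enabled; fixing the reverse zone or PTR records on the DNS server is the remedy, not a setting in the snap-in.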

Additional references