Microsoft KB Archive/231587

= Using the IP Security Monitor Tool to View IPSec Communications =

PSS ID Number: 231587

Article Last Modified on 11/21/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q231587



SUMMARY
Administrators can use the IP Security Monitor tool to confirm whether IP Security (IPSec) communications are successfully secured. The tool can show how many packets have been sent over the Authentication Header (AH) or Encapsulating Security Payload (ESP) security protocols and how many security associations and keys have been generated since the computer was last started.

To start IP Security Monitor for your computer, click Start, click Run, type ipsecmon, and then click OK.

To use IP Security Monitor to view a remote computer, click Start, click Run, type ipsecmon computername (where computername is the name of the remote computer), and then click OK. IP Security Monitor is a viewing tool only; it does not change IPSec policy on either computer.



MORE INFORMATION
IP Security Monitor shows only the security associations that are currently active with other computers. For a log of successful and unsuccessful security association negotiations, review the security log in Event Viewer; the IKE (ISAKMP/Oakley) negotiation events are recorded there with the logon events when auditing of logon events is enabled. The refresh rate is the only configurable option; by default, the statistics are updated every 15 seconds. The statistics accumulate over every communication that uses IPSec since the computer was last started. IP Security Monitor records the following statistics:
 * Active Associations - The number of security associations currently active with the computer being monitored.
 * Confidential Bytes Sent - The total number of bytes sent with confidentiality, that is, in packets protected by the Encapsulating Security Payload (ESP) protocol (IP protocol number 50).
 * Confidential Bytes Received - The total number of bytes received with confidentiality, that is, in packets protected by the Encapsulating Security Payload (ESP) protocol (IP protocol number 50).
 * Authenticated Bytes Sent - The total number of bytes sent with the authentication (integrity) property enabled, that is, in packets protected by the Authentication Header (AH) protocol (IP protocol number 51) or by ESP with an integrity algorithm.
 * Authenticated Bytes Received - The total number of bytes received with the authentication (integrity) property enabled.
 * Bad SPI Packets - The total number of received packets whose Security Parameters Index (SPI) did not match any security association (SA). This usually indicates that the SA has expired or is no longer valid, for example because the sender is still using an SA that this computer has already discarded.

   The SPI is a unique identifying value carried in every AH or ESP packet. Together with the destination address and the security protocol, it lets the receiving computer select the SA under which the packet will be processed.
 * Packets Not Decrypted - The total number of packets that the receiving IPSec driver was unable to decrypt. This may indicate that the security association (SA) has expired or is no longer valid, that authentication did not succeed, or that integrity checking did not succeed.
 * Packets Not Authenticated - The total number of packets whose integrity the IPSec driver could not verify. This may indicate that the security association (SA) has expired or is no longer valid; the IPSec driver needs the information in the SA to process the packets.

   It may also indicate that the two computers have incompatible authentication settings. Verify that the authentication method specified for each computer is the same.
 * Key Additions - The total number of keys that ISAKMP/Oakley (IKE) passed to the IPSec driver. Each addition indicates that an ISAKMP Phase II security association was successfully negotiated.
 * Oakley Main Modes - The total number of security associations successfully established during ISAKMP Phase I (main mode). This indicates that the key exchange was successful: the identities were authenticated and common keying material was established.
 * Oakley Quick Modes - The total number of security associations successfully established during ISAKMP Phase II (quick mode). This indicates that the negotiation of the protection services for the data transfer was successful.
 * Soft Associations - The total number of ISAKMP Phase II negotiations in which the computers agreed only to a clear-text data transfer (no encryption or signing of the packets). Traffic counted here is not protected by IPSec at all, so a non-zero value on a computer that is expected to require IPSec deserves investigation.
 * Authentication Failures - The total number of times that authentication of the computer identities did not succeed. Verify that the authentication method settings for each computer are compatible. This may also indicate that the security association has expired.

NOTE: The number of communications with no IPSec (soft associations) is also noted with a value of "None" in the Negotiation Policy column.
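The SPI lookup and the receive-side counters described above, as an added example that is not part of this article and not Microsoft code: a small Python model of what the receiving IPSec driver does. It builds a few constructed IPv4 packets (an ESP packet, an AH packet, an ESP packet carrying a stale SPI, and a plain TCP packet), looks each one up in a constructed inbound SA table keyed by destination address, security protocol and SPI, and accumulates Confidential Bytes Received, Authenticated Bytes Received and Bad SPI Packets. The addresses, SPIs, packet contents, the rule of counting the whole IP datagram and the extra plaintext counter are assumptions made for the example; IP Security Monitor's own byte accounting is not specified in the article.

```python
"""Classify inbound IPv4 packets by IPsec security protocol, select the SA by
(destination, protocol, SPI) and accumulate IP Security Monitor-style
receive counters.

Added example, not Microsoft code. Packet bytes, SPIs, addresses, the
byte-accounting rule (whole IP datagram) and the plaintext counter are
constructed assumptions.
"""
import struct
from dataclasses import dataclass

ESP = 50  # IP protocol number: Encapsulating Security Payload
AH = 51   # IP protocol number: Authentication Header


@dataclass
class InboundSA:
    proto: int            # ESP or AH
    encrypts: bool        # True for ESP with a cipher (confidentiality)
    authenticates: bool   # True for AH, or ESP with an integrity algorithm


@dataclass
class Stats:
    confidential_bytes_received: int = 0
    authenticated_bytes_received: int = 0
    bad_spi_packets: int = 0
    plaintext_packets: int = 0  # assumption: extra counter, not in ipsecmon


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, zero checksum) in front of payload."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def parse_ipv4(packet: bytes):
    """Return (protocol, destination address, payload) of a raw IPv4 datagram."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    dst = ".".join(str(b) for b in packet[16:20])
    return proto, dst, packet[ihl:total_len]


def extract_spi(proto: int, payload: bytes) -> int:
    """ESP header begins with the SPI (RFC 2406); AH carries next-header,
    payload-length and reserved fields (4 bytes) before the SPI (RFC 2402)."""
    offset = 0 if proto == ESP else 4
    return struct.unpack("!I", payload[offset:offset + 4])[0]


def account(packets, sadb) -> Stats:
    """Run every packet through SA selection and update the counters."""
    stats = Stats()
    for pkt in packets:
        proto, dst, payload = parse_ipv4(pkt)
        if proto not in (ESP, AH):
            stats.plaintext_packets += 1
            continue
        spi = extract_spi(proto, payload)
        sa = sadb.get((dst, proto, spi))
        if sa is None:
            # No SA for this SPI: expired, deleted or never negotiated.
            stats.bad_spi_packets += 1
            continue
        n = len(pkt)  # assumption: count the whole IP datagram
        if sa.encrypts:
            stats.confidential_bytes_received += n
        if sa.authenticates:
            stats.authenticated_bytes_received += n
    return stats


# Constructed inbound SA database for this host (10.0.0.2).
SADB = {
    ("10.0.0.2", ESP, 0x1000ABCD): InboundSA(ESP, encrypts=True, authenticates=True),
    ("10.0.0.2", AH, 0x2000ABCD): InboundSA(AH, encrypts=False, authenticates=True),
}

# Constructed packets: ESP (60 bytes), AH (44 bytes), ESP with a stale SPI, plain TCP.
SAMPLE_PACKETS = [
    build_ipv4(ESP, "10.0.0.1", "10.0.0.2", struct.pack("!II", 0x1000ABCD, 1) + b"\x00" * 32),
    build_ipv4(AH, "10.0.0.1", "10.0.0.2", struct.pack("!BBHII", 6, 4, 0, 0x2000ABCD, 1) + b"\x00" * 12),
    build_ipv4(ESP, "10.0.0.1", "10.0.0.2", struct.pack("!II", 0xDEADBEEF, 7) + b"\x00" * 32),
    build_ipv4(6, "10.0.0.1", "10.0.0.2", b"\x00" * 20),
]

if __name__ == "__main__":
    print(account(SAMPLE_PACKETS, SADB))
```

The stale-SPI packet is the case behind the Bad SPI Packets counter: the sender still believes the SA with SPI 0xDEADBEEF exists, but the receiver has no entry for it and drops the packet without decrypting it. The plain TCP packet is what traffic under a soft association looks like on the wire: no AH or ESP header at all, so none of the IPSec counters move.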

IP Security Monitor also indicates whether or not IP Security is enabled on the computer being monitored. This information is located in the lower-right corner of the window. To reset the statistics in IP Security Monitor, restart the IPSEC Policy Agent service, either from the Services node of the Computer Management snap-in (Compmgmt.msc) or from a command prompt with net stop policyagent followed by net start policyagent. Restarting the agent also drops all active security associations, which must then be renegotiated, so do this only when a brief interruption of IPSec-protected traffic is acceptable.

Keywords: kbhowto KB231587

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch kbWinDataServSearch


© 2004 Microsoft Corporation. All rights reserved.