Troubleshooting toolsYou can use the following tools to troubleshoot IPSec in Windows XP:
IP Security Policy snap-in
Active Directory Users and Computers and Group Policy snap-ins
IP Security Monitor snap-in
IPSecCMD
Audit logging
Oakley log
Network Monitor
IP Security Policy snap-in
You can use the IP Security Policy snap-in to create, modify, and activate IPSec policies. You can create a console by adding either the IP Security Policies on Local Machine snap-in or the IP Security Policies on Active Directory snap-in. You can also access the IP Security Policies snap-in through Group Policy. For more information, see To start the IP Security Policies snap-in.
Note
You cannot administer Active Directory-based IPSec policy from a computer running Windows XP Home Edition.
Active Directory Users and Computers and Group Policy snap-ins
To troubleshoot policy precedence issues and determine the set of policies that are being used by IPSec clients, use the Active Directory Users and Computers and Group Policy snap-ins. Policy precedence is based upon the Group Policy inheritance model. The policy used is the policy assigned at the lowest level of the domain hierarchy for the domain container of which the computer is a member. For example, if there are IPSec policies configured both for the domain and for an organizational unit within the domain, computers that are members of the domain use the domain IPSec policies. The computers that are members of the organizational unit within the domain use the organizational unit IPSec policies. If there are no IPSec policies configured for Active Directory, local policies are used.
For more information about IPSec policy behavior in an Active Directory environment, see Policies stored in Active Directory.
IP Security Monitor snap-in
You can use the IP Security Monitor snap-in to view details on the local computer or remote computers about:
Main mode and quick mode generic filters, specific filters, and security associations.
IKE policies.
Negotiation policies.
IKE and IP security statistics.
For more information, see Monitor IPSec activity. For more information about IP security statistics, see IP Security Monitor statistics.
Note
The IP Security Monitor snap-in can only be used to monitor IPSec on computers running Windows XP. To monitor IPSec on a computer running Windows 2000, use the ipsecmon command at the Windows 2000 command prompt on the computer that is being monitored.
IPSecCMD
You can use IPSecCMD to configure IPSec policies, filters, and filter actions at the command prompt. For more information, see Ipseccmd. Ipseccmd can only be used on computers running Windows XP. To configure IPSec policies, filters, and filter actions at the command prompt for computers running Windows 2000, use the ipsecpol command that is provided in the Windows 2000 Server Resource Kit.
Audit logging
You can use the Windows XP Event Viewer snap-in to view the following IPSec-related events:
IPSec Policy Agent events in the audit log.
IPSec driver events in the system log. To enable IPSec driver event logging, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\DiagnosticMode registry setting to 1. You must restart the computer for this change to take effect. The IPSec driver only writes events to the system log once an hour. For additional information about IPSec driver event logging, see the Windows Resource Kits.
IKE events (SA details) in the audit log. To view these events, enable success or failure auditing for the Audit logon events audit policy for your domain or local computer. For more information, see To establish an audit policy.
IPSec policy change events in the audit log. To view these events, enable success or failure auditing for the Audit policy change audit policy for your domain or local computer. For more information, see To establish an audit policy.
Enabling audit logging and viewing the events in Event Viewer is the fastest and simplest way to troubleshoot failed main mode or quick mode negotiations.
Note
Audit policies on a computer running Windows XP Home Edition and cannot be configured, however, success and failure auditing for the Audit logon events and Audit policy change audit policies for the local computer are enabled by default.
Oakley log
You can use the Oakley log to view details about the SA establishment process. The Oakley log is enabled in the registry. It is not enabled by default. To enable the Oakley log, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry setting to 1. The Oakley key does not exist by default and must be created. For more information about adding values to registry keys, see To add a value.
After it is enabled, the Oakley log, which is stored in the systemroot\Debug folder, records all ISAKMP main mode or quick mode negotiations. A new Oakley.log file is created each time the IPSec Policy Agent is started and the previous version of the Oakley.log file is saved as Oakley.log.sav.
To activate the new EnableLogging registry setting after modifying its value, stop and start the IPSec Policy Agent and related IPSec services by running the net stop policyagent and net start policyagent commands at the command prompt. If you are restarting the IPSec Policy Agent and related services on a computer running Windows 2000 Server and the Routing and Remote Access service, use the following sequence of commands:
Stop the Routing and Remote Access service using the net stop remoteaccess command.
Stop the IPSec services using the net stop policyagent command.
Start the IPSec services using the net start policyagent command.
Start the Routing and Remote Access service using the net start remoteaccess command.
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Network Monitor
You can use Microsoft Network Monitor to troubleshoot IPSec. Network Monitor 2.0, included with both Windows 2000 Server and Systems Management Server 2.0, features parsers for ISAKMP, AH, and ESP. However, Network Monitor does not parse the encrypted portions of IPSec-protected traffic.
For more information, see Network Monitor.