HOW TO: Use IPSec Monitor in Windows 2000 (313195)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
This article was previously published under Q313195

IN THIS TASK

SUMMARY

Windows 2000 supports the use of Internet Protocol security (IPSec) to secure communications between computers. IPSec is a cross-platform protocol. Windows 2000-based computers use IPSec policies to control which communications require the use of IPSec. A computer can require that IPSec secures all communications, or only a subset of all communications can be required to use IPSec. You use IPSec filters to control when IPSec is applied.

To test the IPSec policies, use IPSec Monitor. IPSec Monitor (Ipsecmon.exe) provides information about which IPSec policy is active and whether a secure channel between computers is established.

back to the top

Start IPSec Monitor

  1. Click Start, and then click Run.
  2. In the Open box, type ipsecmon.
  3. Click Options.

    You can change the Refresh interval in the IP Security Monitor Options dialog box.
To see how IPSec Monitor functions, you need two Windows 2000-based computers that are members of the same Windows 2000 domain. One computer is the IPSec client computer and the other computer is the IPSec server. The following two sections describe how to configure the IPSec client computer and IPSec server to test a security policy.

back to the top

IPSec Client Computer

  1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
  2. Click to expand the Security Settings node in the left pane, and then click the IP Security Policies node.
  3. Double-click Client (Responds Only) policy in the right pane.
  4. Click to clear the Dynamic check box, and the click to select the All ICMP Traffic check box.
  5. Double-click the All ICMP Traffic rule, click the Filter Action tab, and then click Require Security.
  6. Click Apply, and then click OK.
  7. Click Close.
back to the top

IPSec Server

  1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
  2. Click to expand the Security Settings node in the left pane, and then click the IP Security Policies node.
  3. Double-click the Secure Server (Require Security) policy in the right pane.
  4. Click to clear the All IP Traffic and the Dynamic check boxes, and then click to select the All ICMP Traffic check box.
  5. Double-click the All ICMP Traffic rule.
  6. Click the Filter Action tab, and then click Require Security.
  7. Click Apply, and then click OK.
  8. Click Close.
  9. On the IPSec client computer, start IPSec Monitor.
  10. From a command prompt, type ping -t ipsec_server_ip_address.

    For the first few seconds, a "Negotiating IPSec Policy" message is displayed, and then you receive Internet Control Message Protocol (ICMP) echo replies. When you bring IPSec Monitor to the foreground, you see that the IPSec security association is established and the filter name is listed as "ICMP."
  11. Close the command window to stop the ping command. Note that the IPSec security association continues for a short period of time before timing out.
To restore the default IPSec policies on each computer:
  1. Right-click the IP Security Policies node in the left pane, point to All Tasks, and then click Restore Default Policies.
  2. Click Yes when you receive the "Are you sure?" message.
  3. Click OK to confirm that the default policies have been returned to their default values.
back to the top
Modification Type:MajorLast Reviewed:11/19/2003
Keywords:kbhowto kbHOWTOmaster KB313195 kbAudITPro
©2003 Microsoft Corporation. All rights reserved.