HOW TO: Use IPSec Monitor in Windows Server 2003 (324269)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
This article was previously published under Q324269. For a Microsoft Windows 2000 version of this article, see 313195.
SUMMARY
Windows Server 2003 supports the use of Internet Protocol
security (IPSec) to secure communications between computers. IPSec is a
cross-platform protocol. Windows Server 2003-based computers use IPSec policies
to control which communications must use IPSec. A computer may need IPSec
to secure all communications or only a subset of them. You use IPSec filters
to control when IPSec is applied. To test the IPSec policies, use IPSec
Monitor. IPSec Monitor (Ipsecmon.exe) provides information about which IPSec
policy is active and whether a secure channel between computers is established.
Start IPSec Monitor
In Microsoft Windows XP and Windows Server 2003, the IP Security Monitor is
implemented as a Microsoft Management Console (MMC) snap-in. To add the IP
Security Monitor snap-in, follow these steps:
- Click Start, click Run, type MMC, and then click OK.
- In the MMC, click File, click Add/Remove Snap-in, and then click Add.
- Click IP Security Monitor, and then click Add.
- Click Close, and then click OK.
NOTE: To save the console settings, click Save on the File menu.
To add a computer to the IP Security Monitor snap-in, follow these steps:
- Create a console that contains IP Security Monitor, or open a saved console file that contains IP Security Monitor.
- In the console tree, right-click IP Security Monitor, and then click Add computer.
- In the Add Computer dialog box, do one of the following:
  - For the local computer, click This computer.
  - For a remote computer, click The following computer, and then type the name of the remote computer, or click Browse to find it on the network.
To see how IPSec Monitor functions, you need two Windows Server
2003-based computers that are members of the same Windows Server 2003 domain.
One computer is the IPSec client computer and the other computer is the IPSec
server. The following two sections describe how to configure the IPSec client
computer and IPSec server to test a security policy.
IPSec Client Computer
- Click Start, point to Settings, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Local Security Policy.
- Click the IP Security Settings on Local Computer node in the left pane, and then double-click the Client (Respond Only) policy in the right pane.
- Click to clear the Dynamic check box, and then click Add.
- In the Security Rule Wizard, click Next.
- In the Tunnel Endpoint dialog box, click This rule does not specify a tunnel, and then click Next.
- In the Network Type dialog box, click All network connections, and then click Next.
- In the Authentication Method dialog box, click Active Directory default (Kerberos V5 protocol), click Next, and then click Finish.
- In the IP Filter List dialog box, click All ICMP Traffic, and then click Next.
- In the Filter Action dialog box, click Require Security, and then click Next.
- Click Apply, and then click OK.
- Click Close.
IPSec Server
- Click Start, point to Settings, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Local Security Policy.
- Click the IP Security Settings on Local Computer node in the left pane, and then double-click the Secure Server (Require Security) policy in the right pane.
- Click to clear the All IP Traffic and the Dynamic check boxes, and then click to select the All ICMP Traffic check box.
- Double-click the All ICMP Traffic rule.
- Click the Filter Action tab, and then click Require Security.
- Click Apply, and then click OK.
- Click Close.
- On the IPSec client computer, start IPSec Monitor.
- From a command prompt, type ping -t ipsec_server_ip_address.
  For the first few seconds, a "Negotiating IPSec Policy" message is displayed, and then you receive Internet Control Message Protocol (ICMP) echo replies. When you bring IPSec Monitor to the foreground, you see that the IPSec security association is established and the filter name is listed as ICMP.
- Close the command window to stop the ping command. Note that the IPSec security association continues for a short time before timing out.
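The same test run from a command prompt instead of the IPSec Monitor snap-in, as an added example that is not part of the KB article. It uses the netsh ipsec context of Windows Server 2003; the server address 192.0.2.10 is a placeholder, and the final findstr check assumes the quick mode SA listing names the protocol as ICMP.

```batch
@echo off
REM Added example (not from the KB article): command-line counterpart of the
REM IPSec Monitor test above. Run on the IPSec client computer after the
REM client and server policies have been assigned.
REM Placeholder: replace with the IPSec server's real IP address.
set IPSEC_SERVER=192.0.2.10

echo === IPSec policies on this computer (look for Assigned: YES) ===
netsh ipsec static show policy all | findstr /i "Policy Name Assigned"

echo === Triggering negotiation with a bounded number of echo requests ===
REM The first requests report the negotiating message until the SA is up,
REM after which echo replies arrive, exactly as with "ping -t" in the article.
ping -n 8 %IPSEC_SERVER%

echo === Main mode (IKE) security associations ===
netsh ipsec dynamic show mmsas

echo === Quick mode (IPSec) security associations ===
netsh ipsec dynamic show qmsas > "%TEMP%\qmsas.txt"
type "%TEMP%\qmsas.txt"

REM Pass/fail check. IPSec Monitor lists the filter name as ICMP once the
REM SA exists; here the quick mode listing is searched for the same protocol.
REM Assumption: the qmsas output shows the protocol as the string ICMP.
findstr /i "ICMP" "%TEMP%\qmsas.txt" >nul
if %ERRORLEVEL%==0 (
    echo RESULT: ICMP traffic to %IPSEC_SERVER% is protected by an IPSec SA.
) else (
    echo RESULT: no ICMP quick mode SA found. Check that both policies are
    echo assigned and that Kerberos authentication succeeds between the hosts.
)
del "%TEMP%\qmsas.txt"
```

Wait a short while after the script finishes and run the qmsas command again to observe the SA timing out, as the article notes.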
To restore the default IPSec policies on each computer:
- Right-click the IP Security Policies node in the left pane, point to All Tasks, and then click Restore Default Policies.
- Click Yes when you receive the "Are you sure?" message.
- Click OK to confirm that the default policies have been returned to their default values.
Modification Type: Major
Last Reviewed: 6/6/2003
Keywords: kbSecurityServices kbhowto kbHOWTOmaster KB324269 kbAudITPro