Description of Internet Protocol Security Troubleshooting Tools

ID: Q234581


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

This article discusses the monitoring and troubleshooting tools that are available for Internet Protocol (IP) Security. Windows 2000 provides six tools that you can use to diagnose problems with IP Security.


MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

IP Security Monitor (Ipsecmon.exe)

You can start IP Security Monitor (Ipsecmon.exe) from a command prompt. This tool monitors IP Security Associations, rekeying, and negotiation errors, and displays other IP Security statistics.

Performance Monitor

Performance Monitor includes IP Security objects and counters.

Event Viewer

Event Viewer records several messages:
  • Policy Agent and IPSec Driver events in the System Log.


  • Oakley events in the Application Log.


  • Internet Security Association and Key Management Protocol (ISAKMP) events, such as Security Association details, in the Security Log when auditing is enabled.


Note that Key audits contain descriptions such as "ISAKMP security association established" or "ISAKMP security association ended."

Network Monitor

Network Monitor version 2 includes parsers for Authentication Header, Encapsulating Security Payload, and ISAKMP.

Policy Agent Log

Policy Agent Log (Ipsecpa.log) is a detailed log that can be enabled in the registry. To enable this logging function:
  1. Use Registry Editor to add a REG_DWORD value named Debug with a value of 1 to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
    NOTE: A value of 0 for Debug turns logging off.


  2. The Ipsecpa.log file is created in the %systemroot%\debug folder.


Security Association Log

Security Association Log (Oakley.log) is another detailed log that can be enabled in the registry. To enable this logging functionality:
  1. Use Registry Editor to locate the following key in the registry, and if it does not exist, create it:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley

  2. Add a REG_DWORD value named EnableLogging with a value of 1 to this key.

  3. The Oakley.log file is created in the %SystemRoot%\debug folder.

    NOTE: A value of 0 for EnableLogging disables logging.
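
The two logging settings described above (Policy Agent Log and Security Association Log) can also be applied together by importing a registration file. The following is an added example, not part of the original article; it assumes the Registry Editor version 5.00 file format used by Windows 2000 and uses only the key and value names given in the steps above.

```reg
Windows Registry Editor Version 5.00

; Added example, not part of the original article.
; Policy Agent Log: Debug = 1 enables Ipsecpa.log (0 turns logging off).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Debug"=dword:00000001

; Security Association Log: EnableLogging = 1 enables Oakley.log (0 disables it).
; Importing this file creates the Oakley key if it does not already exist.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley]
"EnableLogging"=dword:00000001
```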


For related information, please see the following article in the Microsoft Knowledge Base:
Q231585 Overview of Secure IP Communication with IPSec in Windows 2000


Keywords : kbnetwork kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: February 1, 2000
© 2000 Microsoft Corporation. All rights reserved.