Internet Protocol Security
This section covers tools and procedures that can be used to determine if IPSec is active and to make sure IPSec-secured communication is successful.
This procedure determines if standard, unsecured communication can take place. This allows you to separate network problems from IPSec issues.
ping <IP address>
where <IP address> is the IP address of the computer with which you are trying to communicate.
You should receive four replies to the ping. This verifies that you can communicate with your partner. Note that the predefined policies, used unmodified, do not block ping, because they include a rule that permits ICMP traffic. However, if you have created custom policies and have not exempted the ICMP protocol that ping uses, the ping can fail even though the underlying network path is fine, so a failed ping under a custom policy does not by itself indicate a network problem.
If you do not receive a response from the ping command, see "TCP/IP Troubleshooting" in this book for more information about determining the problem.
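The connectivity check above, as an added example that is not part of the original text: a small Python triage script that runs ping (or classifies saved ping output) and separates "all four replies received" from "request timed out" and from the Negotiating IP Security lines that Windows 2000 ping prints while an IPSec security association is still being set up. The sample outputs embedded in the script are constructed in the style of Windows 2000 ping, not captured from a real host, and the verdict names are this script's own.

```python
import re
import subprocess
import sys

# Constructed sample outputs (not captured from a real host) in the style of
# Windows 2000 ping, used so the classifier can be exercised offline.
SAMPLE_OK = """Pinging 192.168.1.20 with 32 bytes of data:

Reply from 192.168.1.20: bytes=32 time<10ms TTL=128
Reply from 192.168.1.20: bytes=32 time<10ms TTL=128
Reply from 192.168.1.20: bytes=32 time<10ms TTL=128
Reply from 192.168.1.20: bytes=32 time<10ms TTL=128

Ping statistics for 192.168.1.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

# An SA is negotiated during the first echoes; later echoes are answered.
SAMPLE_NEGOTIATING = """Pinging 192.168.1.20 with 32 bytes of data:

Negotiating IP Security.
Negotiating IP Security.
Reply from 192.168.1.20: bytes=32 time<10ms TTL=128
Reply from 192.168.1.20: bytes=32 time<10ms TTL=128
"""

SAMPLE_TIMEOUT = """Pinging 192.168.1.20 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
"""

REPLY_RE = re.compile(r"^Reply from \S+: bytes=\d+")
NEGOTIATING_RE = re.compile(r"^Negotiating IP Security", re.IGNORECASE)
TIMEOUT_RE = re.compile(r"^Request timed out")


def classify_ping(output, expected=4):
    """Count reply, negotiation and timeout lines and return a triage verdict.

    Verdict names are this script's own:
      ok                  every echo was answered (plain or IPSec-secured path works)
      negotiated          an SA was set up mid-test and later echoes were answered
      negotiation-stalled only negotiation lines, no reply: IKE never completed
      partial             some replies, no negotiation lines: lossy path
      unreachable         no replies at all: network fault, or ICMP blocked by a
                          custom policy that does not exempt it
    """
    replies = negotiating = timeouts = 0
    for line in output.splitlines():
        line = line.strip()
        if REPLY_RE.match(line):
            replies += 1
        elif NEGOTIATING_RE.match(line):
            negotiating += 1
        elif TIMEOUT_RE.match(line):
            timeouts += 1

    if replies == expected:
        verdict = "ok"
    elif negotiating and replies:
        verdict = "negotiated"
    elif negotiating:
        verdict = "negotiation-stalled"
    elif replies:
        verdict = "partial"
    else:
        verdict = "unreachable"
    return {"verdict": verdict, "replies": replies,
            "negotiating": negotiating, "timeouts": timeouts}


def run_ping(target, count=4):
    """Run the platform's ping against target and classify its output."""
    # Windows ping takes the echo count with -n; POSIX ping uses -c.
    flag = "-n" if sys.platform.startswith("win") else "-c"
    proc = subprocess.run(["ping", flag, str(count), target],
                          capture_output=True, text=True)
    return classify_ping(proc.stdout, expected=count)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(run_ping(sys.argv[1]))
    else:
        for name, sample in (("ok", SAMPLE_OK),
                             ("negotiating", SAMPLE_NEGOTIATING),
                             ("timeout", SAMPLE_TIMEOUT)):
            print(name, classify_ping(sample))
```

Run it with the partner's IP address as the only argument to ping a live host, or with no arguments to see the three constructed cases classified. A "negotiated" verdict on the first run that turns into "ok" on a second run is the normal signature of an IPSec SA being established; a persistent "unreachable" under a custom policy should be checked against that policy's ICMP handling before the TCP/IP troubleshooting chapter is consulted.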
You can use the following procedures to verify that the assigned policy is active.
ipsecmon <computername>
When IPSec Monitor opens, a message in the lower-right corner indicates whether IPSec is enabled on the computer. For IPSec to be enabled, a policy must be assigned. Note, however, that the Security Association list shows active SAs, not policies: it stays empty until an SA with another computer is currently active, so an empty list on a computer that reports IPSec as enabled is normal when no secured traffic has been sent yet.
The IPSec Policy Agent writes entries to the System Log that indicate the source of its policy. These entries also record the polling interval, as specified by the active policy, at which the agent checks the Active Directory for policy changes. Changes that an administrator makes to the active IPSec policy on the local computer take effect immediately, without waiting for a polling interval.
You can also see whether the computer is using local policy or policy from the Active Directory by viewing the Event Log. Specifically, examine the System Log informational entry by the IPSec Policy Agent.
By displaying the properties for Internet Protocol (TCP/IP), you can see the active IPSec policy. If the computer is running local IPSec policy, the policy name is displayed in an editable form. If the computer is running policy assigned through Active Directory Group Policy, the name and the dialog box are displayed grayed out and cannot be edited. See Windows 2000 Help for instructions on displaying TCP/IP properties.