• Policy last modified
• Policy store, which specifies whether the policy is being stored in Active Directory or in the Local Security Policy
• Policy Path, which specifies the file system or Active Directory path in which the active policy resides
• Organizational Unit, which specifies the OU in which the computer resides, if applicable
• Group Policy Object Name
3. For additional information on IPSec filters that are in place, navigate to Quick Mode\Generic Filters. Double-click an individual filter to see the details of the filter definition.
4. For additional information and statistics on the security negotiation process, click the Quick Mode\Negotiation Policies node.
5. For IPSec performance statistics, click the Quick Mode\Statistics node.
Using a Command-Line Interface
The following command creates a file named display.txt that contains a detailed description of
the current IPSec configuration:
> netsh ipsec static show all > display.txt
The following command will display debugging information and statistics about the IPSec
negotiation process:
> netsh ipsec dynamic show all
How It Works
When troubleshooting communication issues on a network that has been configured for IPSec,
you need to determine if IPSec itself is the cause of the failure, or if the failure occurs at another
point in the network stack. The quickest way to determine if your IPSec configuration is the
cause of a network failure is to temporarily disable the active IPSec policy to see if it corrects the
issue, although this obviously has the negative side effect of removing IPSec security protection from your network.
If you've determined that IPSec is creating communications difficulties on your network,
further troubleshooting will be aided by obtaining as much information about your current
IPSec configuration as possible. You can use the tools listed in this recipe to obtain configuration and performance information about the IPSec policy of a computer running Windows
Server 2003.
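The isolation test described above can be scripted so that the configuration is captured first and the policy is reassigned as soon as the test finishes. This batch file is an added example, not part of the original recipe. It assumes the policy is assigned from the local store (a policy assigned through a GPO cannot be unassigned this way) and that an IPv4 ping to the target stands in for the connection that is failing; the script name and output file names are placeholders.

```batch
@echo off
rem Added example. Usage: ipsec-isolate.cmd "Policy Name" target-host
rem Run as a local administrator on the computer being diagnosed.
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 "Policy Name" target-host
    exit /b 2
)
set "POLICY=%~1"
set "TARGET=%~2"

rem 1. Record policy and negotiation state before changing anything.
netsh ipsec static show all > ipsec-static-before.txt
netsh ipsec dynamic show all > ipsec-dynamic-before.txt

rem 2. Baseline with the policy active. ping can exit 0 on "unreachable"
rem    replies, so look for the TTL= field of a genuine echo reply instead.
ping -n 4 %TARGET% | find "TTL=" > nul
set BEFORE=%ERRORLEVEL%

rem 3. Unassign the policy. Traffic is unprotected from here until step 5.
netsh ipsec static set policy name="%POLICY%" assign=no

rem 4. Repeat exactly the same test without IPSec.
ping -n 4 %TARGET% | find "TTL=" > nul
set AFTER=%ERRORLEVEL%

rem 5. Reassign at once, whatever the test result was.
netsh ipsec static set policy name="%POLICY%" assign=yes

rem 6. Capture the state again so the operator can confirm the policy is back.
netsh ipsec static show all > ipsec-static-after.txt

if %BEFORE% EQU 0 echo Test passed with IPSec active: the failure did not reproduce.
if %BEFORE% NEQ 0 if %AFTER% EQU 0 echo Test fails only with IPSec active: examine the policy and its filters.
if %BEFORE% NEQ 0 if %AFTER% NEQ 0 echo Test fails either way: look elsewhere in the network stack.
endlocal
```

Compare ipsec-static-before.txt with ipsec-static-after.txt to confirm the policy is assigned again before leaving the machine.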
Using a Graphical User Interface
The IP Security Monitor is an MMC snap-in that is installed by default on Windows Server 2003
computers. It provides a graphical view of IPSec statistics, including the name and description
of the active IPSec policy, the GPO that IPSec has been configured through, and the configuration details of specific filters that are in place.