To troubleshoot IPsec, first enable Audit policy, and then verify the results of the phase one (Main Mode) and phase two (Quick Mode) exchanges. When you enable Audit policy, IKE negotiation events are logged in the Security log. By examining the Security log, you can determine whether IKE security association negotiation succeeds, and if not, in which phase it fails. To enable Audit policy, follow these steps:
1. In Group Policy, expand Local Computer Policy.
2. Locate and then click Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy.
3. In the details pane, right-click Audit logon events, and then click Security.
4. Click to select Success, click to select Failure, and then click OK.
5. In the details pane, right-click Audit object access, and then click Security.
6. Click to select Success, click to select Failure, and then click OK.
Note If you are using a domain policy for auditing, the domain policy overrides your local policy, so the settings that you configure locally have no effect until the domain policy is changed.
Next, type the following command to use the Netdiag.exe command-line tool:
netdiag /test:ipsec /debug
This command displays debugging information about phase two.
Note To use Netdiag.exe, the Windows 2000 Support Tools package must be installed on your computer. To install the Windows 2000 Support Tools, follow these steps:
1. Start Windows 2000.
Note You must log on as a member of the Administrators group to install these tools.
2. Insert the Windows 2000 CD into your CD drive.
3. Click Browse this CD, and then open the Support\Tools folder.
4. Double-click Setup.exe, and then follow the instructions that appear on the screen.
You can also use Netdiag.exe to view the policy without an active connection. To do this, type the following command at a command prompt, and then press ENTER:
netdiag /test:ipsec /v
This command displays the current policy and IPsec statistics with regard to phase one.
If the logged events indicate that the phase one Main Mode exchange fails, verify the IKE (key exchange) settings and the IKE authentication methods in your IPsec policy properties. To do this, follow these steps:
1. Click Start, click Run, type secpol.msc, and then click OK.
2. Under IP Security Policies, right-click the IPsec policy that you want to verify, and then click Properties.
3. Click the General tab, and then verify that the settings are correct.
4. Click Advanced, examine the settings, click Methods, and then examine the settings.
5. Click OK two times.
6. Click the Rules tab, click the rule that you want to verify, click Edit, and then click the Authentication Methods tab.
7. Examine the settings on this tab.
If the logged events indicate that phase two Quick Mode fails, verify the IPsec security methods in the IPsec rules and in your IPsec policy properties. To do this, follow these steps:
1. Click the IPsec rule that you want to verify, click Edit, and then click the Filter Action tab.
2. Click the filter action that is enabled, click Edit, and examine the settings.
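The steps above tell you what to check once you know which phase failed. The script below, an added example that is not part of the original article, automates the "examine the Security log" step: it reads a comma-delimited export of the Security log (Event Viewer can save the log in that format), keeps only the IKE audit events that Windows 2000/XP/2003 write when Audit logon events is enabled (IDs 541 through 547), groups them by peer address, and reports whether Main Mode or Quick Mode failed for each peer, together with the policy settings to inspect. The sample export embedded in the script is constructed for illustration; the column names follow the Event Viewer export header, and the Vista-era replacement IDs (4650 and later) are not handled.

```python
"""Triage legacy IKE audit events from a Windows 2000 Security log export."""
import csv
import io
import re
from collections import defaultdict

# IKE audit event IDs written to the Security log by Windows 2000/XP/2003
# once "Audit logon events" is enabled. (Windows Vista and later use
# different IDs, which this script does not handle.)
IKE_EVENTS = {
    541: "IKE security association established",
    542: "IKE security association ended (Quick Mode)",
    543: "IKE security association ended (Main Mode)",
    544: "IKE SA establishment failed: peer could not authenticate (certificate trust)",
    545: "IKE peer authentication failed",
    546: "IKE SA establishment failed: peer sent invalid proposal",
    547: "IKE security association negotiation failed",
}
IKE_FAILURES = (544, 545, 546, 547)

PEER_RE = re.compile(r"Peer IP Address:\s*([0-9.]+)")

# Constructed sample export (not a real log): one peer whose Main Mode
# succeeded but Quick Mode failed, one peer that failed authentication,
# and an unrelated logon event (528) that must be ignored.
SAMPLE_EXPORT = """\
Type,Date,Time,Source,Category,Event,User,Computer,Description
Success Audit,3/4/2002,10:01:12,Security,Logon/Logoff,541,NT AUTHORITY\\SYSTEM,SRV1,"IKE security association established. Mode: Key Exchange Mode (Main Mode) Peer IP Address: 10.0.0.2"
Failure Audit,3/4/2002,10:01:13,Security,Logon/Logoff,547,NT AUTHORITY\\SYSTEM,SRV1,"IKE security association negotiation failed. Mode: Data Protection Mode (Quick Mode) Peer IP Address: 10.0.0.2 Failure Point: Me Failure Reason: No policy configured"
Failure Audit,3/4/2002,10:05:40,Security,Logon/Logoff,545,NT AUTHORITY\\SYSTEM,SRV1,"IKE peer authentication failed. Peer IP Address: 10.0.0.3"
Success Audit,3/4/2002,10:06:02,Security,Logon/Logoff,528,SRV1\\bob,SRV1,"Successful Logon: User Name: bob Logon Type: 2"
"""


def parse_events(text):
    """Return (event_id, description) pairs for IKE rows in an Event Viewer CSV export."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            event_id = int(row["Event"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed or non-numeric row
        if event_id in IKE_EVENTS:
            events.append((event_id, row.get("Description", "")))
    return events


def phase_of(event_id, description):
    """Map an IKE event to 'phase1' (Main Mode) or 'phase2' (Quick Mode)."""
    d = description.lower()
    if "quick mode" in d or "data protection" in d:
        return "phase2"
    if "main mode" in d or "key exchange" in d:
        return "phase1"
    # 544/545 are peer authentication failures, which only occur in Main Mode.
    return "phase1" if event_id in (544, 545) else "unknown"


def triage(text):
    """Per-peer summary of IKE outcomes plus the policy area to check next."""
    per_peer = defaultdict(lambda: {p: {"ok": 0, "fail": 0}
                                    for p in ("phase1", "phase2", "unknown")})
    for event_id, desc in parse_events(text):
        m = PEER_RE.search(desc)
        peer = m.group(1) if m else "?"
        phase = phase_of(event_id, desc)
        if event_id == 541:
            per_peer[peer][phase]["ok"] += 1
        elif event_id in IKE_FAILURES:
            per_peer[peer][phase]["fail"] += 1
        # 542/543 are normal SA teardown and say nothing about success/failure.

    report = {}
    for peer, p in per_peer.items():
        if p["phase1"]["fail"]:
            advice = "Main Mode failed: verify IKE settings and authentication methods"
        elif p["phase2"]["fail"]:
            advice = "Quick Mode failed: verify IPsec security methods in the filter action"
        elif p["unknown"]["fail"]:
            advice = "negotiation failed but the event does not record the mode"
        elif p["phase1"]["ok"] or p["phase2"]["ok"]:
            advice = "IKE negotiation succeeded"
        else:
            advice = "inconclusive"
        report[peer] = {"counts": {k: dict(v) for k, v in p.items()}, "advice": advice}
    return report


if __name__ == "__main__":
    for peer, result in triage(SAMPLE_EXPORT).items():
        print(peer, result["advice"], result["counts"])
```

If the export contains no IKE events at all, the report is empty; that usually means Audit logon events is not enabled (or a domain policy is overriding the local setting), so go back to the audit steps before chasing policy settings.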