Monitoring Quick Mode
Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs created during Quick Mode are called the IPsec SAs. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specific IP traffic is also selected. A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange.
Monitoring Quick Mode SAs can provide information about which peers are currently connected to this computer, which protection suite was used to form the SA, and other information.
Generic filters
Generic filters are IP filters that are configured to use any of the IP address options as either a source or destination address. IPsec allows you to use keywords, such as My IP Address, DNS Server, DHCP Server, WINS Servers, and Default Gateway, in the configuration of filters. When keywords are used, generic filters show the keywords in the IP Security Monitoring snap-in. Specific filters are derived by expanding keywords into specific IP addresses.
Adding, removing, and sorting columns
You can add, remove, rearrange, and sort by these columns in the results pane:
Name
Source (the IP address of the packet source)
Destination (the IP address of the packet destination)
Source Port (the TCP or UDP port of the packet source)
Destination Port (the TCP or UDP port of the packet destination)
Source Tunnel Endpoint (the tunnel endpoint nearest the local computer, if one was specified)
Destination Tunnel Endpoint (the tunnel endpoint nearest the destination computer, if one was specified)
Protocol (the protocol specified in the filter)
Inbound Action (whether inbound traffic is Allowed, Blocked, or uses Negotiate Security action)
Outbound Action (whether outbound traffic is Allowed, Blocked, or uses Negotiate Security action)
Negotiation Policy (the name of the Quick Mode negotiation policy, or cryptographic settings)
Connection Type (the type of connection that this filter is applied to, either local network (LAN), remote access, or all network connection types)
Specific filters
Specific filters are expanded from Generic filters by using the IP addresses of the source or destination computer for the actual connection. For example, if you have a filter that used My IP Address option as the source address and the DHCP Server option as the destination address, then when a connection is formed using this filter, a filter that has your computer's IP address and the IP address of the DHCP server that this computer uses is created.
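The keyword expansion described above, as an added illustration (not code from the snap-in or from Microsoft): a generic filter whose source and destination are keywords is turned into one specific filter per resolved address pair. The host configuration values and the filter definition are constructed sample data; the keyword names follow the page.

```python
"""Expand a generic IPsec filter (keyword addresses) into specific filters.

Keyword names match the page (My IP Address, DNS Server, DHCP Server,
WINS Servers, Default Gateway). Addresses below are constructed samples.
"""
from itertools import product

# Constructed: what this computer currently knows about itself.
HOST_CONFIG = {
    "My IP Address": ["192.0.2.10"],
    "DNS Server": ["192.0.2.53", "192.0.2.54"],
    "DHCP Server": ["192.0.2.67"],
    "WINS Servers": ["192.0.2.42"],
    "Default Gateway": ["192.0.2.1"],
}


def resolve(address, config):
    """Expand a keyword to its current addresses; literal addresses pass through."""
    return list(config[address]) if address in config else [address]


def expand_generic_filter(generic, config=HOST_CONFIG):
    """Return the specific filters derived from one generic filter.

    One specific filter is produced per (source, destination) pair, so a
    keyword that maps to several addresses (two DNS servers here) yields
    several specific filters that share the generic filter's other settings.
    """
    sources = resolve(generic["Source"], config)
    dests = resolve(generic["Destination"], config)
    return [dict(generic, Source=s, Destination=d)
            for s, d in product(sources, dests)]


# Constructed: a generic filter using keywords for both endpoints.
GENERIC_DNS = {
    "Name": "Secure DNS",
    "Source": "My IP Address",
    "Destination": "DNS Server",
    "Protocol": "UDP",
    "Source Port": "Any",
    "Destination Port": 53,
    "Inbound Action": "Negotiate Security",
    "Outbound Action": "Negotiate Security",
}
```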
Adding, removing, and sorting columns
You can add, remove, rearrange, and sort by these columns in the results pane:
Name
Source (the IP address of the packet source)
Destination (the IP address of the packet destination)
Source Port (the TCP or UDP port of the packet source)
Destination Port (the TCP or UDP port of the packet destination)
Source Tunnel Endpoint (the tunnel endpoint nearest the local computer, if one was specified)
Destination Tunnel Endpoint (the tunnel endpoint nearest the destination computer, if one was specified)
Protocol (the protocol specified in the filter)
Inbound Action (whether inbound traffic is Allowed, Blocked, or uses Negotiate Security action)
Outbound Action (whether outbound traffic is Allowed, Blocked, or uses Negotiate Security action)
Negotiation Policy (the name of the Quick Mode negotiation policy, or cryptographic settings)
Weight (the priority the IPsec service gives to the filter)
Weight is derived from a number of factors. For more information about filter weights, see the February 2005 Cable Guy article, IPsec Filter Ordering, on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=62212).
Note
The weight property is no longer relevant on computers running Windows Vista® or Windows Server® 2008; this property is always set to 0 on these computers.
Negotiation policies
The Negotiation policy is the security method preference order that the two peer computers agree to use when communicating with each other during Quick Mode negotiations.
Statistics
This table displays the statistics available from the Quick Mode Statistics view:
IPsec Statistic | Description
---|---
Active Security Associations | The number of active IPsec SAs.
Offloaded Security Associations | The number of active IPsec SAs offloaded to hardware.
Pending Key Operations | The number of IPsec key operations in progress.
Key Additions | The total number of successful IPsec SA negotiations.
Key Deletions | The number of key deletions for IPsec SAs.
Rekeys | The number of rekey operations for IPsec SAs.
Active Tunnels | The number of active IPsec tunnels.
Bad SPI Packets | The total number of packets for which the Security Parameters Index (SPI) was incorrect. The SPI is used to match inbound packets with SAs. If the SPI is incorrect, it might mean that the inbound SA has expired and a packet using the old SPI has recently arrived. This number is likely to increase if rekey intervals are short and there are a large number of SAs. Because SAs expire under normal conditions, a bad SPI packet does not necessarily mean that IPsec is failing.
Packets Not Decrypted | The total number of packets that failed decryption. This failure might indicate that a packet arrived for an SA that had expired. If the SA expires, the session key used to decrypt the packet is also deleted. This does not necessarily indicate that IPsec is failing.
Packets Not Authenticated | The total number of packets for which data could not be verified. This failure is most likely caused by an expired SA.
Packets With Replay Detection | The total number of packets that contained a valid Sequence Number field.
Confidential Bytes Sent | The total number of bytes sent using the ESP protocol.
Confidential Bytes Received | The total number of bytes received using the ESP protocol.
Authenticated Bytes Sent | The total number of bytes sent using the AH protocol.
Authenticated Bytes Received | The total number of bytes received using the AH protocol.
Transport Bytes Sent | The total number of bytes sent using IPsec Transport Mode.
Transport Bytes Received | The total number of bytes received using IPsec Transport Mode.
Bytes Sent in Tunnels | The total number of bytes sent using IPsec Tunnel Mode.
Bytes Received in Tunnels | The total number of bytes received using IPsec Tunnel Mode.
Offloaded Bytes Sent | The total number of bytes sent using hardware offload.
Offloaded Bytes Received | The total number of bytes received using hardware offload.
Note
Some of these statistics can be used to detect network attack attempts.
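One way to act on that note, as an added example that is not part of the original page or of the snap-in: compare consecutive snapshots of the Quick Mode Statistics view and judge the failure counters against SA turnover, since the table explains that Bad SPI, Not Decrypted and Not Authenticated packets rise benignly when SAs expire. The snapshots and the per-expiry budget are constructed assumptions; counter names follow the table above.

```python
"""Heuristic review of Quick Mode Statistics snapshots (cumulative counters).

Constructed sample data: three snapshots taken at successive intervals.
Counter names follow the Quick Mode Statistics view.
"""

SNAPSHOTS = [
    {"Active Security Associations": 40, "Rekeys": 100, "Key Deletions": 95,
     "Bad SPI Packets": 12, "Packets Not Decrypted": 3,
     "Packets Not Authenticated": 1, "Packets With Replay Detection": 0},
    {"Active Security Associations": 41, "Rekeys": 108, "Key Deletions": 103,
     "Bad SPI Packets": 15, "Packets Not Decrypted": 4,
     "Packets Not Authenticated": 1, "Packets With Replay Detection": 0},
    {"Active Security Associations": 41, "Rekeys": 110, "Key Deletions": 105,
     "Bad SPI Packets": 3200, "Packets Not Decrypted": 900,
     "Packets Not Authenticated": 850, "Packets With Replay Detection": 40},
]

# Counters the table ties to SA expiry: expected to track SA turnover.
EXPIRY_RELATED = ("Bad SPI Packets", "Packets Not Decrypted",
                  "Packets Not Authenticated")


def deltas(prev, curr):
    """Per-interval increase of each cumulative counter."""
    return {k: curr[k] - prev[k] for k in curr}


def assess_interval(prev, curr, per_expiry_budget=5):
    """Return (verdict, flagged) for one interval.

    The tolerated level of expiry-related failures scales with SA turnover
    (Rekeys + Key Deletions in the interval); per_expiry_budget is an
    assumed tuning value. Replay detections are not explained by expiry,
    so any increase is flagged (assumption: treat it as a replay event).
    """
    d = deltas(prev, curr)
    turnover = d["Rekeys"] + d["Key Deletions"]
    allowed = per_expiry_budget * max(turnover, 1)
    flagged = {k: d[k] for k in EXPIRY_RELATED if d[k] > allowed}
    if d["Packets With Replay Detection"] > 0:
        flagged["Packets With Replay Detection"] = d["Packets With Replay Detection"]
    return ("investigate" if flagged else "normal"), flagged


def assess_all(snapshots):
    """Verdict for every consecutive pair of snapshots."""
    return [assess_interval(a, b)[0] for a, b in zip(snapshots, snapshots[1:])]
```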
Security associations
This view displays the active SAs with this computer. An SA is the combination of a negotiated key, security protocol, and SPI, which together define the security used to protect the communication from sender to receiver. Therefore, by looking at the security associations for this computer, you can determine which computers have connections with this computer, which type of data integrity and encryption is being used for that connection, and other information.
This information can be helpful when you are testing IPsec policies and troubleshooting access issues.
Adding, removing, and sorting columns
You can add, remove, rearrange, and sort by these columns in the results pane:
Me (this is the local computer IP address)
Peer (the remote computer or peer IP address)
Protocol (the protocol specified in the filter)
My Port (the TCP or UDP port of the local computer used in the filter)
Peer Port (the TCP or UDP port of the remote computer used in the filter)
Negotiation Policy (the name of the Quick Mode negotiation policy, or cryptographic settings)
AH Integrity (the AH protocol-specific data integrity method used for peer communications)
ESP Confidentiality (the ESP protocol-specific encryption method used for peer communications)
ESP Integrity (the ESP protocol-specific data integrity method used for peer communications)
My Tunnel Endpoint (the tunnel endpoint nearest the local computer, if one was specified)
Peer Tunnel Endpoint (the tunnel endpoint nearest the peer computer, if one was specified)