ipsec

Troubleshoot IPSec with these tips

By Mike Mullins
August 16, 2007, 12:04 PM PDT

Running IPSec to secure your network’s communication traffic provides a very strong layer of defense. However, it’s important that you test these policies before deploying them and verify that they’re running properly. Here are some troubleshooting tips for when you run into trouble.

Securing your organization’s LAN and WAN traffic from prying eyes is an ongoing struggle. In the past, I’ve written about securing that traffic using IPSec policies. If you followed my recommendations, then good for you! But what if you’ve been experiencing problems with your IPSec implementation?

We can usually trace most IPSec problems to difficulties during the Internet Key Exchange (IKE) phase of authentication. Computers go through a process in which they authenticate each other’s identity and form a security association.
This identity authentication occurs via a preshared key, a digital certificate, or Kerberos (the default for Windows Server 2003). However, before you begin troubleshooting the authentication process, let’s start at the beginning.

First, make sure IPSec is running. The easiest way to determine whether IPSec is running on a computer is to fire up Network Monitor, capture a few packets, and see which protocols are running across your Ethernet interface. If the machine has IPSec configured, you should see only Encapsulating Security Payload (ESP) and Internet Control Message Protocol (ICMP) protocols in your capture. Remember that Windows tends to be very chatty, with a lot of Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) traffic. If you see these two protocols listed in the capture, IPSec probably isn’t running.

To restart IPSec, you could reboot the computer. But if you’ve recently made some significant policy changes and can’t afford to reboot the machine, you can stop and restart IPSec via the command line. Simply issue the following commands at the command prompt:

    net stop policyagent
    net start policyagent

Your IPSec policy should be working, but if you continue to experience problems, you need to keep troubleshooting. Your next step is to look at the authentication method and the policies themselves.

Begin by verifying which policy is operating on the machine, and determine whether it has a compatible method for authentication: one policy can’t use Kerberos if the other uses a preshared key. You need to check which policy is active and find out which authentication method the policy is using. To do so, run the Microsoft Management Console (MMC) by going to Start | Run, entering mmc, and clicking OK. Add the IP Security Monitor snap-in by going to File | Add/Remove Snap-in, clicking Add, and selecting its name. This will show you which policy is active as well as the authentication method.
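The capture check described above (only ESP and ICMP on a protected host, cleartext LDAP and SMB on an unprotected one), as an added example that is not part of the original article. The CSV rows are constructed sample data rather than Network Monitor's export format, the function names are assumptions, and IKE on UDP port 500 is labelled separately because key negotiation shows up in a capture next to ESP.

```python
import csv
import io
from collections import Counter

# Constructed sample rows (not Network Monitor's export format).
# Columns: src, dst, IP protocol number, source port, destination port.
CAPTURE_PROTECTED = """\
10.0.0.5,10.0.0.10,17,500,500
10.0.0.5,10.0.0.10,50,0,0
10.0.0.10,10.0.0.5,50,0,0
10.0.0.5,10.0.0.1,1,0,0
"""
CAPTURE_CLEARTEXT = """\
10.0.0.5,10.0.0.10,6,49152,389
10.0.0.10,10.0.0.5,6,389,49152
10.0.0.5,10.0.0.20,6,49153,445
10.0.0.5,10.0.0.1,1,0,0
"""
IP_PROTOCOLS = {50: "ESP", 1: "ICMP"}
CLEARTEXT_PORTS = {389: "LDAP", 139: "SMB", 445: "SMB"}
# Key: (ESP seen, cleartext LDAP/SMB seen). "partial" = only some peers protected.
VERDICTS = {(True, False): "ipsec-active", (False, True): "ipsec-not-applied",
            (True, True): "partial", (False, False): "inconclusive"}

def classify(proto, sport, dport):
    """Return (protocol name, index of the server column or None)."""
    if proto in IP_PROTOCOLS:
        return IP_PROTOCOLS[proto], None
    if proto == 17 and 500 in (sport, dport):
        return "IKE", None                 # key negotiation, expected with ESP
    if proto in (6, 17) and dport in CLEARTEXT_PORTS:
        return CLEARTEXT_PORTS[dport], 1   # request: server is the destination
    if proto in (6, 17) and sport in CLEARTEXT_PORTS:
        return CLEARTEXT_PORTS[sport], 0   # reply: server is the source
    return "OTHER", None

def assess(capture_text):
    """Return (verdict, packet count per protocol, servers reached in clear)."""
    counts, clear_servers = Counter(), set()
    for row in csv.reader(io.StringIO(capture_text)):
        name, server_col = classify(*map(int, row[2:]))
        counts[name] += 1
        if server_col is not None:
            clear_servers.add(row[server_col])
    verdict = VERDICTS[(counts["ESP"] > 0, bool(clear_servers))]
    return verdict, dict(counts), sorted(clear_servers)

if __name__ == "__main__":
    print(assess(CAPTURE_PROTECTED), assess(CAPTURE_CLEARTEXT))
```

The list of servers reached in the clear tells you which peers to look at first when the verdict is "partial".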
Depending on what you find, you might need to just apply the policy or modify the authentication method. Let’s look at some of the possibilities:

- If your policies use a preshared key, make sure the keys are the same. Type the key in Notepad, and cut and paste it into the policy.
- If your policies use digital certificates, verify that you’ve installed the certificate and it’s still valid. IPSec policies expire every two years, and they do not automatically renew.
- If your policies use Kerberos, chances are good that you’re actually having problems with Active Directory (AD), which you need to troubleshoot first. Head on over to the Windows Server 2003 Active Directory Technology Center, and fix your AD problems.

At this point, IPSec should be working. If it isn’t, you need to disable IPSec, take your implementation back to the lab, and start from scratch.

One of the most common mistakes people make during IPSec policy implementation is setting all of the policies to Client (Respond Only), the default setting on the IPSec policy template. If you’ve set all of your machines to Client (Respond Only), no machine will ever request or require IPSec, and all of your network traffic will remain unencrypted. Change one of the policies to Request or Require, and run Group Policy Update to activate the policy change.

Final thoughts

Running IPSec to secure your network’s communication traffic provides a very strong layer of defense to your network. Test your policies before you deploy them to the production servers, and verify that they’re running properly.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
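The two policy checks from the article (peers need a compatible authentication method, and a fleet where every machine is Client (Respond Only) never negotiates IPSec), as an added example rather than code from the original article. The host inventories, the "psk:<label>" notation and the function names are constructed for illustration, and the pair model is deliberately simplified.

```python
from itertools import combinations

# The three default Windows IPSec policies.
RESPOND = "Client (Respond Only)"
REQUEST = "Server (Request Security)"
REQUIRE = "Secure Server (Require Security)"

# Constructed inventory: host -> (assigned policy, authentication methods).
# "psk:<label>" records which preshared key is configured, never the key itself.
FLEET = {
    "dc01": (REQUEST, {"kerberos"}),
    "file01": (REQUIRE, {"kerberos"}),
    "web01": (RESPOND, {"psk:dmz"}),
    "ws17": (RESPOND, {"kerberos"}),
}
LAB = {"lab1": (RESPOND, {"kerberos"}), "lab2": (RESPOND, {"kerberos"})}


def pair_outcome(policy_a, policy_b):
    """Simplified model of what two peers end up doing with each other."""
    (role_a, auth_a), (role_b, auth_b) = policy_a, policy_b
    if role_a == RESPOND and role_b == RESPOND:
        return "cleartext"        # neither side ever asks for IPSec
    if auth_a & auth_b:
        return "protected"        # one side asks, both can authenticate
    return "auth-mismatch"        # no shared method, IKE authentication fails


def audit(fleet):
    """Group every host pair by outcome and flag the all-respond-only fleet."""
    report = {"cleartext": [], "protected": [], "auth-mismatch": []}
    for a, b in combinations(sorted(fleet), 2):
        report[pair_outcome(fleet[a], fleet[b])].append((a, b))
    report["all_respond_only"] = all(r == RESPOND for r, _ in fleet.values())
    return report


if __name__ == "__main__":
    for name, fleet in (("FLEET", FLEET), ("LAB", LAB)):
        print(name, audit(fleet))
```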