Monitoring Secured Communications Through IPSECMON
By: Brien M. Posey, MCSE
If you’ve done much with Windows 2000 security, you’re
no doubt aware that the IPSec protocol is used to secure and encrypt IP packets
as they flow across your network. Just open any book on Windows 2000, and
you’ll find pages and pages discussing the importance of using the IPSec
protocol. However, in the dozens of books that I’ve read on Windows 2000,
I’ve yet to find one that discusses the importance of checking IPSec’s
operational status.
Checking the operational status of IPSec is important.
After all, if your data is important enough to warrant enabling IPSec in the
first place, wouldn’t you at least like to know if IPSec is doing its job?
Fortunately, checking up on IPSec is easier than you might imagine. You can
easily check IPSec’s operational status through a Windows 2000 utility called
IPSECMON.
To access IPSECMON, simply enter the IPSECMON command at
the Run prompt. When you do, Windows 2000 will load the IPSECMON utility,
otherwise known as the IP Security Monitor. As you can see in Figure 1, the IP
Security Monitor is very simple to use. This utility only has two buttons. One
button is used to minimize the utility, while the other button is called
Options. The Options button merely controls the refresh rate, which is set to 15
seconds by default.
Figure 1: The IP Security Monitor can tell you whether or not the IPSec protocol is doing its job.
As you can see in the figure, the IP Security Monitor keeps
tabs on a number of different factors. Unfortunately space limitations prevent
me from discussing all of these measurements in detail. Therefore, I’ll simply
touch on some of the more important ones.
If you use the ESP protocol on your network, be sure to
check out the Confidential Bytes Sent and Confidential Bytes Received fields.
These fields measure the number of packets sent or received with
confidentiality. If a packet used confidentiality, it means that ESP was
working.
You should also look at the Authenticated Bytes Sent and
Authenticated Bytes Received fields. Any bytes that appear in these columns were
successfully sent or received using the IPSec protocol.
Finally, you should check the Bad SPI Packets, Packets Not
Decrypted, and Packets Not Authenticated fields for nonzero values. Nonzero
values in these fields indicate a problem with IPSec. For example, the Packets
Not Authenticated field counts packets that were supposed to be sent with
IPSec, but weren’t for one reason or another. You can gain insight into these
reasons by looking at the other two columns that I mentioned. For example, a
nonzero value in the Bad SPI Packets column may indicate that a security
association has expired and is no longer valid. A nonzero number in the Packets
Not Decrypted field means that the sender was able to encrypt and send the IPSec
packets, but that the receiver was unable to decrypt them. This may also be due
to an expired security association.
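The checks described above (confidential and authenticated byte counts confirming that ESP and IPSec are carrying traffic, and the three error counters that should stay at zero) can be applied mechanically to a saved copy of the counters. The following Python script is an added example, not part of the original article and not a Windows component: it parses "Name : value" statistics lines, applies the article's rules to one snapshot, and, because the counters are cumulative, compares two snapshots so that only errors since the last refresh are reported. The two snapshots are constructed sample data using the counter names the article lists; the exact labels and layout of a real statistics export are an assumption.

```python
import re

# Constructed sample snapshots of IPsec statistics in "Name : value" form, modelled on
# the counter names the article lists (assumption: a real export's labels may differ).
SNAPSHOT_T0 = """\
Active Assoc                 : 2
Confidential Bytes Sent      : 48213
Confidential Bytes Received  : 51077
Authenticated Bytes Sent     : 49120
Authenticated Bytes Received : 51984
Bad SPI Packets              : 0
Packets Not Decrypted        : 3
Packets Not Authenticated    : 3
"""

SNAPSHOT_T1 = """\
Active Assoc                 : 2
Confidential Bytes Sent      : 60001
Confidential Bytes Received  : 63340
Authenticated Bytes Sent     : 60900
Authenticated Bytes Received : 64250
Bad SPI Packets              : 4
Packets Not Decrypted        : 7
Packets Not Authenticated    : 7
"""

# Error counters the article says must stay at zero, with the diagnosis it gives for each.
ERROR_COUNTERS = {
    "Bad SPI Packets": "peer used an SPI this host no longer recognises; a security association may have expired",
    "Packets Not Decrypted": "ESP packets arrived but could not be decrypted; possibly an expired security association",
    "Packets Not Authenticated": "packets that should have been protected by IPsec were not",
}

LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(\d+)\s*$")


def parse_stats(text):
    """Parse 'Name : integer' lines into a dict; lines that do not match are ignored."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def assess(stats):
    """Apply the article's rules to a single snapshot of the counters."""
    confidential = stats.get("Confidential Bytes Sent", 0) + stats.get("Confidential Bytes Received", 0)
    authenticated = stats.get("Authenticated Bytes Sent", 0) + stats.get("Authenticated Bytes Received", 0)
    problems = []
    if confidential == 0:
        problems.append("no confidential bytes: ESP encryption is not being used")
    if authenticated == 0:
        problems.append("no authenticated bytes: no traffic is passing under IPsec")
    for name, meaning in ERROR_COUNTERS.items():
        value = stats.get(name, 0)
        if value != 0:
            problems.append(f"{name}={value}: {meaning}")
    return {"esp_in_use": confidential > 0, "ipsec_in_use": authenticated > 0, "problems": problems}


def new_errors(previous, current):
    """Counters are cumulative, so report only the error counts that grew between
    two snapshots (e.g. two consecutive 15-second refreshes) rather than old totals."""
    deltas = {}
    for name in ERROR_COUNTERS:
        delta = current.get(name, 0) - previous.get(name, 0)
        if delta > 0:
            deltas[name] = delta
    return deltas


if __name__ == "__main__":
    t0, t1 = parse_stats(SNAPSHOT_T0), parse_stats(SNAPSHOT_T1)
    for problem in assess(t1)["problems"]:
        print("WARNING:", problem)
    print("errors since last refresh:", new_errors(t0, t1))
```

Because IPSECMON only shows running totals, a historical error count that never increases is far less interesting than one that climbs between refreshes; the snapshot comparison is what separates an old incident from an association that is failing right now.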