Monitoring Main Mode
Main Mode Internet Key Exchange (IKE) negotiation establishes a secure channel, known as the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), between two computers. The ISAKMP SA is used to protect subsequent key exchanges between peer computers, known as Quick Mode negotiation. To establish the secure channel, Main Mode negotiation determines a set of cryptographic protection suites, exchanges keying material to establish the shared secret key, and authenticates computer identities.
Monitoring Main Mode SAs can provide information about which peers are currently connected to this computer, when the SA was formed, which protection suite was used to form the SA, and other information.
Generic filters
Generic filters are IP filters that are configured to use any of the IP address options as either a source or destination address. IPsec allows you to use keywords, such as My IP Address, DNS Server, DHCP Server, WINS Servers, and Default Gateway, in the configuration of filters. When keywords are used, generic filters show the keywords in the IP Security Monitoring snap-in. Specific filters are derived by expanding keywords into specific IP addresses.
Adding, removing, and sorting columns
You can add, remove, rearrange, and sort by these columns in the results pane:
Name
Source (the IP address of the packet source)
Destination (the IP address of the packet destination)
IKE Policy (the name of the IKE policy associated with this generic filter, not the name of the IPsec policy that you created using the IPsec Policy snap-in). The policy details, such as which set of cryptographic algorithms was used, can be viewed in the IKE Policy node.
Authentication Methods (a list of all the authentication methods available to the filter, in order of preference)
Connection Type (the type of connection that this filter is applied to, either local network (LAN), remote access, or all network connection types)
Specific filters
Specific filters are expanded from generic filters by using the IP addresses of the source or destination computer for the actual connection. For example, if you have a filter that uses the My IP Address option as the source address and the DHCP Server option as the destination address, then when a connection is formed using this filter, a specific filter is created that contains your computer's IP address and the IP address of the DHCP server that this computer uses.
Note
The IP Security Monitor snap-in can also resolve IP addresses to DNS names for the Specific Filters folder in the Quick Mode folder, but not in the Main Mode folder.
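The expansion described above, as an added example rather than code from the IP Security Monitor documentation: a small model of how generic filter keywords become specific filters. The host configuration and the generic filter are constructed, and the expansion rules (one specific filter per concrete source/destination pair, plus a swapped inbound copy when the filter is mirrored) are this example's own assumption about the snap-in's behaviour, not a statement from the documentation.

```python
# Added example (not from the IP Security Monitor documentation): a model of how
# generic filter keywords expand into specific filters. HOST_CONFIG and the
# generic filter below are constructed values; the expansion rules are assumed.
from itertools import product

# Constructed host network configuration. Multi-valued keywords (DNS Server,
# WINS Servers) expand to one specific filter per address.
HOST_CONFIG = {
    "My IP Address": ["192.0.2.10"],
    "DNS Server": ["192.0.2.53", "192.0.2.54"],
    "DHCP Server": ["192.0.2.67"],
    "WINS Servers": ["192.0.2.42"],
    "Default Gateway": ["192.0.2.1"],
}


def expand_keyword(value, config):
    """Return the concrete addresses a filter address field stands for.

    A keyword resolves through the host configuration; anything else is
    treated as an already-specific address and passed through unchanged.
    """
    if value in config:
        return list(config[value])
    return [value]


def expand_generic_filter(generic, config=HOST_CONFIG):
    """Expand one generic filter into the specific filters it covers.

    `generic` is a dict with the keys name, source, destination and mirrored.
    """
    sources = expand_keyword(generic["source"], config)
    destinations = expand_keyword(generic["destination"], config)
    specific = []
    for src, dst in product(sources, destinations):
        specific.append({"name": generic["name"], "source": src,
                         "destination": dst, "direction": "outbound"})
        if generic.get("mirrored", True):
            # Assumed: a mirrored filter also yields the reverse inbound filter.
            specific.append({"name": generic["name"], "source": dst,
                             "destination": src, "direction": "inbound"})
    return specific


# Constructed generic filter: this computer to its DHCP server, mirrored.
EXAMPLE_FILTER = {"name": "Host to DHCP", "source": "My IP Address",
                  "destination": "DHCP Server", "mirrored": True}

if __name__ == "__main__":
    for f in expand_generic_filter(EXAMPLE_FILTER):
        print(f"{f['name']}: {f['source']} -> {f['destination']} ({f['direction']})")
```

Running the block prints the two specific filters (outbound and inbound) that the mirrored generic filter stands for on this constructed host; a filter that names DNS Server on a host with two DNS servers expands to one specific filter per server.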
Adding, removing, and sorting columns
You can add, remove, rearrange, and sort by these columns in the results pane:
Name
Source (the IP address of the packet source)
Destination (the IP address of the packet destination)
Direction (inbound or outbound)
IKE Policy (the name of the IKE policy, not the name of the IPsec policy that you created using the IPsec Policy snap-in). The policy details, such as which set of cryptographic algorithms was used, can be viewed in the IKE Policy node.
Authentication Methods (a list of all the authentication methods available to the filter, in order of preference)
Weight (the priority the IPsec service gives to the filter)
Weight is derived from a number of factors. For more information about filter weights, see the February 2005 Cable Guy article, IPsec Filter Ordering, on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=62212).
Note
The weight property is no longer relevant on computers running Windows Vista® or Windows Server® 2008; the property is always set to 0 on these computers.
IKE policies
The IKE policy refers to the integrity and encryption methods that the two peer computers can negotiate in the Main Mode key exchange.
Statistics
This table displays the statistics available from the Main Mode Statistics view:
Note
Some of these statistics are not relevant on computers running Windows Vista or Windows Server 2008.
IKE Statistic | Description
---|---
Active Acquire | An acquire is a request by the IPsec driver to have IKE perform a task. The Active Acquire statistic includes the outstanding request and the number of queued requests, if any. Typically, the number of active acquires is 1. Under a heavy load, the number of active acquires is 1 and the number of requests that are queued by IKE for processing increases.
Active Receive | The number of IKE messages received that are queued for processing.
Acquire Failures | The number of times that an acquire has failed.
Receive Failures | The number of times that the Windows Sockets WSARecvFrom() function has failed while receiving IKE messages.
Send Failures | The number of times that the Windows Sockets WSASendTo() function has failed while sending IKE messages.
Acquire Heap Size | The number of entries in the acquire heap, which stores active acquires. This number increases under a heavy load and then gradually decreases over time, as the acquire heap is cleared.
Receive Heap Size | The number of entries in the IKE receive buffers for incoming IKE messages.
Authentication Failures | The total number of identity authentication failures (Kerberos, certificate, and preshared key) that occurred during Main Mode negotiation. If you are having difficulty communicating securely, attempt the communication and refer to this statistic to see if this number increases. If it does, check your authentication settings for either an unmatched authentication method or an incorrect authentication method configuration (for example, the use of preshared keys that do not match).
Negotiation Failures | The total number of negotiation failures that occurred during Main Mode (also known as Phase I) or Quick Mode (also known as Phase II) negotiation. If you are having difficulty communicating securely, attempt the communication and refer to this statistic to see if this number increases. If it does, check your authentication and security method settings for an unmatched authentication method, an incorrect authentication method configuration (for example, the use of preshared keys that do not match), or unmatched security methods or settings.
Invalid Cookies Received | A cookie is a value contained in a received IKE message that is used by IKE to find the state of an active Main Mode. A cookie in a received IKE message that cannot be matched with an active Main Mode is invalid.
Total Acquire | The total number of work requests submitted by IKE to the IPsec driver.
Total Get SPI | The total number of requests submitted by IKE to the IPsec driver to obtain a unique Security Parameters Index (SPI).
Key Additions | The number of outbound Quick Mode SAs added by IKE to the IPsec driver.
Key Updates | The number of inbound Quick Mode SAs added by IKE to the IPsec driver.
Get SPI Failures | The number of failed requests submitted by IKE to the IPsec driver to obtain a unique SPI.
Key Addition Failures | The number of failed outbound Quick Mode SA addition requests submitted by IKE to the IPsec driver.
Key Update Failures | The number of failed inbound Quick Mode SA addition requests submitted by IKE to the IPsec driver.
ISADB List Size | The number of Main Mode state entries, including negotiated Main Modes, Main Modes in progress, and Main Modes that failed and have not been deleted.
Connection List Size | The number of Quick Mode state entries.
IKE Main Mode | The total number of successful SAs created during Main Mode negotiations.
IKE Quick Mode | The total number of successful SAs created during Quick Mode negotiations. Because there are typically multiple Quick Mode SAs created for each Main Mode SA, this number does not necessarily match the Main Mode number.
Soft Associations | The total number of negotiations that resulted in the use of plaintext (also known as soft SAs). This typically reflects the number of associations formed with computers that did not respond to Main Mode negotiation attempts. This can include both computers that are not IPsec-aware and computers that are IPsec-aware but do not have IPsec policy to negotiate security with this IPsec peer. Although soft SAs are not the result of Main Mode and Quick Mode negotiations, they are still treated as Quick Mode SAs.
Invalid Packets Received | The number of received IKE messages that are invalid, including IKE messages with invalid header fields, incorrect payload lengths, and incorrect values for the responder cookie (when it should be set to 0). Invalid IKE messages are commonly caused by stale retransmitted IKE messages or an unmatched preshared key between the IPsec peers.
Note
Some of these statistics can be used to detect network attack attempts.
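The troubleshooting procedure the table describes (take the statistics, attempt the communication, see which counters rise) lends itself to a small comparison script. The following is an added example, not code from the documentation or from the snap-in: it compares two constructed snapshots of the Main Mode statistics and maps each counter that rose to the check the table suggests for it. The snapshot values, the set of counters watched and the wording of the guidance are this example's own choices, and the handling of a counter that goes backwards (treated as an IKE service restart) is an assumption.

```python
# Added example (not from the IP Security Monitor documentation): compare two
# snapshots of Main Mode statistics and report the checks suggested for the
# counters that rose. BEFORE/AFTER are constructed values.

# Counters whose growth between snapshots points at a specific cause.
GUIDANCE = {
    "Authentication Failures":
        "check for an unmatched authentication method or a misconfigured one "
        "(for example, preshared keys that do not match)",
    "Negotiation Failures":
        "check authentication settings and security methods for a mismatch",
    "Invalid Cookies Received":
        "IKE messages matching no active Main Mode: stale retransmissions, "
        "or traffic worth reviewing for attack attempts",
    "Invalid Packets Received":
        "malformed IKE messages: stale retransmissions, an unmatched preshared "
        "key, or traffic worth reviewing for attack attempts",
    "Soft Associations":
        "peers falling back to plaintext (soft SAs): confirm they are expected "
        "to be non-IPsec-aware rather than missing IPsec policy",
    "Receive Failures": "WSARecvFrom() failures while receiving IKE messages",
    "Send Failures": "WSASendTo() failures while sending IKE messages",
}


def counter_deltas(before, after):
    """Return {name: after - before} for every counter present in both snapshots.

    A negative delta means a cumulative counter went backwards, which this
    example assumes indicates the IKE service restarted between snapshots.
    """
    return {name: after[name] - before[name] for name in before if name in after}


def assess(before, after):
    """Return (counter, delta, guidance) findings for counters that rose,
    preceded by a single reset finding if any counter fell."""
    findings = []
    deltas = counter_deltas(before, after)
    if any(d < 0 for d in deltas.values()):
        findings.append(("counter reset", min(deltas.values()),
                         "cumulative counters decreased; the IKE service probably "
                         "restarted, so compare against a fresh baseline"))
    for name, advice in GUIDANCE.items():
        delta = deltas.get(name, 0)
        if delta > 0:
            findings.append((name, delta, advice))
    return findings


# Constructed snapshots taken before and after a failing connection attempt.
BEFORE = {"Authentication Failures": 3, "Negotiation Failures": 3,
          "Invalid Cookies Received": 0, "Invalid Packets Received": 1,
          "Soft Associations": 0, "Receive Failures": 0, "Send Failures": 0,
          "IKE Main Mode": 12}
AFTER = {"Authentication Failures": 7, "Negotiation Failures": 7,
         "Invalid Cookies Received": 0, "Invalid Packets Received": 1,
         "Soft Associations": 0, "Receive Failures": 0, "Send Failures": 0,
         "IKE Main Mode": 12}

if __name__ == "__main__":
    for counter, delta, advice in assess(BEFORE, AFTER):
        print(f"{counter} +{delta}: {advice}")
```

With the constructed snapshots, only Authentication Failures and Negotiation Failures rise (by 4 each), which points at an authentication mismatch rather than at unmatched security methods; a rise in Negotiation Failures without a rise in Authentication Failures would instead point at the security method settings.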
Security associations
This view displays the active SAs with this computer. An SA is the combination of a negotiated key, security protocol, and SPI, which together define the security used to protect the communication from sender to receiver. Therefore, by looking at the security associations for this computer, you can determine which computers have connections with this computer, which type of data integrity and encryption is being used for that connection, and other information.
This information can be helpful when you are testing IPsec policies and troubleshooting access issues.
Adding, removing, and sorting columns
You can add, remove, rearrange, and sort by these columns in the results pane:
Me (the local computer IP address)
My ID (the local computer DNS name)
Peer (the remote computer or peer IP address)
Peer ID (the remote computer or peer DNS name)
Authentication (the authentication method used in creating the SA)
Encryption (the encryption method used by the SA for Quick Mode key exchanges)
Integrity (the data integrity method used by the SA for Quick Mode key exchanges)
Diffie-Hellman (the Diffie-Hellman group used to create the Main Mode SA)
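Because the Security Associations view shows the authentication, encryption, integrity and Diffie-Hellman columns per peer, it can be checked against a baseline of acceptable methods. The following is an added example, not code from the documentation: it reviews constructed SA rows shaped like the columns above and flags peers whose Main Mode SA uses methods this example's baseline treats as weak (DES, MD5 and 768-bit Diffie-Hellman group 1) or that authenticated with a preshared key. The rows, the baseline and the representation of the Diffie-Hellman group as a group number are this example's own choices.

```python
# Added example (not from the IP Security Monitor documentation): review rows
# from the Security Associations view against a constructed baseline of
# acceptable Main Mode methods. SA_ROWS and the baseline sets are constructed.

# This example's own baseline: DES and MD5 are deprecated, and Diffie-Hellman
# group 1 is only 768-bit. The group is represented by its number here.
WEAK_ENCRYPTION = {"DES"}
WEAK_INTEGRITY = {"MD5"}
WEAK_DH_GROUPS = {1}


def review_sa(sa):
    """Return the list of reasons one SA row is flagged (empty if it passes)."""
    reasons = []
    if sa["encryption"] in WEAK_ENCRYPTION:
        reasons.append(f"weak encryption method {sa['encryption']}")
    if sa["integrity"] in WEAK_INTEGRITY:
        reasons.append(f"weak integrity method {sa['integrity']}")
    if sa["dh_group"] in WEAK_DH_GROUPS:
        reasons.append(f"weak Diffie-Hellman group {sa['dh_group']}")
    if sa["authentication"] == "Preshared Key":
        reasons.append("preshared key authentication in use")
    return reasons


def review_all(sa_rows):
    """Map each flagged peer (by Peer ID, falling back to Peer address) to
    its reasons; peers that pass the baseline are omitted."""
    report = {}
    for sa in sa_rows:
        reasons = review_sa(sa)
        if reasons:
            report[sa["peer_id"] or sa["peer"]] = reasons
    return report


# Constructed SA rows mirroring the view's columns (Me, My ID, Peer, Peer ID,
# Authentication, Encryption, Integrity, Diffie-Hellman).
SA_ROWS = [
    {"me": "192.0.2.10", "my_id": "host1.example.test",
     "peer": "192.0.2.20", "peer_id": "host2.example.test",
     "authentication": "Kerberos", "encryption": "3DES",
     "integrity": "SHA1", "dh_group": 2},
    {"me": "192.0.2.10", "my_id": "host1.example.test",
     "peer": "198.51.100.7", "peer_id": "",
     "authentication": "Preshared Key", "encryption": "DES",
     "integrity": "MD5", "dh_group": 1},
]

if __name__ == "__main__":
    for peer, reasons in review_all(SA_ROWS).items():
        print(f"{peer}: " + "; ".join(reasons))
```

On the constructed rows, only the second peer is reported, with all four reasons; the first peer's Kerberos, 3DES, SHA1 and group 2 suite passes this baseline. Adjust the three sets to match the cryptographic protection suites your IKE policy is meant to allow.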