5. Determining Which IPsec Policy Is Active
It's possible that IPsec isn't working because incompatible policies have been
assigned to computers on the network. For example, one policy might be trying
to use certificates to authenticate whereas others will accept only preshared-key
authentication, so main-mode negotiation fails before any traffic is protected.
There are two ways to determine which IPsec policy is currently in effect.
The first is the IP Security Monitor. The Microsoft Management Console (MMC)
IP Security Monitor snap-in, which Figure 3 shows, replaces the Windows 2000
Ipsecmon.exe utility and shows which IPsec policy is active on the current computer.
You can get the same information from the command line by issuing the Netsh command
netsh ipsec dynamic show all | more
Piping to more pages the output on the console; it does not place it on the clipboard.
To get the text into Notepad, as you see in Figure 4, redirect the output to a text
file instead of paging it, then open the file. In the text output, you can see that a
policy is applied at the local level (i.e., Client (Respond Only)) and through AD
(i.e., Server (Request Security)). Only one policy is in force at a time: a policy
assigned through Active Directory overrides a locally assigned one, so when both
appear, the AD-assigned policy is the one the computer is actually using.
Once you have this information, you might quickly discover that the reason IPsec
isn't working is that the computer either doesn't have a policy assigned or
has an incompatible policy assigned. After you resolve the policy incompatibilities,
IPsec will probably function correctly. . . .
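The following PowerShell script is an added example and is not code from the original article. It scripts the command-line check described above (netsh ipsec dynamic show all) so that the output lands in a text file rather than being paged to the console, adds the static-store and Group Policy views of the assignment, and compares two such captures, which is what you need when two computers have been given incompatible policies. It assumes the netsh ipsec context of Windows XP/Windows Server 2003 and later, and it searches the captured text for the names of the three default policies instead of parsing netsh's fields, because the field layout differs between Windows releases. The function names and the file naming scheme are the example's own.

```powershell
# Added example (not from the original article). Assumes the netsh ipsec
# context of Windows XP / Windows Server 2003 and later. Output is searched
# for default policy names rather than parsed field by field, because the
# layout of netsh's text differs between Windows releases.

# Names of the policies Windows creates by default. A computer assigned the
# first only responds to IPsec requests; the other two initiate negotiation.
$DefaultPolicyNames = @(
    'Client (Respond Only)',
    'Server (Request Security)',
    'Secure Server (Require Security)'
)

function Get-IPsecPolicyReport {
    param(
        # Output file; defaults to %TEMP%\ipsec-<COMPUTERNAME>.txt (example's own convention).
        [string]$Path = (Join-Path $env:TEMP ("ipsec-{0}.txt" -f $env:COMPUTERNAME))
    )

    # Each entry is the argument list for one netsh invocation.
    $commands = @(
        @('ipsec', 'dynamic', 'show', 'all'),              # what the IPsec driver is enforcing now
        @('ipsec', 'static', 'show', 'gpoassignedpolicy'), # policy assigned through Group Policy (AD)
        @('ipsec', 'static', 'show', 'all')                # local policy store: policies, rules, filters
    )

    $lines = foreach ($argv in $commands) {
        "===== netsh $($argv -join ' ') ====="
        # Capture stdout and stderr instead of paging them with "| more".
        & netsh @argv 2>&1 | ForEach-Object { [string]$_ }
        ''
    }

    $lines | Out-File -FilePath $Path -Encoding ASCII
    return $Path
}

function Get-IPsecPolicyNamesInReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Return the default policy names that appear anywhere in the capture.
    # A renamed or custom policy will not match; read the file by hand then.
    $text = (Get-Content -Path $Path) -join "`n"
    $DefaultPolicyNames | Where-Object { $text.Contains($_) }
}

function Compare-IPsecPolicyReport {
    param(
        [Parameter(Mandatory = $true)][string]$ReferencePath,
        [Parameter(Mandatory = $true)][string]$DifferencePath
    )

    $ref = @(Get-IPsecPolicyNamesInReport -Path $ReferencePath)
    $dif = @(Get-IPsecPolicyNamesInReport -Path $DifferencePath)

    [pscustomobject]@{
        ReferencePolicies  = $ref
        DifferencePolicies = $dif
        # Names present on one side only. Empty lists mean both captures name
        # the same policies; they do not prove the rules or authentication
        # methods inside those policies agree, so read the captures when in doubt.
        OnlyInReference    = @($ref | Where-Object { $dif -notcontains $_ })
        OnlyInDifference   = @($dif | Where-Object { $ref -notcontains $_ })
    }
}

# Usage: run Get-IPsecPolicyReport on each computer, bring the files together,
# then compare them.
#   $here = Get-IPsecPolicyReport
#   Compare-IPsecPolicyReport -ReferencePath $here -DifferencePath C:\temp\ipsec-OTHERBOX.txt
```

Run the capture on both ends of the failing connection and compare; a computer whose capture names no default policy at all is the "no policy assigned" case the article mentions, and a name that shows up in the static store but not in the dynamic section is a policy that exists but is not assigned. Because the dynamic section reflects whatever the Group Policy assignment resolved to, it is the section to trust when local and AD assignments disagree.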
To restore default IPSec policies
1. Create a console containing IP Security Policies. Or, open a saved console file containing IP Security Policies.
2. In the console tree, click the IP Security Policies node (it is labeled IP Security Policies on Local Computer, or on the domain, depending on the store the console was opened for).
3. Click Action, point to All Tasks, and then click Restore Default Policies.
4. When prompted, click Yes.
elesus@mailinator.com, August 30, 2006