Windows Server 2012 : Configuring IPsec (part 7) - Configuring connection security rules - Monitoring IPsec

After you create and configure connection security rules, you can use both the Windows Firewall with Advanced Security snap-in and Windows PowerShell to monitor IPsec communications between the local computer and other computers on the network.

As Figure 13 shows, you can select the Connection Security Rules node under the Monitoring node to view all active connection security rules configured on the computer. This includes rules created manually on the computer and rules configured by Group Policy targeting the computer. To view more information about any rule, right-click on the rule and select Properties.

Figure 13. Viewing active connection security rules on the computer.

As Figure 14 shows, you can select the Main Mode node under the Connection Security Rules node to view all active main mode SAs and their endpoints, authentication methods, and other properties.

Figure 14. Viewing active main mode SAs on the computer.

As Figure 15 shows, you can select the Quick Mode node under the Connection Security Rules node to view all active quick mode SAs and their endpoints, ports, protocols, and other properties.

Figure 15. Viewing active quick mode SAs on the computer.

You can also use Windows PowerShell to view active SAs on the local computer or a remote computer. For example, you can use the Get-NetIPsecMainModeSA to view a list of active main mode SAs for the local computer as follows:

PS C:\> Get-NetIPsecMainModeSA

Name                                : 246
LocalEndpoint                       : 172.16.11.230
RemoteEndpoint                      : 172.16.11.240
LocalFirstId.Identity               :
LocalFirstId.ImpersonationType      : None
LocalFirstId.AuthenticationMethod   : PresharedKey
LocalFirstId.Flags                  : None
RemoteFirstId.Identity              :
RemoteFirstId.ImpersonationType     : None
RemoteFirstId.AuthenticationMethod  : PresharedKey
RemoteFirstId.Flags                 : None
LocalSecondId.Identity              :
LocalSecondId.ImpersonationType     :
LocalSecondId.AuthenticationMethod  :
LocalSecondId.Flags                 :
RemoteSecondId.Identity             :
RemoteSecondId.ImpersonationType    :
RemoteSecondId.AuthenticationMethod :
RemoteSecondId.Flags                :
CipherAlgorithm                     : AES128
HashAlgorithm                       : SHA1
GroupId                             : DH2
KeyModule                           : IkeV1
MaxQMSAs                            : 0
LifetimeSeconds                     : 28800
LocalUdpEncapsulationPort           :
RemoteUdpEncapsulationPort          :
ExtendedFilterId                    : 0

As a second example, you can use the Get-NetIPsecQuickModeSA to view a list of active quick mode SAs for the local computer like this:

PS C:\> Get-NetIPsecQuickModeSA

Name                       : 1
LocalEndpoint              : 172.16.11.230
RemoteEndpoint             : 172.16.11.240
TransportLayerFilterName   : HOST4 to HOST7
EncapsulationMode          : Transport
Direction                  : Inbound
LocalPort                  : 0
RemotePort                 : 0
IpProtocol                 : 0
InterfaceAlias             : vEthernet (CONTOSO Virtual Switch)
RealIfProfileId            : 3
LocalUdpEncapsulationPort  :
RemoteUdpEncapsulationPort :
SPI                        : 1339644182
FirstTransformType         : EspAuth
FirstIntegrityAlgorithm    : SHA1
FirstCipherAlgorithm       : None
SecondSpi                  :
SecondTransformType        : None
SecondIntegrityAlgorithm   : None
SecondCipherAlgorithm      : None
Flags                      : NdBoundary, NoExplicitCredMatch, AllowNullTargetNameMatch,
                             NdPeerBoundary, PeerSupportsGuaranteeEncryption
MmSaId                     : 246
PfsGroupId                 : None
PeerV4PrivateAddress       : 0.0.0.0
QuickModeFilterid          : 76478
LifetimeSeconds            : 3600
LifetimeKilobytes          : 100000
LifetimePackets            : 2147483647
IdleDurationSeconds        : 300
NdAllowClearTimeoutSeconds : 10
NapContext                 : 0
QmSaId                     : 2592036190
VirtualIfTunnelId          : 0
TrafficSelectorId          : 0
MmTargetName               :
EmTargetName               :
ExplicitCredentials        :

Name                       : 1
LocalEndpoint              : 172.16.11.230
RemoteEndpoint             : 172.16.11.240
TransportLayerFilterName   : HOST4 to HOST7
EncapsulationMode          : Transport
Direction                  : Outbound
LocalPort                  : 0
RemotePort                 : 0
IpProtocol                 : 0
InterfaceAlias             : vEthernet (CONTOSO Virtual Switch)
RealIfProfileId            : 3
LocalUdpEncapsulationPort  :
RemoteUdpEncapsulationPort :
SPI                        : 928181826
FirstTransformType         : EspAuth
FirstIntegrityAlgorithm    : SHA1
FirstCipherAlgorithm       : None
SecondSpi                  :
SecondTransformType        : None
SecondIntegrityAlgorithm   : None
SecondCipherAlgorithm      : None
Flags                      : NdBoundary, NoExplicitCredMatch, AllowNullTargetNameMatch,
                             NdPeerBoundary, PeerSupportsGuaranteeEncryption
MmSaId                     : 246
PfsGroupId                 : None
PeerV4PrivateAddress       : 0.0.0.0
QuickModeFilterid          : 76478
LifetimeSeconds            : 3600
LifetimeKilobytes          : 100000
LifetimePackets            : 2147483647
IdleDurationSeconds        : 300
NdAllowClearTimeoutSeconds : 10
NapContext                 : 0
QmSaId                     : 2592036190
VirtualIfTunnelId          : 0
TrafficSelectorId          : 0
MmTargetName               :
EmTargetName               :
ExplicitCredentials        :

Applications and Services Logs/Microsoft/Windows/Windows Firewall with
Advanced Security/ConnectionSecurity