You can use the following tools to troubleshoot IPSec in Windows XP:
IP Security Policy snap-in
You can use the IP Security Policy snap-in to create, modify, and activate IPSec policies. You can create a console by adding either the IP Security Policies on Local Machine snap-in or the IP Security Policies on Active Directory snap-in. You can also access the IP Security Policies snap-in through Group Policy. For more information, see To start the IP Security Policies snap-in.
Active Directory Users and Computers and Group Policy snap-ins
To troubleshoot policy precedence issues and determine the set of policies that are being used by IPSec clients, use the Active Directory Users and Computers and Group Policy snap-ins. Policy precedence is based upon the Group Policy inheritance model. The policy used is the policy assigned at the lowest level of the domain hierarchy for the domain container of which the computer is a member. For example, if there are IPSec policies configured both for the domain and for an organizational unit within the domain, computers that are members of the domain use the domain IPSec policies. The computers that are members of the organizational unit within the domain use the organizational unit IPSec policies. If there are no IPSec policies configured for Active Directory, local policies are used.
For more information about IPSec policy behavior in an Active Directory environment, see Policies stored in Active Directory.
IP Security Monitor snap-in
You can use the IP Security Monitor snap-in to view details on the local computer or remote computers about:
Ipseccmd
You can use Ipseccmd to configure IPSec policies, filters, and filter actions at the command prompt. For more information, see Ipseccmd. Ipseccmd can only be used on computers running Windows XP. To configure IPSec policies, filters, and filter actions at the command prompt for computers running Windows 2000, use the ipsecpol command that is provided in the Windows 2000 Server Resource Kit.
Event Viewer
You can use the Windows XP Event Viewer snap-in to view the following IPSec-related events:
Enabling audit logging and viewing the events in Event Viewer is the fastest and simplest way to troubleshoot failed main mode or quick mode negotiations.
Oakley log
You can use the Oakley log to view details about the SA establishment process. The Oakley log is enabled through a registry setting and is not enabled by default. To enable the Oakley log, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry setting to 1. The Oakley key does not exist by default and must be created. For more information about adding values to registry keys, see To add a value.
After it is enabled, the Oakley log, which is stored in the systemroot\Debug folder, records all ISAKMP main mode or quick mode negotiations. A new Oakley.log file is created each time the IPSec Policy Agent is started and the previous version of the Oakley.log file is saved as Oakley.log.sav.
To activate the new EnableLogging registry setting after modifying its value, stop and start the IPSec Policy Agent and related IPSec services by running the net stop policyagent and net start policyagent commands at the command prompt. If you are restarting the IPSec Policy Agent and related services on a computer running Windows 2000 Server and the Routing and Remote Access service, use the following sequence of commands:
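The Windows XP procedure described above (create the Oakley key, set EnableLogging, restart the Policy Agent) collected into one batch script, as an added example that is not part of the original page. It assumes reg.exe and net.exe are available, as they are on Windows XP, and that it runs from an administrator's command prompt; it does not cover the Windows 2000 Server and Routing and Remote Access case.

```batch
@echo off
rem Added example (not from the original page): enable the Oakley log on
rem Windows XP, restart the IPSec Policy Agent so the setting takes effect,
rem and confirm that an Oakley.log is being written under %SystemRoot%\Debug.
rem Assumes reg.exe and net.exe (both included with Windows XP) and an
rem administrator's command prompt.

set OAKLEY_KEY=HKLM\System\CurrentControlSet\Services\PolicyAgent\Oakley
set OAKLEY_LOG=%SystemRoot%\Debug\Oakley.log

rem "reg add" creates the Oakley subkey if it is missing and sets the value.
rem /t REG_DWORD gives the value the type the Policy Agent expects;
rem /f overwrites an existing value without prompting.
reg add "%OAKLEY_KEY%" /v EnableLogging /t REG_DWORD /d 1 /f
if errorlevel 1 (
    echo Could not write EnableLogging. Run this from an administrator prompt.
    exit /b 1
)

rem Show the value the Policy Agent will read when it starts.
reg query "%OAKLEY_KEY%" /v EnableLogging

rem Restart the Policy Agent. A new Oakley.log is created on start and the
rem previous log, if any, is saved as Oakley.log.sav.
net stop policyagent
net start policyagent

rem The file exists once the agent is up; main mode and quick mode
rem negotiations are appended to it as they occur.
if exist "%OAKLEY_LOG%" (
    echo Oakley logging is active: "%OAKLEY_LOG%"
) else (
    echo Oakley.log not present yet; generate IPSec traffic, then check "%OAKLEY_LOG%".
)

rem To turn logging off again, set EnableLogging to 0 and restart the agent:
rem   reg add "%OAKLEY_KEY%" /v EnableLogging /t REG_DWORD /d 0 /f
rem   net stop policyagent
rem   net start policyagent
```

Disable logging again when troubleshooting is finished, since the log records every negotiation and grows with IPSec activity.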
Network Monitor
You can use Microsoft Network Monitor to troubleshoot IPSec. Network Monitor 2.0, included with both Windows 2000 Server and Systems Management Server 2.0, features parsers for ISAKMP, AH, and ESP. However, Network Monitor does not parse the encrypted portions of IPSec-protected traffic.
For more information, see Network Monitor.