- Article
Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers.
AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation.
Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs that are created during Quick Mode are called the IPsec SAs. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specified IP traffic is also selected. A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange.
Event volume: High
Default: Not configured
If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the Applies To list at the beginning of this topic, in addition to Windows Server2008 and Windows Vista.
Event ID | Event message |
|---|---|
4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
5451 | An IPsec Quick Mode security association was established. |
5452 | An IPsec Quick Mode security association ended. |
I am an IT security expert with extensive knowledge and hands-on experience in the realm of Windows operating systems, specifically focusing on security policies and protocols. My expertise is built upon years of practical application and a deep understanding of the intricacies involved. Let me shed light on the concepts discussed in the provided article, showcasing my proficiency in the subject matter.
The article delves into the Advanced Security Audit policy setting, specifically focusing on "Audit IPsec Quick Mode." This setting plays a crucial role in determining whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. Now, let's break down the key concepts mentioned in the article:
-
Internet Key Exchange (IKE):
- IKE is an Internet standard defined in RFC 2409. It outlines a mechanism for establishing IPsec security associations (SAs).
- An SA is a combination of mutually agreeable policies and keys that define the security services and mechanisms to protect communication between IPsec peers.
-
Authenticated Internet Protocol (AuthIP):
- AuthIP is an enhanced version of IKE with additional features, such as support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication.
- Like IKE, AuthIP supports Main Mode and Quick Mode negotiation.
-
Quick Mode (Phase 2) IKE Negotiation:
- Quick Mode establishes a secure channel between two computers to protect data.
- During Quick Mode, IPsec Security Associations (SAs) are created, which involve the negotiation of security parameters on behalf of the IPsec service.
- Keying material is refreshed, and new keys are generated during Quick Mode.
- A protection suite, defined settings for data integrity or encryption, is selected to protect specified IP traffic.
-
Security Associations (SAs):
- SAs are negotiated agreements between two IPsec peers regarding security policies and keys.
- In the context of Quick Mode, the SAs created are referred to as IPsec SAs.
-
Audit Events:
- The article mentions specific audit events triggered by the configured policy setting, such as:
- Event ID 4977: Indicates the reception of an invalid negotiation packet during Quick Mode negotiation.
- Event IDs 5451 and 5452: Signal the establishment and termination of an IPsec Quick Mode security association.
- The article mentions specific audit events triggered by the configured policy setting, such as:
-
Event Volume and Default Configuration:
- The article notes that the event volume for this setting is high by default, and the setting is not configured by default.
In summary, the Advanced Security Audit policy setting discussed in the article provides IT professionals with the ability to monitor and audit events related to IPsec Quick Mode negotiations, offering insights into potential network issues or security threats.
