Implement IPSec on Win2k3: Clients and Servers - Page 2

Monitoring and Verifying IPSec Traffic

Figure 3.
(Click for a larger image)

Once you have set up your trial IPSec configuration, you'll want to be sure that communications between your test workstation and server are indeed encrypted. There are a number of ways of doing this, but perhaps the easiest is to use the IP Security Monitor MMC snap-in. Once you have added the snap-in to an MMC on your server, navigate to the Statistics folder for your system, following the path shown in Figure 3

The statistics provided include the amount of data that has been sent and received in encrypted form, and the number of current security associations. This number represents the IPSec connections that are currently established between this server and other systems. To see details of these connections, click the Security Associations folder as shown in Figure 4.

As you can see, in this test scenario, there is a single IPSec session established between the server (192.168.1.102) and the Windows XP Professional client (192.168.1.100).

Figure 4.
(Click for a larger image)

There are numerous other ways of ensuring that IPSec is being used, such as packet sniffing with a network monitoring application, but if all you are looking to establish is whether IPSec is being used or not, then these are probably the easiest methods available.

So, Is it Worth it?

At the beginning of Part One, we said that we would answer the question of whether implementing IPSec on your network was worth it. Hopefully we have demonstrated that the implementation process is very straightforward, and its operation completely transparent. In fact, it's hard to find fault with IPSec.

However, one consideration is that IPSec adds an extra layer of complexity to network troubleshooting. Every time you experience a connectivity issue, you have to consider whether the problem is with the underlying network structure, or with IPSec. It may be that IPSec is not the cause of the problem, but it's one more thing to consider, when you probably have enough to think about already. Additionally, on larger networks or those with already high network traffic levels, you should consider whether the additional (though minimal) network traffic associated with the setup and maintenance of IPSec connections would be a problem. Chances are it wont be, but it should be considered.

Ultimately, IPSec makes sense if you either feel that the data on your network is at risk, or if you value the security of your data enough to spend a small amount of time configuring your systems. Given that Microsoft provides all the software and tools need to configure and monitor IPSec, you have nothing to lose by giving it a try in a test environment.