Enabling an IPSec Policy
In the Local Security Settings console, right-click the policy you want to enable and choose Assign (the IPSec term for enable). That policy is now enabled. If any other policy had been assigned previously, it becomes unassigned.
Modifying an IPSec Policy
As discussed earlier, IPSec policies have rules made up of filter lists, filter actions, authentication methods, tunnel settings, and connection types. Policies, filter lists, and filter actions are entities with names and associated configuration settings. Therefore, you can edit filter lists and filter actions on their own or through the policies that contain them.
In the IP Security On Local Machine folder in the Local Security Settings console, choose Action, Manage IP Filter Lists And Filter Actions to open the dialog box shown in Figure 17-3. Select the filter list or filter action you want to modify, and click Edit. The corresponding properties dialog box opens, in which you can edit the configuration settings. These changes are reflected in each policy that uses the specific filter list or filter action.
Figure 17-3. You can edit filter lists and filter actions directly.
To modify an IPSec policy, select the policy in the Local Security Settings console, and then choose Action, Properties. The policy properties dialog box appears, similar to the one shown in Figure 17-4. Select the rule you want to edit, and then click Edit to display the Edit Rule Properties dialog box. This is the same dialog box you see if you don't use the wizard to create new rules. Each tab in this dialog box contains the settings for one of the five elements of an IPSec rule.
Figure 17-4. You can modify an IPSec policy in its properties dialog box.
Monitoring IPSec
The IP Security Monitor tool displays information for each active security association. IP Security Monitor can also provide statistics about security associations, key usage, bytes sent and received, and other items.
In Windows XP, IP Security Monitor is implemented as an MMC snap-in, as shown in Figure 17-5. To create a console with IP Security Monitor, follow these steps:
1. At a command prompt, type mmc to open Microsoft Management Console.
2. Choose File, Add/Remove Snap-In (or press Ctrl+M).
3. In the Add/Remove Snap-In dialog box, click Add.
4. Select IP Security Monitor and click Add.
5. In the Add Standalone Snap-In dialog box, click Close. In the Add/Remove Snap-In dialog box, click OK.
If you want to monitor other network computers running Windows XP, right-click IP Security Monitor in the tree pane, and choose Add Computer.
Figure 17-5. IP Security Monitor in Windows XP appears in MMC.
In Windows 2000, IP Security Monitor is a stand-alone program, as shown in Figure 17-6. To start IP Security Monitor, type ipsecmon at a command prompt.
Figure 17-6. IP Security Monitor in Windows 2000 presents a plethora of statistics about IPSec.
Wednesday, January 30, 2008