Internet Protocol Security (IPsec) protects communications over IP networks by cryptographically authenticating and encrypting IP packets.

Audit IPsec Main Mode is a security policy setting that enables you to audit events generated by the Internet Key Exchange (IKE) protocol (used to set up a secure, mutually authenticated channel between two parties) and the Authenticated Internet Protocol (AuthIP, a second authentication protocol that improves the security and deployability of IPsec VPNs) during Main Mode negotiations. It generates a high volume of events.

Why enable Audit IPsec Main Mode?

Enabling this policy setting helps you troubleshoot and monitor Main Mode operations. For example, if a device constantly records event ID 4976, it is receiving invalid negotiation packets. This could be caused by a network issue, or by an external attempt to modify or replay packets. It is therefore important to monitor such IPsec events.

How to enable Audit IPsec Main Mode?

  • Open Server Manager on your Windows server.
  • Under the Manage tab, select Group Policy Management to view the Group Policy Management Console.
  • Navigate to Forest -> Domain -> Your Domain -> Domain Controllers.
  • Either create a new group policy object or edit an existing GPO.
  • In the group policy editor, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration.
  • Expand the node and select Logon/Logoff.
  • Click on Audit IPsec Main Mode and enable auditing for 'Success' and 'Failure'.

The following are the IPsec Main Mode events, listed by event ID along with what each indicates:

  • Event ID 4646: IKE DoS-prevention mode has started. (In the event template, the Security ID field appears as the placeholder %1.)
  • Event ID 4650: The establishment of an IPsec Main Mode security association, where the Extended Mode is not enabled and certificate authentication is not used.
  • Event ID 4651: The establishment of an IPsec Main Mode security association, where the Extended Mode is not enabled and a certificate is used for authentication.
  • Event ID 4652: The failure of an IPsec Main Mode negotiation. (Note: This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information.)
  • Event ID 4653: The failure of an IPsec Main Mode negotiation. (Note: This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information.)
  • Event ID 4655: The termination of an IPsec Main Mode security association.
  • Event ID 4976: An invalid negotiation packet was received during IPsec Main Mode negotiation. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
  • Event ID 5049: The deletion of an IPsec Security Association.
  • Event ID 5453: The failure of an IPsec negotiation with a remote computer due to the IKE and AuthIP IPsec Keying Modules (IKEEXT) service not starting.
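Once the subcategory is enabled, the events above land in the Security log. The following PowerShell snippet is an added example (not the page's or ManageEngine's code) that checks the effective "IPsec Main Mode" audit setting, summarises the listed event IDs from the last 24 hours, and flags remote endpoints that repeatedly trigger 4976; it assumes an elevated session on the audited host, and the "Remote Address:" parsing and the threshold of 10 are assumptions.

```powershell
# Added example (not the page's or ManageEngine's code): check the effective
# "IPsec Main Mode" audit setting, pull the Main Mode events listed above from
# the Security log, and flag remote endpoints that repeatedly trigger 4976.
# Assumes an elevated PowerShell session on the audited Windows host.

# 1. Effective policy on this machine (a GPO setting overrides local auditpol).
auditpol.exe /get /subcategory:"IPsec Main Mode"

# 2. The IPsec Main Mode event IDs documented on this page.
$mainModeIds = 4646, 4650, 4651, 4652, 4653, 4655, 4976, 5049, 5453
$since = (Get-Date).AddHours(-24)

$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $mainModeIds
    StartTime = $since
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No IPsec Main Mode events since $since. Is the subcategory enabled for Success and Failure?"
    return
}

# Count per event ID; 4652/4653 (negotiation failures) and 4976 merit a closer look.
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 3. Repeated 4976 from one remote endpoint is the page's indicator of a network
#    problem or of packet modification/replay. The "Remote Address:" value is
#    parsed from the rendered message text (assumption about the message layout),
#    and the threshold of 10 per 24 hours is an assumed starting point to tune.
$threshold = 10
$events | Where-Object { $_.Id -eq 4976 } | ForEach-Object {
    $remote = if ($_.Message -match 'Remote Address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{ Time = $_.TimeCreated; Remote = $remote }
} | Group-Object Remote | Where-Object Count -ge $threshold | ForEach-Object {
    Write-Warning ("{0} invalid negotiation packets (4976) from {1} since {2}" -f `
        $_.Count, $_.Name, $since)
}
```

Because the setting is applied through a GPO in the procedure above, the auditpol output reflects the policy as actually enforced, which is the value worth checking before trusting the absence of events.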

Audit IPsec with ADAudit Plus

ADAudit Plus is a real-time Active Directory auditing tool that tracks all changes across the AD network, so it can also monitor audit policy changes. ADAudit Plus raises an alert if an unauthorized person manages to modify the audit policy. For reports on group policy modifications in ADAudit Plus:
  • Log on to the web console of ADAudit Plus.
  • Navigate to Reports -> GPO Settings Changes.
  • Select the Windows Settings Changes report.
This report provides the following information:
  • The name of the GPO that was modified
  • The user who modified it
  • The name of the domain controller
  • The time of the modification
  • The exact modification that was made

The ADAudit Plus difference

Download ManageEngine's ADAudit Plus, a real-time Active Directory auditing tool that offers reports and instant email alerts. It is a useful tool for understanding employee behavior with regard to IT and for thwarting insider and outsider attacks. It can also be used to keep track of all changes to GPO settings and audit policies.
