
Top Ten Things You Should Know About IPSEC in Order to Pass a Microsoft Exam

Because security plays a major role in Microsoft certifications, it isn’t surprising that IP Security (IPSEC) appears often on the exams. Unfortunately, IPSEC isn’t straightforward: when do you choose tunnel versus transport mode? What about Main versus Quick mode? How are group policies deployed? What are the most important command-line tools? In this article, David Leaver reviews some key points of IPSEC to keep in mind while preparing for your Microsoft exams.

It will quickly become apparent once you begin studying for your chosen Microsoft accreditation that security plays a major role within all topic areas. One key weapon in Microsoft’s security armoury is IP Security (IPSEC), which is a joint Microsoft/Cisco venture designed to protect network communications between clients as they traverse both the private and the public network infrastructures. However, in terms of studying IPSEC for your Microsoft exams, it can be a little tricky to grasp all of its settings and acronyms. In order to hopefully make the topic a bit clearer, I have listed the top ten things you should keep in mind when studying IPSEC for your Microsoft networking exams.

1. When to choose tunnel mode or transport mode

Before you begin setting up an IPSEC policy, you need to establish which mode of IPSEC transport is required. There aren’t any guarantees on what may or may not come up as a question in a Microsoft exam, but if an IPSEC-related question appears without making reference to transport mode or tunnel mode, I would be amazed. Microsoft is very keen to test whether you know which method you should apply to a given scenario.

The transport mode is the default mode and should be used on local network deployments. A common exam scenario is an accounting server on the local network (LAN) that requires all client communications to be authenticated and/or encrypted. It is worth mentioning here that when creating an IPSEC policy you have the option of ensuring a packet's integrity using the Authentication Header (AH), or its integrity and encryption using the Encapsulating Security Payload (ESP). Without trying to confuse matters, AH and ESP operate differently according to whether you use transport or tunnel mode; I will explain the main differences next.

The tunnel mode option is used for external connection types, for example site-to-site connections over the internet or client-to-site connections over a VPN. The main reason tunnel mode is more suitable is that, like transport mode, it uses AH and ESP to encapsulate the IP packet, but it then encapsulates the entire packet, header and trailer included, again for additional security.

The simplest way to differentiate between the two modes is to remember that transport mode is for the LAN and tunnel mode is for external connections. For your exams, it is essential to know the finer points of how each IP packet is encapsulated with the required headers and trailers, and the AH and ESP methods used. To a lesser extent, you should know the specific authentication protocols (SHA1 and MD5) and the encryption protocols (DES and 3DES) and the varying levels of security they provide to a policy.

2. What makes up an IPSEC policy

The key fact to remember here is that an IPSEC policy is made up of five variables: the filter list, the filter action (sometimes referred to as the filter rule), the authentication method, the tunnel endpoint, and the connection type. As you begin to build up your IPSEC policy, you pass through each of these areas and set them on your policy accordingly. The IP security console isn’t short of a wizard or three when it comes to setting up each sub-area of the policy, but for the purpose of the exam, it’s worth knowing how to navigate your way around the policy setup wizard-free as well.

By default, Microsoft supplies three IPSEC policies, which is nice of them! You should know these default policies very well for the exam. The client (respond only) policy is designed to respond to IPSEC requests and reply as required. So, for example, if the next level of IPSEC policy, the request security policy, was assigned to a server, the client policy will attempt to negotiate a security method with the server; but if no agreement is made, they will continue to communicate unsecured. If the server was assigned the require security policy, the client policy will respond securely to the server if a security method is negotiated. If an agreement isn’t made, communication will stop, as the server required that security be used. As I mentioned earlier, you should be very familiar with these policies, including the authentication methods used and the granular security settings they have in regards to encryption and integrity. Quite often, at least one if not all of these policies are referred to in the exam.
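To make the three default policies concrete, here is an added Python simulation (my illustration for this article, not Microsoft's code) of how a client and a server with different policies assigned end up secured, unsecured or blocked. The policy names are the defaults described above; the security-method lists, the host names and the rule that the initiator's ordering decides which common method is chosen are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# The three default policies Windows supplies, as named on the page; None
# stands for a host with no IPSEC policy assigned at all.
RESPOND_ONLY = "Client (Respond Only)"
REQUEST = "Server (Request Security)"
REQUIRE = "Secure Server (Require Security)"

# Constructed preference lists, strongest first. A host accepts any method in
# its list; the initiator's ordering decides which common method is chosen.
STRONG = ["ESP[3DES,SHA1]", "ESP[3DES,MD5]", "ESP[DES,SHA1]", "AH[SHA1]"]
LEGACY = ["ESP[DES,MD5]", "AH[MD5]"]     # e.g. a host without 3DES support


@dataclass
class Host:
    name: str
    policy: Optional[str]
    methods: List[str]


def negotiate(a: Host, b: Host) -> str:
    """Outcome for traffic between a and b: 'secured:<method>', 'unsecured' or
    'blocked'. Respond Only never starts a negotiation; Request and Require do."""
    initiators = [h for h in (a, b) if h.policy in (REQUEST, REQUIRE)]
    if initiators:
        initiator = initiators[0]
        responder = b if initiator is a else a
        if responder.policy is not None:      # a host without a policy never answers
            common = [m for m in initiator.methods if m in responder.methods]
            if common:
                return "secured:" + common[0]
    # No agreement (or nobody initiated): Require refuses to talk in the clear,
    # Request and Respond Only fall back to unsecured traffic.
    if REQUIRE in (a.policy, b.policy):
        return "blocked"
    return "unsecured"


def scenario_table() -> dict:
    """Exam-style scenarios against an accounting server (constructed hosts)."""
    request_srv = Host("accounts", REQUEST, STRONG)
    require_srv = Host("accounts", REQUIRE, STRONG)
    return {
        "xp client / request server": negotiate(Host("xp", RESPOND_ONLY, STRONG), request_srv),
        "w2k client / request server": negotiate(Host("w2k", RESPOND_ONLY, LEGACY), request_srv),
        "w2k client / require server": negotiate(Host("w2k", RESPOND_ONLY, LEGACY), require_srv),
        "no-policy client / request server": negotiate(Host("home", None, []), request_srv),
        "no-policy client / require server": negotiate(Host("home", None, []), require_srv),
        "two respond-only hosts": negotiate(Host("a", RESPOND_ONLY, STRONG), Host("b", RESPOND_ONLY, STRONG)),
    }


if __name__ == "__main__":
    for case, outcome in scenario_table().items():
        print(f"{case:36s} -> {outcome}")
```

The two cases worth staring at are the legacy client against the request server (it quietly falls back to clear text, which is exactly what the monitoring tools later in the article exist to catch) and the same client against the require server, where traffic simply stops.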

3. What makes up an IPSEC policy, part two

I feel that I should give you a bit more detail on the five variables I touched on earlier. The number of options and the amount of detail available to you here is too much for me to cram into a single paragraph... but I’ll try. Your filter list establishes exactly what is going to have a filter rule applied to it. In most cases, this is a destination IP or subnet, but there are other variables too, and the policies can be applied to inbound and outbound traffic. The filter rule or action establishes whether traffic is permitted, blocked, or whether security negotiation needs to take place. The first two need little explanation, but negotiating security has a number of additional security options, briefly covered above in regards to the three default policies. You should note that when multiple filters apply, they are applied in order of the most specific first. I discuss authentication in more detail below. The connection type refers to whether you are applying the policy to the LAN or to a dial-up connection. I have obviously limited the detail required here, but your Microsoft materials will cover the more granular detail required.
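The following added Python example (not from the original article or from Microsoft) models the five variables as data, applies the most-specific-filter-first rule to sample packets for the accounting-server scenario, and renders the result as `netsh ipsec static` commands of the kind discussed under command-line tools below. The specificity weights, the `10.0.1.x` addresses and the rule names are assumptions made for the example; the netsh parameter names follow the Windows Server 2003/2008 `netsh ipsec static` context and should be confirmed with `netsh ipsec static add <object> /?` on the target before use.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Filter:
    src: str                   # "me", "any", a host IP, or CIDR such as "10.0.1.0/24"
    dst: str
    protocol: str = "ANY"      # ANY, TCP, UDP or ICMP
    dst_port: Optional[int] = None
    mirrored: bool = True      # also match the reply direction

    def specificity(self) -> int:
        # Assumed weighting for the example: addresses outrank protocol, which outranks port.
        score = 0
        for spec in (self.src, self.dst):
            if spec == "me":
                score += 32
            elif spec != "any":
                score += ipaddress.ip_network(spec, strict=False).prefixlen
        return score + (8 if self.protocol != "ANY" else 0) + (16 if self.dst_port is not None else 0)


@dataclass(frozen=True)
class Rule:
    """One rule binds the five policy variables together."""
    name: str
    filters: Tuple[Filter, ...]             # filter list
    action: str                             # filter action: permit | block | negotiate
    auth: str = "kerberos"                  # authentication method: kerberos | psk | rootca
    tunnel_endpoint: Optional[str] = None   # None = transport mode
    conn_type: str = "lan"                  # connection type: lan | dialup | all


def _addr_ok(spec: str, ip: str, me: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return ip == me
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _hits(f: Filter, me: str, src: str, dst: str, proto: str, dport: int, sport: int) -> bool:
    if f.protocol not in ("ANY", proto):
        return False
    fwd = _addr_ok(f.src, src, me) and _addr_ok(f.dst, dst, me) and f.dst_port in (None, dport)
    rev = f.mirrored and _addr_ok(f.src, dst, me) and _addr_ok(f.dst, src, me) and f.dst_port in (None, sport)
    return fwd or rev


def decide(rules: Tuple[Rule, ...], me: str, src: str, dst: str, proto: str = "TCP", dport: int = 0, sport: int = 0) -> str:
    """Action for one packet: the matching filter with the highest specificity wins;
    traffic no filter covers is left alone by IPSEC, reported here as "permit"."""
    best = None
    for r in rules:
        for f in r.filters:
            if _hits(f, me, src, dst, proto, dport, sport) and (best is None or f.specificity() > best[0]):
                best = (f.specificity(), r.action)
    return best[1] if best else "permit"


def to_netsh(policy_name: str, rules: Tuple[Rule, ...]) -> List[str]:
    """Render the model as netsh ipsec static commands for a batch file. Parameter
    names follow the Windows Server 2003/2008 'netsh ipsec static' context; confirm
    each with 'netsh ipsec static add <object> /?' on the target before use."""
    def addr(kind: str, spec: str) -> str:
        if "/" in spec:
            net, mask = spec.split("/")
            return f"{kind}addr={net} {kind}mask={mask}"
        return f"{kind}addr={spec}"
    cmds = [f'netsh ipsec static add policy name="{policy_name}"']
    for r in rules:
        fl, fa = f"{r.name} list", f"{r.name} action"
        cmds.append(f'netsh ipsec static add filterlist name="{fl}"')
        for f in r.filters:
            opts = " mirrored=" + ("yes" if f.mirrored else "no")
            opts += f" protocol={f.protocol}" if f.protocol != "ANY" else ""
            opts += f" dstport={f.dst_port}" if f.dst_port is not None else ""
            cmds.append(f'netsh ipsec static add filter filterlist="{fl}" {addr("src", f.src)} {addr("dst", f.dst)}{opts}')
        cmds.append(f'netsh ipsec static add filteraction name="{fa}" action={r.action}')
        auth = "kerberos=yes" if r.auth == "kerberos" else f'{r.auth}="<FILL IN AT DEPLOYMENT>"'
        cmds.append(f'netsh ipsec static add rule name="{r.name}" policy="{policy_name}" filterlist="{fl}" filteraction="{fa}" {auth}')
    cmds.append(f'netsh ipsec static set policy name="{policy_name}" assign=y')
    return cmds


# Constructed policy for the accounting-server scenario on the page.
ACCOUNTS = "10.0.1.5"
POLICY = (
    Rule("Secure accounting", (Filter("any", ACCOUNTS),), "negotiate"),
    Rule("Allow ping to accounting", (Filter("any", ACCOUNTS, "ICMP"),), "permit"),
    Rule("Block telnet", (Filter("any", "any", "TCP", 23),), "block"),
)

if __name__ == "__main__":
    print(decide(POLICY, "10.0.1.20", "10.0.1.20", ACCOUNTS, "TCP", 445, 50000))   # negotiate
    print("\n".join(to_netsh("Accounting policy", POLICY)))
```

Note how the ping rule wins over the broader "secure accounting" rule only because it names a protocol, and how a mirrored filter also catches the server's replies; both are the kind of detail an exam snapshot of a filter list tends to hinge on.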

4. Coming to grips with Main mode and Quick mode

In order to understand the workings of an IPSEC policy further, the next step is to know that a connection is made up of two parts: Main mode and Quick mode. Make sure you know that Main mode uses a three-stage negotiation process: stage one is the negotiation of the security suites to be used, stage two is the Diffie-Hellman key exchange (Diffie-Hellman is explained in more detail later), and stage three is the authentication stage between the clients using the chosen authentication method (also mentioned later). An important fact to remember is that the strength of the Main mode connection then dictates the strength of the Quick mode negotiations within it once the connection is established.

The Quick mode phase of the connection is used to conduct the actual transfer of data, creating a separate security association (SA) within the Main mode connection. As a result, the lifespan of Quick mode is much shorter, and by default it will time out after just five minutes (3600 seconds) or when the data limit is reached, which by default is 100mb. After this point, the session is renegotiated and the process starts again. Although this isn’t a common topic area covered in the exam, you should be aware of two issues when IPSEC is deployed on a large scale. The first is that the processing and negotiating of policies does take its toll on the computers involved, so either limit your deployment or consider a network card that allows IPSEC processing to be offloaded. Secondly, if you are not using PFS (perfect forward secrecy, which would also add to your processing load), the Quick mode negotiations will use the Main mode keys to generate their session keys. Any attacker monitoring your network could use the Quick mode keys to build up a picture of your Main mode session key.
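As an added illustration (not the article's or Windows' code), the Python below tracks one Quick mode SA against both a time and a byte lifetime and re-keys when either runs out, and shows the PFS point from the paragraph above: without PFS, the Quick mode session key is a function of the Main mode key and the nonces exchanged in the clear, so any party holding the Main mode key can reproduce it, whereas with PFS a fresh Diffie-Hellman secret (modelled as random bytes here) is mixed in. The lifetimes passed in, the HMAC-based key derivation and the nonce sizes are constructed for the example and are not the real IKE key schedule.

```python
import hashlib
import hmac
import secrets


def derive_quick_mode_key(main_mode_key: bytes, nonces: bytes, dh_secret: bytes = b"") -> bytes:
    """Toy key derivation standing in for the IKE key schedule: an HMAC over the
    (public) nonces keyed with the Main mode key, with an optional fresh
    Diffie-Hellman secret mixed in when PFS is on."""
    return hmac.new(main_mode_key, dh_secret + nonces, hashlib.sha256).digest()


class QuickModeSA:
    """One Quick mode security association living inside a Main mode SA."""

    def __init__(self, main_mode_key: bytes, pfs: bool, max_seconds: float, max_bytes: int, now: float):
        self.main_mode_key = main_mode_key
        self.pfs = pfs
        self.max_seconds = max_seconds      # lifetime in seconds (constructed value)
        self.max_bytes = max_bytes          # lifetime in bytes of protected data (constructed value)
        self.rekeys = 0
        self._negotiate(now)

    def _negotiate(self, now: float) -> None:
        self.started = now
        self.bytes_sent = 0
        self.nonces = secrets.token_bytes(16)                       # exchanged in the clear
        dh_secret = secrets.token_bytes(32) if self.pfs else b""    # PFS: fresh DH per SA
        self.session_key = derive_quick_mode_key(self.main_mode_key, self.nonces, dh_secret)

    def expired(self, now: float, nbytes: int) -> bool:
        """True once either the time or the byte limit would be crossed."""
        return (now - self.started) >= self.max_seconds or self.bytes_sent + nbytes > self.max_bytes

    def send(self, nbytes: int, now: float) -> bool:
        """Account for nbytes of traffic at time now; True if the SA had to be
        renegotiated (new nonces, new session key) before sending."""
        renegotiated = self.expired(now, nbytes)
        if renegotiated:
            self.rekeys += 1
            self._negotiate(now)
        self.bytes_sent += nbytes
        return renegotiated


def observer_can_reproduce(sa: QuickModeSA, main_mode_key: bytes) -> bool:
    """Could a party holding the Main mode key and the nonces seen on the wire
    compute the Quick mode session key? True without PFS, False with it."""
    return derive_quick_mode_key(main_mode_key, sa.nonces) == sa.session_key


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for pfs in (False, True):
        sa = QuickModeSA(key, pfs=pfs, max_seconds=300, max_bytes=1000, now=0.0)
        print(f"pfs={pfs}: rekey on 2nd send={sa.send(600, 10.0) or sa.send(500, 20.0)}, "
              f"reproducible from main mode key={observer_can_reproduce(sa, key)}")
```

The byte counter is what makes the "100mb" style limit bite on a busy file server long before the timer does, which is the processing-load point made above: more re-keys per hour, each one a fresh Quick mode exchange, and with PFS a fresh Diffie-Hellman computation on top.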

5. Authentication methods

The choice you make here is dictated by what type of IPSEC connection you have in place. However, this choice is further narrowed in the context of a Microsoft exam, as you need to apply best practice as well. If we were to do it by the book, you should use Kerberos when you need to provide authentication on the local network, usually when operating a tunnel mode connection. This makes sense, as no further configuration is required, provided that the clients and servers whose communications you are looking to secure authenticate on the same domain. If you are using IPSEC over the internet in IPSEC tunnel mode, you would need to use an external authentication method, namely a Public Key Infrastructure (PKI). This could be in the form of a third-party certification provider or the Microsoft certification authority built into Microsoft Server operating systems. The bottom of the pile in terms of authentication methods is the pre-shared key. If we were to take the real-world stance on this, we would likely adopt this method of authentication for budgetary or practicality reasons. However, this isn’t a preferred method within Microsoft’s best practice, as it is the weakest in comparison to PKI and Kerberos because it uses symmetric key encryption, making it more vulnerable to being compromised. That being said, the topic of pre-shared keys is a common exam question, mainly to point out its weaknesses. It is for that reason that you should make sure you know when you would use a PSK over the more secure authentication methods, and the extra lengths you should go to to make sure your PSK is a strong one (using varying case sizes of alphanumerics and special characters, and making it at least 15 characters long).
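To turn the PSK rules above into something checkable, here is an added Python helper (mine, not Microsoft's guidance) that reports which of the rules a proposed key breaks, generates a key from the OS random source that satisfies all of them, and estimates the entropy of a uniformly random key of a given length. The special-character set and the 24-character default length are assumptions of the example.

```python
import math
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"     # assumed special-character set for the example
ALPHABET = string.ascii_letters + string.digits + SPECIALS
MIN_LEN = 15                               # the minimum length given above


def psk_findings(psk: str) -> list:
    """List every way a proposed pre-shared key falls short of the rules:
    mixed case, digits, special characters, at least MIN_LEN characters."""
    checks = [
        (len(psk) >= MIN_LEN, f"shorter than {MIN_LEN} characters"),
        (any(c.islower() for c in psk), "no lower-case letter"),
        (any(c.isupper() for c in psk), "no upper-case letter"),
        (any(c.isdigit() for c in psk), "no digit"),
        (any(c in SPECIALS for c in psk), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]


def generate_psk(length: int = 24) -> str:
    """Draw a key from the OS CSPRNG, retrying until it satisfies every rule."""
    if length < MIN_LEN:
        raise ValueError(f"length must be at least {MIN_LEN}")
    while True:
        psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not psk_findings(psk):
            return psk


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random key of this length over the alphabet.
    A human-chosen key of the same length has far less, whatever rules it passes."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for candidate in ("password", "Correct-Horse-Battery-9", generate_psk()):
        print(f"{candidate!r}: {psk_findings(candidate) or 'passes all rules'}")
    print(f"15 random characters: about {entropy_bits(15):.0f} bits")
```

The point of `entropy_bits` is the caveat the exam answer leaves out: passing the composition rules is necessary, but a key people can remember is rarely anywhere near the figure for a random one, which is why the PSK sits at the bottom of the pile.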

6. IPSEC interoperability

When it comes to Microsoft exam questions, you can bet your last dollar that there will be at least one question which tests your knowledge of how different Microsoft products work or, as is sometimes the case, don’t work, on their different operating system packages. With regards to IPSEC, there are a few cases where you need to be aware of interoperability issues. First of all is the deployment of IPSEC via the command line. Within Windows Server 2008 and 2003 editions, you would use the netsh utility. This is a very powerful tool within Windows servers that is not reserved for IPSEC alone, but one of its many features is setting up and deploying server-based IPSEC policies. In regards to client operating systems, if you are using any version from XP onwards, you will be using IPSECCMD. In regards to the Windows Server 2003 examination track, it is also worth knowing that the Windows 2000 command line tool of choice for IPSEC deployment is IPsecpol.

There are also further considerations when it comes to choosing the top levels of encryption. The use of 3DES (pronounced triple-DES) is only available to Windows Server 2003 operating systems upwards (including Windows XP upwards for the client operating systems). If a question arises where you have a number of Windows 2000 clients on a network communicating with a server that is using 3DES encryption strength, then without at least Service Pack 2 and the High Security Pack installed, they will only communicate at the DES level, which is much less secure.

Finally, it is worth preparing for the sneaky exam question that includes a home-based operating system on your network which is failing to communicate using IPSEC. Non-domain clients do not support the use of Kerberos, and so any IPSEC policy that is deployed with Kerberos as its authentication method will fail here.

7. Deploying IPSEC

As with any network deployment, it is usually the scale that dictates the deployment method you use. For the Microsoft exams you will need to know the three main methods of deployment—locally using the IPSEC management console, using the IPSECCMD or netsh (usually in a batch file), and finally through group policy.

You should familiarize yourself with the IPSEC management tools, as they are a likely exam question area. The IP security management console is made up of two snap-ins: the IP security policies and the IP security console. The latter contains the monitoring tools required to observe an IPSEC policy once it is deployed, whereas the IP security policies snap-in lists the three default IPSEC policies supplied by Microsoft (mentioned in point 2). The two console snap-ins are together by default in group policy computer security settings, but you have to make up the console yourself if you are looking to set this up locally, or perhaps set up the policies first before exporting to the group policy template.

8. Command line tools

There are always command-line tools to master at this level of Microsoft configuration, but within IPSEC you have your work cut out, because the operating system you are using dictates which command-line tool you use (as described above).

  • Netsh—Used within server operating systems, this is a very powerful tool which can do much more than just IPSEC. However, for the exam, you should know that there are two further sub-commands: netsh ipsec static creates the policies before applying them, whereas netsh ipsec dynamic applies changes to policies which are already in effect. Using the /? switch will give you the further configuration options available.
  • IPSECCMD—Like netsh, you can use IPSECCMD.exe in dynamic mode to apply policies or changes to policies already applied. This applies to Windows XP SP2 clients onwards.
  • IPsecpol—You are unlikely to come across this tool any longer in the real world, but just knowing that it is the IPSEC command-line tool for Windows 2000 systems is enough for the exam.
  • Netdiag—More of a testing tool, the netdiag /test:ipsec command allows you to view the status of any applied policies on Windows Server 2003 systems.
  • Ping—The tool which makes it into pretty much any networking command-line tool kit. When you deploy an IPSEC policy and you want to ensure your clients are still talking, regardless of the IPSEC policy you have just applied, then ping [IP address] is always the first port of call.

9. Logging and monitoring

There are plenty of logging and monitoring tools to make use of in IPSEC. Within the graphical tools, there is the IP security monitor, which is a very in-depth console-based tool for monitoring your active connections. From here you can see the active policies applied, and then the statistics for both Main mode and Quick mode for your policy. As painstaking as it may be, it is worth spending the time getting to know what each monitoring statistic means, as an exam question with a snapshot of these statistics is quite likely.

The event viewer is a stalwart for any troubleshooting in a Microsoft environment. The security event log lets you see whether or not a policy has been applied as expected. However, you must consider the effects of any audit logging on a server, as this will cause the security event log to fill up, and by default this will cause the server to shut down.

For granular logging of IPSEC events, you must know about IKE (Internet Key Exchange) tracing. This is not enabled by default, and in truth you won’t be quizzed on it very hard in the security exams, as the logs it produces are beyond the boundaries of knowledge required on the Microsoft network security track. However, you should know how to enable it in the registry on a client PC and the relevant netsh command that is required to turn it on for Server operating systems. The logged files are then retrievable from the %systemroot%\debug\oakley.log file. As an aside, you may wonder what the term Oakley is, as it appears in most exam materials without explanation. In short, Oakley is the protocol which dictates which security levels within the Diffie-Hellman group will be used during the Main mode phase of negotiations.

10. Troubleshooting IPSEC

We have covered the monitoring and the logs provided for IPSEC; furthermore, we have covered the multitude of command line tools for setting up and managing IPSEC. The first step in troubleshooting an applied IPSEC policy is to stop the IPSEC service in the services console or using the net stop command.

When you are faced with a question that involves tunnel mode communication issues between two networks over a router, this is normally related to NAT issues. Make sure you know why you need NAT-T (the “T” stands for traversal) when routing IPSEC traffic, and the port numbers for NAT-T (UDP 4500), Internet Key Exchange (IKE—UDP 500), AH (TCP 51), and ESP (TCP 50).
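The added Python example below (not from the original article) classifies constructed packet records into IKE, NAT-T, ESP and AH traffic, reports which of those a NAT device in the path breaks and why, and builds the minimal firewall allow-list for a gateway-to-gateway tunnel. Note that AH and ESP are identified by IP protocol number (51 and 50) rather than by a TCP port, so a firewall rule for them matches on protocol, not port; the gateway addresses and the sample capture are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# IANA assignments: IP protocol numbers and UDP ports used by IPSEC.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
PORT_IKE, PORT_NAT_T = 500, 4500


@dataclass(frozen=True)
class Packet:
    """Constructed, minimal view of an IP packet as a firewall sees it."""
    src: str
    dst: str
    proto: int
    dport: int = 0      # only meaningful for TCP/UDP


def classify(p: Packet) -> str:
    if p.proto == PROTO_ESP:
        return "ESP"
    if p.proto == PROTO_AH:
        return "AH"
    if p.proto == PROTO_UDP and p.dport == PORT_IKE:
        return "IKE"
    if p.proto == PROTO_UDP and p.dport == PORT_NAT_T:
        return "NAT-T"       # UDP-encapsulated ESP and IKE once a NAT has been detected
    return "other"


def nat_problem(p: Packet, nat_in_path: bool) -> str:
    """Why this packet will not survive a NAT device, or '' if it will."""
    if not nat_in_path:
        return ""
    kind = classify(p)
    if kind == "AH":
        return "AH authenticates the IP header, so the address rewrite fails the integrity check"
    if kind == "ESP":
        return "raw ESP has no port for the NAT to translate; wrap it in NAT-T (UDP 4500)"
    return ""


def firewall_rules(gw_a: str, gw_b: str, nat_t: bool) -> List[Tuple[str, str, str, int]]:
    """Minimal allow-list, both directions, for a tunnel between two gateways.
    Entries are (src, dst, match-type, value): a UDP port or an IP protocol number."""
    needed = [("udp-port", PORT_IKE)]
    if nat_t:
        needed.append(("udp-port", PORT_NAT_T))
    else:
        needed += [("ip-proto", PROTO_ESP), ("ip-proto", PROTO_AH)]
    return [(s, d, kind, value)
            for kind, value in needed
            for s, d in ((gw_a, gw_b), (gw_b, gw_a))]


def summarize(packets: List[Packet], nat_in_path: bool) -> dict:
    """Count traffic by class and collect the packets a NAT would break."""
    counts = Counter(classify(p) for p in packets)
    broken = [(p, nat_problem(p, nat_in_path)) for p in packets if nat_problem(p, nat_in_path)]
    return {"counts": dict(counts), "broken_by_nat": broken}


# Constructed sample "capture" between two tunnel endpoints (documentation addresses).
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.20", PROTO_UDP, PORT_IKE),
    Packet("198.51.100.20", "203.0.113.10", PROTO_UDP, PORT_IKE),
    Packet("203.0.113.10", "198.51.100.20", PROTO_ESP),
    Packet("203.0.113.10", "198.51.100.20", PROTO_AH),
    Packet("203.0.113.10", "198.51.100.20", PROTO_UDP, PORT_NAT_T),
    Packet("203.0.113.10", "198.51.100.20", PROTO_TCP, 50),   # TCP port 50 is not ESP
]

if __name__ == "__main__":
    print(summarize(SAMPLE, nat_in_path=True))
    for rule in firewall_rules("203.0.113.10", "198.51.100.20", nat_t=True):
        print(rule)
```

The last sample packet is the one to remember: a rule written as "TCP 50" passes that packet and nothing else, while the real ESP traffic, which has no port at all, is dropped.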

Other areas of IPSEC troubleshooting you will be expected to know are related to authentication methods. As mentioned earlier, these are Kerberos, PKIs and PSKs. If you are having issues with Kerberos, this will most likely be down to domain issues, such as a home-based client operating system on your network, or having applied an IPSEC policy to a domain controller which is stopping the authentication requests between clients and the domain controller. You should always consider whether the question has followed Microsoft best practice when troubleshooting a Microsoft product. In terms of PKI troubleshooting, you should check that the certificate is valid and that it isn’t on a certificate revocation list (CRL). Ironically, the best way of checking whether your authentication method is working correctly is to use the pre-shared key (PSK) authentication method to see if this allows for a successful connection... for testing purposes only, of course!
