Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs created during Quick Mode are called the IPsec SAs. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specified IP traffic is also selected. A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange.

Monitoring Quick Mode SAs can provide information about which peers are currently connected to this computer, which protection suite was used to form the SA, and other information.

Generic filters

Generic filters are IP filters that are configured to use any of the IP address options as either a source or destination address. IPsec also allows you to use keywords, such as My IP Address, DNS Server, DHCP Server, WINS Servers, and Default Gateway, in the configuration of filters. When keywords are used, generic filters show the keywords in the IP Security Monitoring snap-in. Specific filters are derived from the generic filters by expanding keywords into IP addresses.

Adding, removing, and sorting columns

You can add, remove, rearrange, and sort by these columns in the results pane:

  • Name.

  • Source. This is the IP address of the packet source.

  • Destination. This is the IP address of the packet destination.

  • Source Port. This is the TCP or UDP port of the packet source.

  • Destination Port. This is the TCP or UDP port of the packet destination.

  • Source Tunnel Endpoint. This is the tunnel endpoint nearest the local computer, if one was specified.

  • Destination Tunnel Endpoint. This is the tunnel endpoint nearest the destination computer, if one was specified.

  • Protocol. This is the protocol specified in the filter.

  • Inbound Action. This indicates whether inbound traffic is Allowed, Blocked, or uses the Negotiate Security action.

  • Outbound Action. This indicates whether outbound traffic is Allowed, Blocked, or uses the Negotiate Security action.

  • Negotiation Policy. This is the name of the Quick Mode negotiation policy, or cryptographic settings.

  • Connection Type. This is the type of connection that this filter is applied to, either local area network (LAN), remote access, or all network connection types.

Specific filters

Specific filters are expanded from generic filters by using the IP addresses of the source or destination computer for the actual connection. For example, if you have a filter that uses the My IP Address option as the source address and the DHCP Server option as the destination address, then when a connection is formed using this filter, a specific filter is created automatically that has your computer's IP address and the IP address of the DHCP server that this computer uses.
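The keyword expansion described above, modelled as an added example (not code from this documentation or from the IPsec service). The addresses in `HOST_CONTEXT`, the filter dictionaries, and the rule of one specific filter per resolved address pair are assumptions made for illustration.

```python
from ipaddress import ip_address
from itertools import product

# Constructed host context: what each keyword resolves to on this computer.
HOST_CONTEXT = {
    "My IP Address": ["192.0.2.10"],
    "DHCP Server": ["192.0.2.1"],
    "DNS Server": ["192.0.2.53", "198.51.100.53"],
    "WINS Servers": [],                      # none configured on this host
    "Default Gateway": ["192.0.2.254"],
}

# Constructed generic filters, using the keywords named on this page.
GENERIC_FILTERS = [
    {"name": "DHCP", "source": "My IP Address", "destination": "DHCP Server",
     "protocol": "UDP", "outbound_action": "Allowed"},
    {"name": "DNS", "source": "My IP Address", "destination": "DNS Server",
     "protocol": "UDP", "outbound_action": "Negotiate Security"},
    {"name": "WINS", "source": "My IP Address", "destination": "WINS Servers",
     "protocol": "TCP", "outbound_action": "Negotiate Security"},
]


def resolve(value, context):
    """Return the addresses a filter field stands for."""
    if value in context:                      # keyword: look up the host's values
        return [ip_address(a) for a in context[value]]
    return [ip_address(value)]                # already a literal address


def expand(generic, context):
    """Expand one generic filter into its specific filters (assumed model:
    one specific filter per source/destination address pair)."""
    pairs = product(resolve(generic["source"], context),
                    resolve(generic["destination"], context))
    return [{**generic, "source": str(s), "destination": str(d)}
            for s, d in pairs]


if __name__ == "__main__":
    for g in GENERIC_FILTERS:
        specific = expand(g, HOST_CONTEXT)
        print(g["name"], "->", [(f["source"], f["destination"]) for f in specific]
              or "no specific filter (keyword resolved to nothing)")
```

In this model a keyword that resolves to no address, such as WINS Servers here, yields no specific filter, so comparing the generic and specific views shows which rules are not actually in effect on a given host.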

Adding, removing, and sorting columns

You can add, remove, rearrange, and sort by these columns in the results pane:

  • Name.

  • Source. This is the IP address of the packet source.

  • Destination. This is the IP address of the packet destination.

  • Source Port. This is the TCP or UDP port of the packet source.

  • Destination Port. This is the TCP or UDP port of the packet destination.

  • Source Tunnel Endpoint. This is the tunnel endpoint nearest the local computer, if one was specified.

  • Destination Tunnel Endpoint. This is the tunnel endpoint nearest the destination computer, if one was specified.

  • Protocol. This is the protocol specified in the filter.

  • Inbound Action. This indicates whether inbound traffic is Allowed, Blocked, or uses the Negotiate Security action.

  • Outbound Action. This indicates whether outbound traffic is Allowed, Blocked, or uses the Negotiate Security action.

  • Negotiation Policy. This is the name of the Quick Mode negotiation policy, or cryptographic settings.

  • Weight. This is the priority the IPsec service gives to the filter. Weight is derived from a number of factors. For more information about filter weights, see https://go.microsoft.com/fwlink/?LinkId=62212.

    Note

    The weight property is always set to 0 on computers running Windows Vista®, Windows Server® 2008, or later versions of Windows.

Negotiation policies

The negotiation policy is the security method preference order that the two peer computers agree to use when communicating with each other during Quick Mode negotiations.

Statistics

This table displays the statistics available from the Quick Mode Statistics view:

| IPsec Statistic | Description |
| --- | --- |
| Active Security Associations | This is the number of active IPsec SAs. |
| Offloaded Security Associations | This is the number of active IPsec SAs offloaded to hardware. |
| Pending Key Operations | This is the number of IPsec key operations in progress. |
| Key Additions | This is the total number of successful IPsec SA negotiations. |
| Key Deletions | This is the number of key deletions for IPsec SAs. |
| Rekeys | This is the number of rekey operations for IPsec SAs. |
| Active Tunnels | This is the number of active IPsec tunnels. |
| Bad SPI Packets | This is the total number of packets for which the Security Parameters Index (SPI) was incorrect. The SPI is used to match inbound packets with SAs. If the SPI is incorrect, it might mean that the inbound SA has expired and a packet using the old SPI has recently arrived. This number is likely to increase if rekey intervals are short and there are a large number of SAs. Because SAs expire under normal conditions, a bad SPI packet does not necessarily mean that IPsec is failing. |
| Packets Not Decrypted | This is the total number of packets that failed decryption. This failure might indicate that a packet arrived for an SA that had expired. If the SA expires, the session key used to decrypt the packet is also deleted. This does not necessarily indicate that IPsec is failing. |
| Packets Not Authenticated | This is the total number of packets for which data could not be verified. This failure is most likely caused by an expired SA. |
| Packets With Replay Detection | This is the total number of packets that contained a valid Sequence Number field. |
| Confidential Bytes Sent | This is the total number of bytes sent using the ESP protocol. |
| Confidential Bytes Received | This is the total number of bytes received using the ESP protocol. |
| Authenticated Bytes Sent | This is the total number of bytes sent using the AH protocol. |
| Authenticated Bytes Received | This is the total number of bytes received using the AH protocol. |
| Transport Bytes Sent | This is the total number of bytes sent using IPsec Transport Mode. |
| Transport Bytes Received | This is the total number of bytes received using IPsec Transport Mode. |
| Bytes Sent in Tunnels | This is the total number of bytes sent using IPsec Tunnel Mode. |
| Bytes Received in Tunnels | This is the total number of bytes received using IPsec Tunnel Mode. |
| Offloaded Bytes Sent | This is the total number of bytes sent using hardware offload. |
| Offloaded Bytes Received | This is the total number of bytes received using hardware offload. |

Note

Some of these statistics can be used to detect network attack attempts.
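One way to act on that note, as an added example (not part of the original documentation): compare two snapshots of the counters and report failure counters that grew by more than SA expiry, the benign cause the table gives, would account for. The "name  value" text layout, the sample numbers, and the `per_expiry_allowance` threshold are assumptions.

```python
import re

# Failure counters from the Quick Mode Statistics table.
FAILURE_COUNTERS = ("Bad SPI Packets", "Packets Not Decrypted",
                    "Packets Not Authenticated")
# SA churn counters: expired SAs are the benign cause the page gives.
CHURN_COUNTERS = ("Rekeys", "Key Deletions")

# Constructed snapshots (assumed "name  value" text layout), taken one
# polling interval apart.
SNAPSHOT_1 = """\
Rekeys                      40
Key Deletions               38
Bad SPI Packets             15
Packets Not Decrypted        3
Packets Not Authenticated    2
"""
SNAPSHOT_2 = """\
Rekeys                      42
Key Deletions               40
Bad SPI Packets             61
Packets Not Decrypted        4
Packets Not Authenticated  950
"""


def parse_stats(text):
    """Parse 'statistic name <spaces> integer' lines into a dict."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s+(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def unexplained_failures(prev, curr, per_expiry_allowance=25):
    """Return {counter: delta} for failure counters that grew by more than
    SA churn in the same interval accounts for. per_expiry_allowance is an
    assumed tuning value: late packets tolerated per expired or rekeyed SA.
    A negative delta (counters reset) is never flagged."""
    churn = sum(max(curr.get(c, 0) - prev.get(c, 0), 0) for c in CHURN_COUNTERS)
    budget = churn * per_expiry_allowance
    deltas = {c: curr.get(c, 0) - prev.get(c, 0) for c in FAILURE_COUNTERS}
    return {c: d for c, d in deltas.items() if d > budget}


if __name__ == "__main__":
    print(unexplained_failures(parse_stats(SNAPSHOT_1), parse_stats(SNAPSHOT_2)))
```

With the constructed snapshots, the rise in Bad SPI Packets falls within what four SA expiries allow, while the jump in Packets Not Authenticated does not and is the counter worth investigating.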

Security associations

This view displays the active SAs with this computer. An SA is the combination of a negotiated key, security protocol, and SPI, which together define the security used to protect the communication from sender to receiver. Therefore, by looking at the security associations for this computer, you can determine which computers have connections with this computer, which type of data integrity and encryption is being used for that connection, and other information.

This information can be helpful when you are testing IPsec policies and troubleshooting access issues.

Adding, removing, and sorting columns

You can add, remove, rearrange, and sort by these columns in the results pane:

  • Me. This is the IP address of the local computer.

  • Peer. This is the IP address of the remote computer.

  • Protocol. This is the protocol specified in the filter.

  • My Port. This is the TCP or UDP port of the local computer specified in the filter.

  • Peer Port. This is the TCP or UDP port of the remote computer specified in the filter.

  • Negotiation Policy. This is the name of the Quick Mode negotiation policy, or cryptographic settings.

  • AH Integrity. This is the AH protocol-specific data integrity method used for peer communications.

  • ESP Confidentiality. This is the ESP protocol-specific encryption method used for peer communications.

  • ESP Integrity. This is the ESP protocol-specific data integrity method used for peer communications.

  • My Tunnel Endpoint. This is the tunnel endpoint nearest the local computer, if one was specified.

  • Peer Tunnel Endpoint. This is the tunnel endpoint nearest the local computer, if one was specified.

Additional references