Event ID 5451
An IPsec quick mode security association was established.
Local Endpoint:
Network Address: %1
Network Address mask: %2
Port: %3
Tunnel Endpoint: %4
Remote Endpoint:
Network Address: %5
Network Address Mask: %6
Port: %7
Private Address: %8
Tunnel Endpoint: %9
Protocol: %10
Keying Module Name: %11
Cryptographic Information:
Integrity Algorithm - AH: %12
Integrity Algorithm - ESP: %13
Encryption Algorithm: %14
Security Association Information:
Lifetime - seconds: %15
Lifetime - data: %16
Lifetime - packets: %17
Mode: %18
Role: %19
Quick Mode Filter ID: %20
Main Mode SA ID: %21
Quick Mode SA ID: %22
Additional Information:
Inbound SPI: %23
Outbound SPI: %24
Event 5451 records the successful establishment of an IPsec Quick Mode security association (SA).
Auditing:
Rarely
Security events in the Audit IPsec Quick Mode subcategory are monitored primarily for IPsec Quick Mode troubleshooting. Not recommended for general security monitoring due to volume. Enable only when actively diagnosing IPsec SA negotiation issues, auditing compliance requirements around encrypted host-to-host communication, or forensically reconstructing which hosts established IPsec sessions during a specific timeframe.
Volume:
High
On any system actively using IPsec, a new Quick Mode SA is negotiated for every protected connection and refreshed on key lifetime expiry. On a busy server this can produce hundreds of events per hour.
| Name | Field | Insertion String | OS | Example |
|---|---|---|---|---|
| Local Network Address | LocalAddress | %1 | Any | 10.0.0.10 |
| Local Network Address Mask | LocalMask | %2 | Any | 255.255.255.255 |
| Local Port | LocalPort | %3 | Any | 0 |
| Local Tunnel Endpoint | LocalTunnelEndpoint | %4 | Any | 0.0.0.0 |
| Remote Network Address | RemoteAddress | %5 | Any | 10.0.0.20 |
| Remote Network Address Mask | RemoteMask | %6 | Any | 255.255.255.255 |
| Remote Port | RemotePort | %7 | Any | 0 |
| Remote Private Address | RemotePrivateAddress | %8 | Any | 0.0.0.0 |
| Remote Tunnel Endpoint | RemoteTunnelEndpoint | %9 | Any | 0.0.0.0 |
| Protocol | Protocol | %10 | Any | 0 |
| Keying Module Name | KeyingModuleName | %11 | Any | IKEv2 |
| Integrity Algorithm - AH | IntegrityAlgorithmAH | %12 | Any | - |
| Integrity Algorithm - ESP | IntegrityAlgorithmESP | %13 | Any | SHA-256 |
| Encryption Algorithm | EncryptionAlgorithm | %14 | Any | AES-128 |
| Lifetime - seconds | LifetimeSeconds | %15 | Any | 3600 |
| Lifetime - data | LifetimeData | %16 | Any | 0 |
| Lifetime - packets | LifetimePackets | %17 | Any | 0 |
| Mode | Mode | %18 | Any | %%2566 |
| Role | Role | %19 | Any | %%2561 |
| Quick Mode Filter ID | QuickModeFilterId | %20 | Any | 84392 |
| Main Mode SA ID | MainModeSaId | %21 | Any | {A1B2C3D4-E5F6-...} |
| Quick Mode SA ID | QuickModeSaId | %22 | Any | {B2C3D4E5-F6A7-...} |
| Inbound SPI | InboundSpi | %23 | Any | 0x1A2B3C4D |
| Outbound SPI | OutboundSpi | %24 | Any | 0x5E6F7A8B |
Values of 0 indicate any port / any protocol in the traffic selector. Non-zero values narrow the SA to specific traffic.
Tunnel endpoint fields are 0.0.0.0 in Transport Mode. They carry real IP addresses only in Tunnel Mode (e.g. VPN gateway scenarios).
Integrity Algorithm - AH shows "-" on most modern deployments because AH is rarely used; ESP with integrity is the standard.
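As an added example, not part of this reference page: a Python script that parses an exported batch of Event 5451 records (a constructed sample in Windows Event XML shape, using the field names from the table above), reconstructs which host pairs established SAs, derives Transport versus Tunnel Mode from the tunnel endpoint fields, and flags SAs negotiated with algorithms outside a hypothetical approved set. The allow-lists and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample export: two Event 5451 records plus one unrelated event that must be skipped.
SAMPLE_XML = """<Events>
<Event><System><EventID>5451</EventID><TimeCreated SystemTime="2024-01-10T09:00:00Z"/></System>
<EventData><Data Name="LocalAddress">10.0.0.10</Data><Data Name="RemoteAddress">10.0.0.20</Data>
<Data Name="LocalTunnelEndpoint">0.0.0.0</Data><Data Name="RemoteTunnelEndpoint">0.0.0.0</Data>
<Data Name="KeyingModuleName">IKEv2</Data><Data Name="IntegrityAlgorithmAH">-</Data>
<Data Name="IntegrityAlgorithmESP">SHA-256</Data><Data Name="EncryptionAlgorithm">AES-128</Data>
</EventData></Event>
<Event><System><EventID>5451</EventID><TimeCreated SystemTime="2024-01-10T09:05:00Z"/></System>
<EventData><Data Name="LocalAddress">10.0.0.10</Data><Data Name="RemoteAddress">192.0.2.5</Data>
<Data Name="LocalTunnelEndpoint">203.0.113.1</Data><Data Name="RemoteTunnelEndpoint">198.51.100.7</Data>
<Data Name="KeyingModuleName">IKEv1</Data><Data Name="IntegrityAlgorithmAH">-</Data>
<Data Name="IntegrityAlgorithmESP">MD5</Data><Data Name="EncryptionAlgorithm">DES</Data>
</EventData></Event>
<Event><System><EventID>5152</EventID><TimeCreated SystemTime="2024-01-10T09:06:00Z"/></System>
<EventData><Data Name="Application">x</Data></EventData></Event>
</Events>"""

# Hypothetical organisational policy: algorithms accepted for a Quick Mode SA; anything else is flagged.
ALLOWED_INTEGRITY = {"SHA-256", "SHA-384"}
ALLOWED_ENCRYPTION = {"AES-128", "AES-192", "AES-256"}


def parse_5451(xml_text):
    """Return one dict per Event 5451 record in the export; other event IDs are ignored."""
    records = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        if ev.findtext("System/EventID") != "5451":
            continue
        rec = {"time": ev.find("System/TimeCreated").get("SystemTime")}
        rec.update((d.get("Name"), d.text or "") for d in ev.iter("Data"))
        # Transport Mode leaves the tunnel endpoints at 0.0.0.0; a real address means Tunnel Mode.
        rec["mode"] = "transport" if rec.get("RemoteTunnelEndpoint") == "0.0.0.0" else "tunnel"
        records.append(rec)
    return records


def audit(records):
    """Count SAs per (local, remote) pair and list SAs negotiated with non-approved algorithms."""
    pairs = Counter((r["LocalAddress"], r["RemoteAddress"]) for r in records)
    findings = []
    for r in records:
        weak = [f"{k}={r.get(k, '?')}" for k, ok in
                (("IntegrityAlgorithmESP", ALLOWED_INTEGRITY), ("EncryptionAlgorithm", ALLOWED_ENCRYPTION))
                if r.get(k) not in ok]
        if weak:
            findings.append((r["time"], r["LocalAddress"], r["RemoteAddress"], r["mode"], weak))
    return pairs, findings
```

Feed it the output of an `wevtutil qe Security /q:"*[System[EventID=5451]]" /f:xml` export wrapped in a root element, or any equivalent XML export, to get the same summary over real data.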
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"IPsec Quick Mode"