
Windows Event ID 4962 – Microsoft-Windows-Security-Auditing: IPsec Main Mode Security Association Established

Event ID 4962 logs when Windows successfully establishes an IPsec Main Mode security association between two endpoints, indicating secure tunnel creation for network communications.

Emanuel DE ALMEIDA, 18 March 2026, 12 min read

What This Event Means

Windows Event ID 4962 represents a successful IPsec Main Mode security association establishment within the Windows IPsec implementation. This event occurs during the first phase of IPsec negotiation, where two endpoints authenticate each other and establish a secure channel for subsequent communications.

The Main Mode process involves six message exchanges between the initiator and responder, negotiating security parameters including encryption algorithms (AES, 3DES), integrity algorithms (SHA-256, MD5), authentication methods (certificates, pre-shared keys), and Diffie-Hellman groups for key exchange. Event 4962 logs the successful completion of this negotiation phase.

This event contains crucial forensic information including source and destination IP addresses, security parameter indexes (SPIs), negotiated cryptographic suite details, and authentication method used. The event helps administrators verify that IPsec policies are functioning correctly and provides audit trails for security compliance requirements.

In Windows Server 2025 and Windows 11 24H2, Microsoft enhanced IPsec logging to include additional context about policy sources and negotiation performance metrics, making Event 4962 even more valuable for network security monitoring and troubleshooting.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • Successful IPsec policy negotiation between two Windows systems
  • VPN client establishing secure tunnel to Windows Server
  • Domain isolation policy triggering IPsec authentication
  • Manual IPsec configuration completing Main Mode negotiation
  • Network Access Protection (NAP) requiring IPsec authentication
  • DirectAccess client connecting to corporate network
  • Site-to-site VPN tunnel establishment between Windows servers
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the complete event details to understand the IPsec negotiation parameters.

  1. Open Event Viewer → Windows Logs → Security
  2. Filter for Event ID 4962 using the filter option
  3. Double-click the event to view detailed properties
  4. Note the following key fields:
    • Source Network Address - Initiating endpoint
    • Destination Network Address - Responding endpoint
    • Authentication Method - Certificate, Kerberos, or PSK
    • Main Mode Crypto Suite - Negotiated algorithms
    • Security Parameter Index (SPI) - Unique SA identifier
  5. Cross-reference with corresponding Event ID 4960 (negotiation started) for complete timeline
Pro tip: The SPI value helps correlate this Main Mode SA with subsequent Quick Mode events (4978) for the same connection.
02

Query IPsec Events with PowerShell

Use PowerShell to analyze IPsec Main Mode establishment patterns and identify potential issues.

  1. Query recent Event 4962 occurrences:
    # Split each field line on the first colon only, so IPv6 endpoint addresses are not truncated
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4962} -MaxEvents 50 | Select-Object TimeCreated, @{Name='SourceIP';Expression={($_.Message -split '\n' | Where-Object {$_ -match 'Source Network Address:'} | ForEach-Object {($_ -split ':',2)[1].Trim()})}}, @{Name='DestIP';Expression={($_.Message -split '\n' | Where-Object {$_ -match 'Destination Network Address:'} | ForEach-Object {($_ -split ':',2)[1].Trim()})}}
  2. Analyze IPsec negotiation frequency by endpoint:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4962} -MaxEvents 1000
    $Events | ForEach-Object {
        $Message = $_.Message
        # First-colon split keeps IPv6 addresses intact
        $SourceIP = ($Message -split '\n' | Where-Object {$_ -match 'Source Network Address:'} | ForEach-Object {($_ -split ':',2)[1].Trim()})
        [PSCustomObject]@{
            Time = $_.TimeCreated
            SourceIP = $SourceIP
        }
    } | Group-Object SourceIP | Sort-Object Count -Descending
  3. Check for authentication method distribution:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4962} -MaxEvents 200 | ForEach-Object {
        $AuthMethod = ($_.Message -split '\n' | Where-Object {$_ -match 'Authentication Method:'} | ForEach-Object {($_ -split ':',2)[1].Trim()})
        $AuthMethod
    } | Group-Object | Sort-Object Count -Descending
03

Verify IPsec Policy Configuration

Examine the underlying IPsec policies that triggered the Main Mode negotiation to ensure proper configuration.

  1. Check active IPsec policies using netsh:
    netsh ipsec static show all
  2. Review current IPsec security associations:
    netsh ipsec dynamic show all
  3. For Windows Firewall with Advanced Security policies:
    Get-NetIPsecRule | Where-Object {$_.Enabled -eq 'True'} | Select-Object DisplayName, Profile, Direction, Action
  4. Check IPsec Main Mode policies:
    Get-NetIPsecMainModeRule | Format-Table DisplayName, Enabled, MainModeCryptoSet
  5. Examine authentication methods configured:
    Get-NetIPsecAuthProposal | Format-Table
  6. Verify certificate-based authentication if applicable:
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.EnhancedKeyUsageList -match 'IP security IKE intermediate'}
Warning: Modifying IPsec policies can disrupt network connectivity. Always test changes in a controlled environment first.
04

Analyze IPsec Performance and Troubleshoot Issues

Investigate IPsec performance metrics and identify potential negotiation problems using advanced monitoring techniques.

  1. Enable detailed IPsec logging in the registry:
    # The registry provider path needs the HKLM: drive prefix
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters' -Name 'EnableLogging' -Value 1 -Type DWord
  2. Monitor IPsec service performance:
    Get-Counter '\IPSec IKEv1 IPv4\Active Main Mode SAs', '\IPSec IKEv1 IPv4\Main Mode Negotiations/sec' -SampleInterval 5 -MaxSamples 12
  3. Check for failed negotiations preceding successful ones:
    $StartTime = (Get-Date).AddHours(-4)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4961,4962; StartTime=$StartTime} | Sort-Object TimeCreated | Select-Object Id, TimeCreated, @{Name='EventType';Expression={if($_.Id -eq 4961){'Failed'}else{'Success'}}}
  4. Analyze negotiation timing patterns:
    # Sort oldest-first, then pair each 4962 with the most recent 4960 from the same source IP
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4960,4962} -MaxEvents 100 | Sort-Object TimeCreated
    $Pending = @{}   # source IP -> time of the latest 4960 (negotiation started) still awaiting a 4962
    $Events | ForEach-Object {
        $SourceIP = ($_.Message -split '\n' | Where-Object {$_ -match 'Source Network Address:'} | ForEach-Object {($_ -split ':',2)[1].Trim()})
        if(-not $SourceIP) { return }   # skip events without a parsable source address
        if($_.Id -eq 4960) { $Pending[$SourceIP] = $_.TimeCreated }
        elseif($_.Id -eq 4962 -and $Pending.ContainsKey($SourceIP)) {
            [PSCustomObject]@{SourceIP=$SourceIP; Start=$Pending[$SourceIP]; End=$_.TimeCreated; DurationSeconds=($_.TimeCreated - $Pending[$SourceIP]).TotalSeconds}
            $Pending.Remove($SourceIP)
        }
    }
  5. Review Windows IPsec service logs:
    Get-WinEvent -LogName 'Microsoft-Windows-PolicyAgent/Operational' -MaxEvents 50 | Where-Object {$_.LevelDisplayName -eq 'Error' -or $_.LevelDisplayName -eq 'Warning'}
05

Advanced IPsec Monitoring and Compliance Reporting

Implement comprehensive IPsec monitoring for security compliance and advanced troubleshooting scenarios.

  1. Create a custom IPsec monitoring script:
    # IPsec Main Mode Monitoring Script
    $LogName = 'Security'
    $EventID = 4962
    $Hours = 24
    
    # -ErrorAction SilentlyContinue avoids a terminating error when no events match in the window
    $Events = Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=$EventID; StartTime=(Get-Date).AddHours(-$Hours)} -ErrorAction SilentlyContinue
    
    $Report = $Events | ForEach-Object {
        $Message = $_.Message
        # Split on the first colon only so IPv6 endpoint addresses are preserved
        $SourceIP = ($Message -split '\n' | Where-Object {$_ -match 'Source Network Address:'} | ForEach-Object {($_ -split ':',2)[1].Trim()})
        $DestIP = ($Message -split '\n' | Where-Object {$_ -match 'Destination Network Address:'} | ForEach-Object {($_ -split ':',2)[1].Trim()})
        $AuthMethod = ($Message -split '\n' | Where-Object {$_ -match 'Authentication Method:'} | ForEach-Object {($_ -split ':',2)[1].Trim()})
        
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            SourceIP = $SourceIP
            DestinationIP = $DestIP
            AuthenticationMethod = $AuthMethod
            RecordId = $_.RecordId
        }
    }
    
    $Report | Export-Csv -Path "C:\Temp\IPsec_MainMode_Report_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  2. Set up automated alerting for IPsec policy violations:
    Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = 4961" -Action {
        $Event = $Event.SourceEventArgs.NewEvent.TargetInstance
        Send-MailMessage -To 'admin@company.com' -From 'ipsec-monitor@company.com' -Subject 'IPsec Main Mode Failure' -Body "Failed negotiation detected at $(Get-Date)" -SmtpServer 'mail.company.com'
    }
  3. Configure Windows Event Forwarding for centralized IPsec monitoring:
    wecutil cs subscription.xml
    where subscription.xml contains the IPsec event collection configuration.
  4. Use Group Policy to standardize IPsec logging across domain:
    • Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
    • Enable Audit IPsec Main Mode and Audit IPsec Quick Mode
    • Configure Success and Failure auditing as required
Pro tip: In Windows Server 2025, use the new IPsec Analytics ETW provider for real-time performance monitoring: Get-WinEvent -ListProvider Microsoft-Windows-IPsec-Analytics

Overview

Event ID 4962 fires when Windows successfully establishes an IPsec Main Mode security association (SA) between two network endpoints. This event appears in the Security log and indicates that the initial phase of IPsec negotiation has completed successfully. Main Mode establishes the secure channel used for subsequent Quick Mode negotiations that protect actual data traffic.

This event is critical for environments using IPsec for network security, VPN connections, or domain isolation policies. The event contains detailed information about the negotiated security parameters, including encryption algorithms, authentication methods, and endpoint identifiers. System administrators monitoring IPsec deployments rely on this event to verify proper tunnel establishment and troubleshoot connectivity issues.

The event typically appears alongside other IPsec-related events in the 4960-4970 range and provides essential audit information for compliance and security monitoring. Understanding this event helps administrators validate IPsec policy enforcement and identify potential security association failures.

Frequently Asked Questions

What does Event ID 4962 mean and why is it important?
Event ID 4962 indicates successful establishment of an IPsec Main Mode security association between two network endpoints. This event is crucial because it confirms that the initial phase of IPsec negotiation completed successfully, establishing the secure channel needed for subsequent data protection. The event provides audit information about authentication methods, encryption algorithms, and endpoint details, making it essential for security compliance and network troubleshooting in environments using IPsec for VPNs, domain isolation, or network security policies.
How can I correlate Event 4962 with other IPsec events for complete connection tracking?
Event 4962 should be correlated with Event 4960 (Main Mode negotiation started) and Event 4978 (IPsec Quick Mode established) for complete IPsec connection tracking. Use the Security Parameter Index (SPI) values and source/destination IP addresses to match related events. The timeline typically shows: Event 4960 → Event 4962 → Event 4978. You can also correlate with Event 4961 (Main Mode failure) to identify retry attempts. PowerShell queries filtering on these event IDs within specific time windows help build complete IPsec session timelines for troubleshooting and security analysis.
What authentication methods can trigger Event 4962 and how do I identify them?
Event 4962 can be triggered by several authentication methods including computer certificates, Kerberos authentication, pre-shared keys (PSK), and user certificates. The authentication method is specified in the event message under the 'Authentication Method' field. Certificate-based authentication shows as 'Machine Certificate' or 'User Certificate', Kerberos appears as 'Kerberos', and pre-shared keys display as 'Pre-shared key'. You can analyze authentication method distribution using PowerShell to parse the event messages and group by authentication type, helping identify security policy compliance and potential authentication issues.
Why am I seeing multiple Event 4962 entries for the same connection?
Multiple Event 4962 entries for the same connection typically occur due to IPsec security association rekeying, policy changes, or connection reestablishment after timeouts. IPsec Main Mode SAs have configurable lifetimes (default 8 hours) and automatically renew before expiration. Network interruptions, policy updates, or service restarts can also trigger new Main Mode negotiations. Check the timestamps and SPI values to distinguish between renewals and new connections. Frequent occurrences might indicate network instability, aggressive timeout settings, or policy conflicts requiring investigation of IPsec configuration and network connectivity.
How do I troubleshoot when Event 4962 is missing but IPsec should be active?
Missing Event 4962 when IPsec should be active indicates Main Mode negotiation failures or audit policy issues. First, verify IPsec audit policies are enabled in Group Policy under Advanced Audit Policy Configuration → Object Access → Audit IPsec Main Mode. Check for Event 4961 (Main Mode failure), which indicates negotiation attempts that failed. Verify IPsec policies are correctly configured using 'netsh ipsec dynamic show all' and check Windows Firewall IPsec rules. Review network connectivity, certificate validity, time synchronization, and firewall rules allowing IKE traffic on UDP port 500. Enable IPsec service logging for detailed troubleshooting information.
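To build the per-connection timeline this answer describes, here is an added PowerShell example (not the article's own code) that parses each event message into a field table by splitting on the first colon, so IPv6 endpoints keep their colons, and pairs every 4961/4962 with the preceding 4960 from the same source address. The function names and the sample events are constructed; the field labels follow the 'Field Name: value' layout used throughout this article.

```powershell
# Added example, not the article's code: parse IPsec event messages and pair
# 4960 (started) with 4961 (failed) / 4962 (established) per source address.
function ConvertFrom-IPsecMessage {
    param([Parameter(Mandatory)][string]$Message)
    $Fields = @{}
    foreach ($Line in ($Message -split "`r?`n")) {
        # Split on the FIRST colon only so IPv6 addresses survive intact
        $Parts = $Line -split ':', 2
        if ($Parts.Count -eq 2 -and $Parts[0].Trim()) {
            $Fields[$Parts[0].Trim()] = $Parts[1].Trim()
        }
    }
    $Fields
}
function Get-IPsecTimeline {
    # $Events: objects exposing Id, TimeCreated and Message (as Get-WinEvent returns)
    param([Parameter(Mandatory)][object[]]$Events)
    $Pending = @{}   # source IP -> time of the latest 4960 still awaiting an outcome
    foreach ($E in ($Events | Sort-Object TimeCreated)) {
        $F = ConvertFrom-IPsecMessage $E.Message
        $Src = $F['Source Network Address']
        if (-not $Src) { continue }   # nothing to correlate on
        switch ($E.Id) {
            4960 { $Pending[$Src] = $E.TimeCreated }
            { $_ -in 4961, 4962 } {
                $Start = $Pending[$Src]
                [PSCustomObject]@{
                    SourceIP   = $Src
                    DestIP     = $F['Destination Network Address']
                    AuthMethod = $F['Authentication Method']
                    Outcome    = if ($E.Id -eq 4962) { 'Success' } else { 'Failed' }
                    Seconds    = if ($Start) { [math]::Round(($E.TimeCreated - $Start).TotalSeconds, 2) } else { $null }
                }
                $Pending.Remove($Src)
            }
        }
    }
}
# Constructed sample events (one IPv6 peer that succeeds, one IPv4 peer that fails)
$T0 = [datetime]'2026-03-18T09:00:00'
$Sample = @(
    [PSCustomObject]@{Id=4960; TimeCreated=$T0;                Message="IPsec Main Mode negotiation started.`r`n`r`nSource Network Address:`tfd00::10`r`nDestination Network Address:`tfd00::1"}
    [PSCustomObject]@{Id=4962; TimeCreated=$T0.AddSeconds(1.5); Message="An IPsec Main Mode security association was established.`r`n`r`nSource Network Address:`tfd00::10`r`nDestination Network Address:`tfd00::1`r`nAuthentication Method:`tMachine Certificate"}
    [PSCustomObject]@{Id=4960; TimeCreated=$T0.AddSeconds(5);   Message="Source Network Address:`t10.0.0.5`r`nDestination Network Address:`t10.0.0.1"}
    [PSCustomObject]@{Id=4961; TimeCreated=$T0.AddSeconds(35);  Message="Source Network Address:`t10.0.0.5`r`nDestination Network Address:`t10.0.0.1`r`nAuthentication Method:`tPre-shared key"}
)
Get-IPsecTimeline $Sample | Format-Table -AutoSize
```

Against live data, feed it the output of Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4960,4961,4962} instead of $Sample; a long Seconds value on a Failed row is the retry pattern the answer above describes.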
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
