Audit IPsec Extended Mode

This security policy setting determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.

Event volume: High

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

  • 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
  • 4979: IPsec Main Mode and Extended Mode security associations were established. (Note: This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information.)
  • 4980: IPsec Main Mode and Extended Mode security associations were established. (Note: This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information.)
  • 4981: IPsec Main Mode and Extended Mode security associations were established. (Note: This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information.)
  • 4982: IPsec Main Mode and Extended Mode security associations were established. (Note: This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information.)
  • 4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. (Note: This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information.)
  • 4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. (Note: This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information.)
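
The following is an added example, not part of the original documentation: it enables the subcategory with auditpol and then checks whether the invalid-packet and failure events listed above (4978, 4983, 4984) persist, by counting them per hour. The lookback window and the per-hour threshold are assumptions to tune for your environment.

```powershell
# Run from an elevated PowerShell prompt on the computer being audited.

# Enable success and failure auditing for this subcategory, then confirm the setting.
auditpol /set /subcategory:"IPsec Extended Mode" /success:enable /failure:enable
auditpol /get /subcategory:"IPsec Extended Mode"

$LookbackHours = 24   # assumption: how far back to look
$Threshold     = 20   # assumption: events per ID per hour treated as "persistent"

# Short labels taken from the event descriptions in the list above.
$Label = @{
    4978 = 'Invalid Extended Mode negotiation packet received'
    4983 = 'Extended Mode negotiation failed (certificate-based Main Mode SA deleted)'
    4984 = 'Extended Mode negotiation failed (Main Mode SA deleted)'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4978, 4983, 4984
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

# Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No 4978/4983/4984 events in the last $LookbackHours hours."
}
else {
    # Bucket by event ID and hour so a sustained problem stands out from a one-off failure.
    $events |
        Group-Object -Property Id, { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        ForEach-Object {
            $id = [int]$_.Values[0]
            [pscustomobject]@{
                Hour       = $_.Values[1]
                EventId    = $id
                Count      = $_.Count
                Persistent = ($_.Count -ge $Threshold)
                Meaning    = $Label[$id]
            }
        } |
        Sort-Object Hour, EventId |
        Format-Table -AutoSize
}
```

Rows marked Persistent for 4978 are the ones to investigate first, since the event text ties a persisting problem to a network issue or an attempt to modify or replay the negotiation.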

Scope: Computer

Default: Not configured
