JSI Tip 8715. Modifying a Windows Server 2003 IPSec policy from some Windows XP SP1 clients, or from any Windows 2000 client, will corrupt the IPSec policy?

Jerold Schulman

November 22, 2004


If you modify a Windows Server 2003 Internet Protocol security policy from a Windows 2000 client, or from a Windows XP SP1 client that does NOT have the 818043 hotfix, you will corrupt the IPSec policy.

NOTE: The problem does NOT occur from Windows XP SP2.

When the policy is corrupted, clients that use IPSec may experience any of the following:

  • Network traffic that should be encapsulated is NOT.

  • If the IPSec policy is configured in required mode, network negotiation will fail and communication will be blocked.

  • Problems accessing shared resources via Windows Explorer.

  • Problems with the NET USE command and functionality.

NOTE: Examine %systemroot%\debug\Oakley.log (the IKE negotiation log) for evidence of connectivity issues.

Other possible symptoms for clients that use IPSec are:

  • No log entry indicating that the policy failed to apply.

  • When pinging, a client receives "Network destination was unreachable" (if PING, that is ICMP, is a protocol covered by the IPSec policy).

To fix the corrupted Windows Server 2003 IPSec policy, use any of the following:

  • Use the IPSec policy GUI to import a policy that was exported before the corruption.

  • Perform an authoritative restore of a system state backup that was taken before the corruption.

  • Delete and re-create the policy.

To prevent this behavior:

  • Make sure that all operational personnel know to never use Windows 2000 to modify the policy.

  • Make sure that all Windows XP computers are running SP2 or the 818043 hotfix.

  • Perform frequent system state backups.

  • Export the IPSec policy frequently so it can be imported if corruption occurs.
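The export and import steps above can be scripted so that a known-good copy of the policy exists before anyone touches it. The following batch file is an added example and is not part of the original tip; it uses the netsh ipsec static context that ships with Windows Server 2003. The backup folder C:\IPSecPolicyBackups, the domain name example.local and the "ddd MM/DD/YYYY" layout assumed for %DATE% are placeholders to adjust for your environment.

```batch
@echo off
REM ipsec-policy-backup.cmd -- added example, not part of the original tip.
REM Exports the IPSec policy store to a dated .ipsec file so that a known-good
REM copy can be imported if the policy is later corrupted.
REM Usage:  ipsec-policy-backup.cmd [local|domain]   (default: local)
REM Assumes Windows Server 2003 with the "netsh ipsec static" context.
setlocal

set BACKUPDIR=C:\IPSecPolicyBackups
set IPSECDOMAIN=example.local
set STORE=%1
if "%STORE%"=="" set STORE=local

if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

REM Date stamp built from %DATE%. Its layout depends on regional settings;
REM the offsets below assume "ddd MM/DD/YYYY" (for example "Mon 11/22/2004").
set STAMP=%DATE:~10,4%-%DATE:~4,2%-%DATE:~7,2%
set OUTFILE=%BACKUPDIR%\ipsec-%STORE%-%STAMP%.ipsec

REM "set store" only persists within one netsh session, so the store selection
REM and the export are written to a netsh script and run with netsh -f rather
REM than as two separate netsh invocations.
set SCRIPT=%TEMP%\ipsec-export-%RANDOM%.txt
if /i "%STORE%"=="domain" (
    echo ipsec static set store location=domain domain=%IPSECDOMAIN% > "%SCRIPT%"
) else (
    echo ipsec static set store location=local > "%SCRIPT%"
)
echo ipsec static exportpolicy file="%OUTFILE%" >> "%SCRIPT%"

netsh -f "%SCRIPT%"
del "%SCRIPT%" >nul 2>&1

REM netsh's exit code is not a reliable success signal for every subcommand,
REM so verify that the export file was actually written.
if not exist "%OUTFILE%" (
    echo Export of the %STORE% IPSec policy store failed: %OUTFILE% was not written.
    exit /b 1
)
echo Exported %STORE% IPSec policy store to %OUTFILE%

REM To restore after corruption, import the last known-good file in the same
REM store context, for example:
REM   netsh ipsec static importpolicy file="C:\IPSecPolicyBackups\ipsec-local-2004-11-22.ipsec"
endlocal
```

Run it from a scheduled task on the server that hosts the policy, and keep the exported files alongside the system state backups so that either recovery path in the list above is available. For a domain-based policy, importing into the domain store rewrites the policy object in Active Directory, so import only a file that was exported before the corruption occurred.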
