If you modify a Windows Server 2003 Internet Protocol security (IPSec) policy from a Windows 2000 client, or from a Windows XP SP1 client that does NOT have the 818043 hotfix, you will corrupt the IPSec policy.
NOTE: The problem does NOT occur from Windows XP SP2.
When the policy is corrupted, clients that use IPSec may experience any of the following:
- Network traffic that should be encapsulated is NOT.
- If the IPSec policy is configured in required mode, network negotiation will fail and communication will be blocked.
- Problems accessing shared resources via Windows Explorer.
- Problems with the NET USE command and functionality.
Other possible symptoms for clients that use IPSec are:
- No logging that the policy did not apply.
- When pinging, a client receives "Network destination was unreachable" (if PING is an IPSec policy protocol).
To recover from the corruption:
- Use the IPSec policy GUI to import a policy that was exported before the corruption.
- Perform an authoritative restore of a system state backup that was taken before the corruption.
- Delete and re-create the policy.
To prevent the corruption:
- Make sure that all operational personnel know to never use Windows 2000 to modify the policy.
- Make sure that all Windows XP computers are running SP2 or the 818043 hotfix.
- Perform frequent system state backups.
- Export the IPSec policy frequently so it can be imported if corruption occurs.