JSI Tip 8715. Modifying a Windows Server 2003 IPSec policy from some Windows XP SP1 clients, or from any Windows 2000 client, will corrupt the IPSec policy?

If you modify a Windows Server 2003 Internet Protocol security policy from a Windows 2000 client, or from a Windows XP SP1 client that does NOT have the 818043 hotfix, you will corrupt the IPSec policy.

NOTE: The problem does NOT occur when the policy is modified from a Windows XP SP2 client.

When the policy is corrupted, clients that use IPSec may experience any of the following:

  • Network traffic that should be encapsulated is NOT.

  • If the IPSec policy is configured in required mode, network negotiation will fail and communication will be blocked.

  • Problems accessing shared resources via Windows Explorer.

  • Problems with the NET USE command and functionality.

NOTE: Examine %systemroot%\Debug\Oakley.log for evidence of connectivity issues.

Other possible symptoms for clients that use IPSec are:

  • No logging to indicate that the policy did not apply.

  • When pinging, a client receives "Network destination was unreachable" (if PING is a protocol covered by the IPSec policy).

To fix the corrupted Windows Server 2003 IPSec policy, use any of the following:

  • Use the IPSec policy GUI to import a policy that was exported before the corruption.

  • Perform an authoritative restore of a system state backup that was taken before the corruption.

  • Delete and re-create the policy.

To prevent this behavior:

  • Make sure that all operational personnel know to never use Windows 2000 to modify the policy.

  • Make sure that all Windows XP computers are running SP2 or the 818043 hotfix.

  • Perform frequent system state backups.

  • Export the IPSec policy frequently so it can be imported if corruption occurs.
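The export and import steps above can be scripted so the backup actually happens on a schedule. The batch file below is an added example, not part of the original tip: it is meant to run on the Windows Server 2003 computer itself (never from a Windows 2000 or XP SP1 client) and uses the netsh ipsec static exportpolicy/importpolicy commands as a command-line alternative to the GUI; the BACKUP_DIR path is an assumption.

```batch
@echo off
rem Scheduled IPSec policy export for a Windows Server 2003 computer.
rem Added example, not from the original tip. Assumes netsh ipsec and wmic
rem are available (both ship with Windows Server 2003) and BACKUP_DIR is writable.
setlocal
set BACKUP_DIR=D:\IPSecBackups
if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

rem Build a locale-independent YYYYMMDDhhmm stamp from WMI instead of %date%,
rem whose format changes with the regional settings.
set STAMP=
for /f "skip=1 tokens=1" %%d in ('wmic os get localdatetime') do (
    if not defined STAMP set STAMP=%%d
)
set STAMP=%STAMP:~0,12%

rem Export the local IPSec policy store; the .ipsec extension matches the GUI export.
set OUTFILE=%BACKUP_DIR%\ipsecpolicy-%STAMP%.ipsec
netsh ipsec static exportpolicy file="%OUTFILE%"
if not exist "%OUTFILE%" (
    echo IPSec policy export FAILED: %OUTFILE% was not created 1>&2
    endlocal
    exit /b 1
)
echo Exported IPSec policy store to %OUTFILE%

rem Optional: take a system state backup at the same time (ntbackup, Windows Server 2003).
rem ntbackup backup systemstate /j "IPSec-SystemState" /f "%BACKUP_DIR%\systemstate-%STAMP%.bkf"

rem To recover from a corrupted policy, run on the same server with a pre-corruption export:
rem   netsh ipsec static importpolicy file="%BACKUP_DIR%\ipsecpolicy-YYYYMMDDhhmm.ipsec"
endlocal
exit /b 0
```

Run it from a scheduled task under an account that can read the policy store, and keep the export directory off the server's own IPSec-protected paths so it stays reachable while the policy is broken.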
