Unable to Configure IP Security Using the Unattend.exe Utility (227339)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q227339

SYMPTOMS

When you automate the installation of Windows 2000 using the unattended installation method, you are unable to configure the Transport Control Protocol/Internet Protocol (TCP/IP) Internet Protocol security (IPSec) settings.

CAUSE

This issue occurs if IPSec parameters were not created for the Unattend.txt answer file used by the Unattend.exe utility.

RESOLUTION

To work around this issue, manually configure IPSec on the Windows 2000-based computer.

MORE INFORMATION

This section describes how to install IPSec and provides other related information.

NOTE: Before you configure IPSec to be used for communication between computers, you must test basic TCP/IP connectivity between the computers with a tool such as Ping.exe. Basic TCP/IP connectivity must be functioning before IPSec can be successfully implemented.

  1. Add the IPSec Snap-in to the MMC:

    1. Click Start, click Run, type mmc.exe, and then press ENTER.
    2. Add IP Security Policy Management to the console, and then select Local Computer when prompted.
  2. Create an IPSec Policy:

    1. In the right pane, right-click IP Security Policy on Local Machine, click Create IP Security Policy, and then press ENTER.
    2. Enter a policy name, and then press ENTER.
    3. Accept the default settings for the Requests for Secure Connection screen by leaving the default response rule check box checked, and then click Next.
    4. Accept the default response rule for Kerberos authentication, and then click Next.
    5. Make sure the Edit Properties check box is checked, and if it is not, click to select it.
    6. Click Finish. The properties box appears; do not close it.
  3. Add a New Rule:

    1. At the bottom of the Properties dialog box, click to clear the Use Add Wizard check box.
    2. On the Rules tab of the Properties dialog box, click Add. The New Rule Properties dialog box appears.
  4. Add a Filter to the Rule:

    1. Click Add, and then enter a filter name.
    2. Click to clear the Use Add Wizard check box.
    3. On the IP Filter List tab, click Add.
    4. In the Filter Properties box, change the Source Address to Specific IP Address, and then add the IP address of your computer.
    5. Change Destination Address to Specific IP Address, and then add the IP address of the destination computer.
    6. Click OK, verify that your filter has been added in the filters box of the IP Filter List dialog box, and then click Close.
    7. On the IP Filter List tab, activate the filter by clicking the option next to the filter list you just added.
  5. Specify a Filter Action for the Rule:

    1. Click the Filter Action tab, and then click to clear the Use Add Wizard check box.
    2. Click Add to create a filter action.
    3. On the Security Methods tab, ensure that Negotiate Security is selected.
    4. Verify that Allow Unsecured Communication with Non IPSec Aware Computer is not selected.
    5. Click Add to choose a security method.
    6. Select Medium (AH), and then click OK.
    7. Click OK to close the new Filter Action properties.
    8. To activate the filter, click the option next to the filter you just created.
  6. Set the Authentication Method:

    1. Click the Authentication Method tab, click Add, and then click Pre-shared Key.
    2. Type a pre-shared password key in the text box, and then click OK.
    3. Choose Pre-shared Key in the list, and then click Move Up so it appears first in the list.
    4. Click the Tunnel Settings tab, and verify that This rule does not specify an IPSec tunnel is selected.
    5. Click the Connection Type tab, and verify that All Network Connections is selected.
    6. Click Close, and verify that this new rule is selected in the list box.
    7. In the right pane of the MMC, right-click the policy name you just created, and then click Assign. The Policy Assigned column value should now be YES.
    8. Enable the IP security policy on both computers.
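
On Windows versions that include the netsh ipsec static context (Windows Server 2003 and later; it is not present in Windows 2000), steps 2 through 6 can be scripted. The batch file below is an added example, not part of the original article. The policy, filter and rule names, the 192.0.2.x addresses, the AH[SHA1] algorithm, the mirrored filter and the key placeholder are assumptions.

```bat
@echo off
rem Added example: scripted equivalent of steps 2-6 of the procedure above.
rem Requires the "netsh ipsec static" context (not available on Windows 2000).
rem Run on each peer with LOCAL_IP and PEER_IP swapped.
rem Every name, address and key below is a constructed placeholder.
setlocal
set POLICY=Lab-AH-Policy
set FLIST=Lab-Peer-Filter
set FACTION=Lab-Require-AH
set RULE=Lab-Peer-Rule
set LOCAL_IP=192.0.2.10
set PEER_IP=192.0.2.20
set PSK=REPLACE_WITH_SHARED_KEY

rem Step 2: create the policy and keep the default response rule.
netsh ipsec static add policy name="%POLICY%" activatedefaultrule=yes || goto :fail

rem Step 4: filter list with one filter, this computer to the peer.
rem mirrored=yes also matches the return traffic (assumed, see lead-in).
netsh ipsec static add filterlist name="%FLIST%" || goto :fail
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%LOCAL_IP% dstaddr=%PEER_IP% protocol=ANY mirrored=yes || goto :fail

rem Step 5: negotiate security with AH only (integrity, no encryption).
rem soft=no   : do not fall back to unsecured communication with
rem             computers that are not IPSec-aware.
rem inpass=no : do not accept unsecured inbound traffic.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate soft=no inpass=no qmsecmethods="AH[SHA1]" || goto :fail

rem Step 6: bind filter list and filter action into a rule that
rem authenticates with a pre-shared key, on all network connections.
rem No tunnel endpoint is given, so the rule does not specify a tunnel.
netsh ipsec static add rule name="%RULE%" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" psk="%PSK%" conntype=all || goto :fail

rem Step 6, item 7: assign the policy, then print it for review.
netsh ipsec static set policy name="%POLICY%" assign=y || goto :fail
netsh ipsec static show policy name="%POLICY%" level=verbose
exit /b 0

:fail
echo IPSec policy creation failed; review the netsh output above.
exit /b 1
```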

For additional information about IP security, click the article number below to view the article in the Microsoft Knowledge Base:

231585 Overview of Secure IP Communication with IPSec in Windows 2000


Modification Type: Major
Last Reviewed: 11/21/2003
Keywords: kbnetwork kbprb KB227339