Modifying an Internet Protocol security (IPSec) policy from a Windows XP SP1-based or Windows 2000-based client may corrupt the IPSec policy (884909)



The information in this article applies to:

  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Tablet PC Edition 2005
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server

SYMPTOMS

Clients and domain controllers that are running Microsoft Windows 2000, Microsoft Windows XP Professional, Microsoft Windows XP Tablet PC Edition, or Microsoft Windows Server 2003 silently fail to apply an Internet Protocol security (IPSec) policy that was saved from a computer that is running Windows 2000 or from a computer that is running Windows XP Service Pack 1 (SP1). No error is raised; the policy is just not applied.

Client computers that do not apply an IPSec policy that a domain administrator has assigned may experience the following symptoms because of this problem:
  • Symptom 1: Network traffic that administrators want to help protect through the IPSec policy is not encapsulated by IPSec, because the client never applied the policy.
  • Symptom 2: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers may not be able to reach other computers on the network that are applying the IPSec policy. If the IPSec policy on those computers is configured in "required" mode, IPSec negotiation does not complete, and communication is blocked.
  • Symptom 3: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers that access shared folders or printers in Windows Explorer on a computer that applies the IPSec policy experience this problem.
  • Symptom 4: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers that access shared folders or printers on such a computer by using the NET USE command experience this problem.
Symptoms 1 through 4 all result from the same lack of connectivity, so they do not by themselves identify the cause. To definitively identify this problem, examine the entries in the Oakley.log file (the IKE negotiation log). The Oakley.log file is located in the %systemroot%\debug folder. Oakley logging is off by default; it is turned on by setting the EnableLogging DWORD value to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley and then restarting the IPSEC Services service.

You may also experience the following symptoms:
  • Symptom 5: Client computers that should apply an IPSec policy but do not because of this problem log no errors in their local debug logs or event logs to indicate that the policy was not applied.
  • Symptom 6: A client computer cannot PING other computers over the network and receives a "Network destination was unreachable" error message. Whether this symptom occurs depends on whether ICMP (PING) traffic is included in the IPSec policy filters.

CAUSE

This problem occurs because Windows Server 2003 uses a different schema for the IPSec policy than the schema that is used by computers that are running Windows 2000 and by computers that are running Windows XP Service Pack 1 (SP1) or earlier. Specifically, Windows Server 2003 added IPSec policy extensions and versioning support that the IPSec administration tools in Windows 2000 and in Windows XP SP1 or earlier do not recognize. Saving an IPSec policy from a Windows 2000-based client or from a Windows XP SP1 or earlier-based client after that policy was saved from a Windows Server 2003-based computer corrupts those extensions or corrupts the complete IPSec policy.

This problem occurs when either of the following conditions is true:
  • The IPSec policy is modified or saved from a Windows 2000-based computer after the IPSec policy is created or modified from a Windows Server 2003-based computer.
  • The IPSec policy is modified or saved from a Windows XP-based computer that does not have one of the following updates installed:
    • Windows XP Service Pack 2 (SP2)
    • Hotfix Q818043

      For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

      818043 L2TP/IPSec NAT-T update for Windows XP and Windows 2000

    As in the first condition, the corruption occurs only after the IPSec policy has been created or modified from a Windows Server 2003-based computer.
Note Clicking OK in the IPSec policy dialog box saves the policy even if you have not changed any IPSec policy settings. Merely opening the policy properties on a non-compliant computer and clicking OK is therefore enough to corrupt the policy.
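A check for the second condition, added here as an example and not taken from the article: the following batch script decides whether the Windows XP-based computer it runs on may be used to open or save a Windows Server 2003-format IPSec policy. It reads the OS version and service pack from the registry and then looks for the hotfix. The registry location under which hotfix Q818043 registers itself (a Q818043 or KB818043 subkey of HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2) is an assumption, not something the article states; confirm it on a computer that has the hotfix installed before relying on the script.

```batch
@echo off
rem Added example, not from KB 884909: is THIS computer safe for opening or
rem saving a Windows Server 2003-format IPSec policy?  Exit codes:
rem   0 = safe (Windows Server 2003, or Windows XP with SP2+ or hotfix Q818043)
rem   1 = NOT safe (Windows 2000, or Windows XP SP1 or earlier without the hotfix)
rem   2 = the article does not apply to this OS (or reg.exe is missing; it ships
rem       with Windows XP/2003 and comes from the Support Tools on Windows 2000)
rem Assumption (not from the article): the hotfix registers itself as a subkey
rem Q818043 or KB818043 under HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2.
setlocal
set NTKEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
set HOTFIXKEY=HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2
set OSVER=unknown
set CSD=no service pack

rem CurrentVersion is 5.0 for Windows 2000, 5.1 for Windows XP, 5.2 for Windows Server 2003.
rem Filtering on REG_SZ skips the key-name line that reg query prints first.
for /f "tokens=3" %%v in ('reg query "%NTKEY%" /v CurrentVersion ^| find "REG_SZ"') do set OSVER=%%v
for /f "tokens=2,*" %%a in ('reg query "%NTKEY%" /v CSDVersion ^| find "REG_SZ"') do set CSD=%%b

if "%OSVER%"=="5.2" (
    echo SAFE: Windows Server 2003 %CSD%.
    exit /b 0
)
if "%OSVER%"=="5.0" (
    echo NOT SAFE: Windows 2000. Never open or save the policy from this computer.
    exit /b 1
)
if not "%OSVER%"=="5.1" (
    echo Not Windows 2000, XP or Server 2003 ^(CurrentVersion %OSVER%^); check does not apply.
    exit /b 2
)

rem Windows XP: SP2 or later carries the fix; otherwise the hotfix must be present.
echo %CSD% | find /i "Service Pack 2" >nul && goto safe
echo %CSD% | find /i "Service Pack 3" >nul && goto safe
reg query "%HOTFIXKEY%\Q818043" >nul 2>&1 && goto safe
reg query "%HOTFIXKEY%\KB818043" >nul 2>&1 && goto safe
echo NOT SAFE: Windows XP %CSD% without hotfix Q818043. Install SP2 or Q818043 first.
exit /b 1

:safe
echo SAFE: Windows XP %CSD%, SP2 or hotfix Q818043 present.
exit /b 0
```

Run it as a logon script or from the help desk toolkit and refuse to hand out the IPSec policy snap-in on computers that return 1; a computer that returns 2 is outside the scope of the article and needs no check.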

RESOLUTION

To recover a Windows Server 2003-format IPSec policy that has been corrupted by a computer that is running Windows 2000 or Windows XP SP1 or earlier, use one of the following methods:
  1. Use the IPSec policy user interface to import a copy of the policy that was exported before the corruption occurred.
  2. Authoritatively restore the necessary elements of a system state backup that was made before the policy was corrupted.
  3. Delete the policy, and then re-create it from a Windows Server 2003-based computer.

WORKAROUND

To work around or to prevent this problem, use one of the following methods:
  • Make Windows XP SP2 or hotfix Q818043 mandatory for all Windows XP deployments, regardless of whether your company has deployed an IPSec policy. Server or policy administrators do not necessarily notify the administrators of desktop computers of configuration changes, and computers change roles, so the preferred way to help protect the computer is to pre-install either Windows XP SP2 or hotfix Q818043 on all existing and future Windows XP-based computers in the organization. Install Windows XP SP2 or hotfix Q818043 as part of your build process for new Windows XP installations. For additional information about how to obtain Windows XP SP2 or the hotfix that is described in article 818043, click the following article numbers to view the articles in the Microsoft Knowledge Base:

    322389 How to obtain the latest Windows XP service pack

    818043 L2TP/IPSec NAT-T update for Windows XP and Windows 2000

  • Administrators, delegated administrators, and help desk staff should administer IPSec policy only from Windows Server 2003-based computers or from Windows XP-based computers that have Windows XP SP2 or hotfix Q818043 installed.
  • Communicate an operational policy to administrators that IPSec policy must not be viewed or saved from a Windows 2000-based computer.
  • Communicate an operational policy that IPSec policy may be modified only from Windows Server 2003-based computers or from Windows XP-based computers that have either Windows XP SP2 or hotfix Q818043 installed. Hotfix Q818043 is available on the Windows Update site as an optional update. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    818043 L2TP/IPSec NAT-T update for Windows XP and Windows 2000

  • Frequently perform system state backups (on a domain controller, for a domain-based IPSec policy, because the policy is stored in Active Directory) so that the Windows Server 2003 IPSec policy can be recovered if it is corrupted from a Windows 2000-based computer or from a non-compliant Windows XP-based computer.
  • Export the IPSec policy at set intervals so that it can be imported if it is corrupted by a Windows 2000-based computer or by a non-compliant Windows XP-based computer.
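The last two workarounds, together with the first two recovery methods in the RESOLUTION section, as one batch script added here as an example (it is not from the article): run on a Windows Server 2003 domain controller, it exports the domain IPSec policy with netsh, keeps a readable copy for comparison, takes a System State backup with ntbackup, and carries the recovery commands as comments. The domain name contoso.com, the folder D:\IPSecBackup, and the ntdsutil "restore subtree" syntax are assumptions; the Active Directory container CN=IP Security,CN=System,<domain DN> is where domain IPSec policy is stored. The netsh commands are issued through a script file because the store selection made with "set store" lasts only for one netsh session, and the file-name stamp built from %DATE% and %TIME% is locale-dependent.

```batch
@echo off
rem Added example, not from KB 884909. Run locally on a Windows Server 2003
rem domain controller: ntbackup cannot take a remote System State, and the
rem computer must be Windows Server 2003 or XP SP2 for the reason the article gives.
rem Assumed names: DOMAIN and BACKUPDIR.
setlocal
set DOMAIN=contoso.com
set BACKUPDIR=D:\IPSecBackup

rem File-name stamp from %DATE% and %TIME% (locale-dependent); the substitutions
rem replace the characters that are not legal in file names.
set STAMP=%DATE%_%TIME%
set STAMP=%STAMP:/=-%
set STAMP=%STAMP::=-%
set STAMP=%STAMP:.=-%
set STAMP=%STAMP: =_%

if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"
set POLICYFILE=%BACKUPDIR%\ipsec-%STAMP%.ipsec
set NSHFILE=%TEMP%\ipsec-export-%STAMP%.nsh

rem 1. Export the policy. "set store" is forgotten when a netsh session ends,
rem    so the store selection, the export and the listing go in one script
rem    file that netsh -f runs in a single session. The listing gives a
rem    text copy that can be diffed against the previous one to spot damage.
> "%NSHFILE%" echo ipsec static set store location=domain domain=%DOMAIN%
>> "%NSHFILE%" echo ipsec static exportpolicy file="%POLICYFILE%"
>> "%NSHFILE%" echo ipsec static show all
netsh -f "%NSHFILE%" > "%BACKUPDIR%\ipsec-%STAMP%.txt"
del "%NSHFILE%"
if not exist "%POLICYFILE%" (
    echo Export failed; see %BACKUPDIR%\ipsec-%STAMP%.txt
    exit /b 1
)

rem 2. System State includes Active Directory, which holds the domain policy
rem    under CN=IP Security,CN=System,<domain DN>; this is what an
rem    authoritative restore is taken from.
ntbackup backup systemstate /J "IPSec policy %STAMP%" /F "%BACKUPDIR%\systemstate-%STAMP%.bkf"
if not exist "%BACKUPDIR%\systemstate-%STAMP%.bkf" (
    echo System State backup failed.
    exit /b 1
)
echo Saved %POLICYFILE% and systemstate-%STAMP%.bkf
exit /b 0

rem ---- Recovery (RESOLUTION methods 1 and 2); for reference, never reached above ----
rem Method 1: put these two lines in restore.nsh and run "netsh -f restore.nsh"
rem from a Windows Server 2003 or XP SP2 computer:
rem   ipsec static set store location=domain domain=contoso.com
rem   ipsec static importpolicy file="D:\IPSecBackup\ipsec-<last good stamp>.ipsec"
rem Method 2: restart the domain controller in Directory Services Restore Mode,
rem restore the System State from the .bkf with ntbackup, then mark the policy
rem container authoritative before the normal reboot (assumed ntdsutil syntax):
rem   ntdsutil "authoritative restore" "restore subtree CN=IP Security,CN=System,DC=contoso,DC=com" quit quit
```

Schedule the script with the Task Scheduler on the domain controller, and keep the .txt listings: a policy that was saved from a non-compliant computer shows up as a shrunken or altered listing long before the Oakley.log entries on the clients are examined.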

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

If the IPSec policy is corrupted, you must restore it from a backup or an export, or re-create the IPSec policy from a Windows Server 2003-based computer.

Modification Type: Minor    Last Reviewed: 7/8/2005
Keywords:kbnetwork kbSecurity kbpolicy kbadmin kbtshoot kbprb KB884909 kbAudITPRO