IP Security Policies Not Applied / Not Working

[J. Madison]

I have two machines (Windows 2000 Pro & Windows XP Pro). I have an IP
Security Policy set up on my Windows 2000 machine to connect to my company's
VPN, which works perfectly. I have set up the identical policy on the
Windows XP Pro machine where this very same policy does not work.

When I look at the 'Outgoing Connections' log in my Linksys router, the
windows 2000 machine has several entries connecting to the VPN gateway IP,
the Windows XP machine however, shows several entries connecting (rather
trying to connect) to the IP of the machine behind the VPN gateway. It's as
if XP is not even trying to apply the policy.

The only difference I can find in my TCP/IP settings on the 2 machines is on
the TCP/IP Properties -> Advanced -> Options -> Optional Settings. The
windows 2000 machine shows TCP/IP filtering *AND* IP Security, the XP
machine *ONLY* shows TCP/IP filtering. I believe that the problem lies here.

Having spent the about 6 hours over 3 days trying to find the answer in the
MSKB, newsgroups and even XP's online help, I have come up empty. I cannot
for the life of me figure out how to enable IP Security on the XP Pro
machine (yes the service is running).

I even killed my XP installation (in a flurry of bad configuration /
registry changes :), so I re-loaded Win2kPro, which worked fine. Eventually
I upgraded back to XP and I'm right back where I started :(

Please Help :( I'm at a total loss.

Jeremy

(Note: All of the latest service packs / updates are applied... etc)

[Louise Bowman [MSFT]]

J.

Do you initiate your vpn connections via the Neware Connections folder?
If so can you check the Windows 2000 machine for the regkey ProhibitIpsec -
check if its set on the Win2000 box.
regedit -> khlm\system\services\RasMan\Parameters\
or just do a registry search for ProhibitIpsec
If its set on the Win2000 check to see if it's set on the XP box.

Louise Bowman (MSFT)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"J. Madison" <cam97ss@hNoOtSmPaAiMl.com> wrote in message
news:uZpLQMeRDHA.3132@tk2msftngp13.phx.gbl...

> I have two machines (Windows 2000 Pro & Windows XP Pro). I have an IP
> Security Policy set up on my Windows 2000 machine to connect to my

company's

> VPN, which works perfectly. I have set up the identical policy on the
> Windows XP Pro machine where this very same policy does not work.
>
> When I look at the 'Outgoing Connections' log in my Linksys router, the
> windows 2000 machine has several entries connecting to the VPN gateway IP,
> the Windows XP machine however, shows several entries connecting (rather
> trying to connect) to the IP of the machine behind the VPN gateway. It's

as

> if XP is not even trying to apply the policy.
>
> The only difference I can find in my TCP/IP settings on the 2 machines is

on

> the TCP/IP Properties -> Advanced -> Options -> Optional Settings. The
> windows 2000 machine shows TCP/IP filtering *AND* IP Security, the XP
> machine *ONLY* shows TCP/IP filtering. I believe that the problem lies

here.

>
> Having spent the about 6 hours over 3 days trying to find the answer in

the

> MSKB, newsgroups and even XP's online help, I have come up empty. I cannot
> for the life of me figure out how to enable IP Security on the XP Pro
> machine (yes the service is running).
>
> I even killed my XP installation (in a flurry of bad configuration /
> registry changes :), so I re-loaded Win2kPro, which worked fine.

Eventually

> I upgraded back to XP and I'm right back where I started :(
>
> Please Help :( I'm at a total loss.
>
> Jeremy
>
> (Note: All of the latest service packs / updates are applied... etc)
>
>

[J. Madison]

The VPN connection is made using only an IP Security Policy:

My local machine is on the network 192.168.0.0/24, the destination network
is 192.168.1.0/24. I added an IPSecurity Policy to route any traffic to the
192.168.1.0/24 subnet to the VPN (SonicWall) endpoint IP, and a
corresponding filter for traffic from the 192.168.1.0/24 subnet to my IP.
The filter action is set to 'Require Security', using a Preshared Key as the
Authentication Method.

This actually works very well from the office and from my Windows 2000 box
at home, it's more convenient (not to mention cheaper) than purchasing the
SonicWall clients, as well as being transparent when working.

The Windows XP machine is there I have the problem, it's not even applying
the IPSec Policies. I have even gone so far as to assign the pre-defined
filters that come with XP Pro 'Secure Server (Require Security)' and 'Server
(Request Security)' just to see what happens... nothing.

As for the registry key you mentioned, I did a search on both machines and
found no match.

Also, if it makes any difference... Both of the home machines are on a
workgroup as opposed to a domain.

I'll also include a couple entries from my Linksys Router's Outgoing Access
Log (The VPN IP has been changed) :

--- From the Windows 2000 Pro Machine , Works ---
LAN IP Destination URL / IP Service / Port
Number
--------------------------------------------------------------------------
192.168.0.10 64.59.x.x 500

--- From the Windows XP Pro Machine , Fails---
LAN IP Destination URL / IP Service / Port
Number
--------------------------------------------------------------------------
192.168.0.101 192.168.1.10 445

Thanks in Advance,

Jeremy

"Louise Bowman [MSFT]" <lbowman@microsoft.com> wrote in message
news:OsvHvzxRDHA.2236@tk2msftngp13.phx.gbl...

> J.
>
> Do you initiate your vpn connections via the Neware Connections folder?
> If so can you check the Windows 2000 machine for the regkey

ProhibitIpsec -

> check if its set on the Win2000 box.
> regedit -> khlm\system\services\RasMan\Parameters\
> or just do a registry search for ProhibitIpsec
> If its set on the Win2000 check to see if it's set on the XP box.
>
> Louise Bowman (MSFT)
> --
> This posting is provided "AS IS" with no warranties, and confers no

rights.

>
> "J. Madison" <cam97ss@hNoOtSmPaAiMl.com> wrote in message
> news:uZpLQMeRDHA.3132@tk2msftngp13.phx.gbl...

> > I have two machines (Windows 2000 Pro & Windows XP Pro). I have an IP
> > Security Policy set up on my Windows 2000 machine to connect to my

> company's

> > VPN, which works perfectly. I have set up the identical policy on the
> > Windows XP Pro machine where this very same policy does not work.
> >
> > When I look at the 'Outgoing Connections' log in my Linksys router, the
> > windows 2000 machine has several entries connecting to the VPN gateway

IP,

> > the Windows XP machine however, shows several entries connecting (rather
> > trying to connect) to the IP of the machine behind the VPN gateway. It's

> as

> > if XP is not even trying to apply the policy.
> >
> > The only difference I can find in my TCP/IP settings on the 2 machines

is

> on

> > the TCP/IP Properties -> Advanced -> Options -> Optional Settings. The
> > windows 2000 machine shows TCP/IP filtering *AND* IP Security, the XP
> > machine *ONLY* shows TCP/IP filtering. I believe that the problem lies

> here.

> >
> > Having spent the about 6 hours over 3 days trying to find the answer in

> the

> > MSKB, newsgroups and even XP's online help, I have come up empty. I

cannot

> > for the life of me figure out how to enable IP Security on the XP Pro
> > machine (yes the service is running).
> >
> > I even killed my XP installation (in a flurry of bad configuration /
> > registry changes :), so I re-loaded Win2kPro, which worked fine.

> Eventually

> > I upgraded back to XP and I'm right back where I started :(
> >
> > Please Help :( I'm at a total loss.
> >
> > Jeremy
> >
> > (Note: All of the latest service packs / updates are applied... etc)
> >
> >

>
>