
Troubleshoot VPN, L2TP & IPSec

This page deals with VPN troubleshooting. You can find other network troubleshooting resources here:



This step-by-step article describes how to configure a virtual private network (VPN) connection to your corporate network in Microsoft Windows XP Professional. A VPN connection is a connection that uses both private and public networks to create a network connection.


This step-by-step article describes how to create a new VPN connection in Microsoft Windows XP.


By default, NetBIOS Proxy is enabled for incoming Remote Access Service (RAS) or virtual private network (VPN) connections on Windows XP and Windows Server 2003-based systems. This setting permits RAS clients to resolve NetBIOS names on the local area network (LAN) that the RAS server is connected to. If you run the Ipconfig /all command from the command shell on the computer that is configured as the RAS or VPN server, the output shows the WINS Proxy Enabled value set to Yes. In some cases, you may want to disable this setting.


Windows XP includes support for Internet Connection Sharing (ICS), which provides the ability to share an internet connection with other computers on a local network. ICS in Windows XP allows services to be mapped to hosts on the internal network, so that requests coming from the internet and destined for a particular service will be redirected by Windows XP to the appropriate computer on the internal network.

For example, you may want to place a Point-to-Point Tunnelling Protocol (PPTP) server on the internal network and configure Windows XP ICS to forward the Virtual Private Networking (VPN) traffic to the PPTP server. This article describes the process that is required to map PPTP back to an internal host, so that an incoming VPN connection can pass through the Windows XP ICS computer. For the purposes of this article, it is assumed that the PPTP server is already configured properly and is able to accept PPTP connections from clients on the local network.
 


The Windows Kerberos authentication package is the default authentication package in Microsoft Windows Server 2003, in Microsoft Windows XP, and in Microsoft Windows 2000. It coexists with the NTLM challenge/response protocol and is used in instances where both a client and a server can negotiate Kerberos. Request for Comments (RFC) 1510 states that the client should send a User Datagram Protocol (UDP) datagram to port 88 at the IP address of the Key Distribution Center (KDC) when a client contacts the KDC. The KDC should respond with a reply datagram to the sending port at the sender's IP address. The RFC also states that UDP must be the first protocol that is tried.

A limitation on the UDP packet size may cause the following error message at domain logon:

Event Log Error 5719
Source NETLOGON

No Windows NT or Windows 2000 Domain Controller is available for domain Domain. The following error occurred:

There are currently no logon servers available to service the logon request.


Additionally, the Netdiag tool may display the following error messages:

Error message 1

DC list test........... : Failed [WARNING] Cannot call DsBind to
COMPUTERNAMEDC.domain.com (159.140.176.32).
[ERROR_DOMAIN_CONTROLLER_NOT_FOUND]


Error message 2
Kerberos test........... : Failed [FATAL] Kerberos does not have a ticket for
MEMBERSERVER$.]


The Windows XP event log entries that are symptoms of this issue are SPNegotiate event 40960 and Kerberos event 10.

By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.


Increasingly, users of wireless mobile devices require access to the functionality of their desktop computers. Windows XP and Windows 2000 permit you to do this. By using the Handheld PC or the Pocket PC, you can connect to an application server and run programs just as if you were sitting at the server computer itself. Connections to application servers can be made across wireless local area networks (LANs), or across the Internet by using virtual private networking (VPN).


You can use the Windows XP Internet Connection Sharing (ICS) feature for network and dial-up connections to connect your home network or your small-office network to the Internet. For example, you may have a home network in which a Windows XP-based computer connects to the Internet by using a PPPoE broadband connection. If you enable ICS on the computer that uses the PPPoE connection, you can provide network address translation (NAT), addressing, and name resolution services for all of the computers on your network.

If your home office users need to gain access to a corporate network that is connected to the Internet by a tunnel server, the users need to create a virtual private network (VPN) connection to tunnel from the computer on the ICS network to the corporate tunnel server on the Internet. The VPN connection is authenticated and secure, and creating the tunnelled connection allocates proper IP addresses, DNS server addresses, and WINS server addresses for the corporate network.


The following VPN client programs are blocked from being installed on a Windows XP-based computer. Note that a hardblock indicates that an upgrade from a previous operating system to Windows XP will be blocked until the client program is uninstalled. A softblock indicates that upgrades will not be blocked, but the installation of the client on a Windows XP-based computer will not be allowed:
  • Cisco 3000 client
    • Version 2.5.2 - Hardblocked
    • Version 3.0.2 - Hardblocked
  • Cisco 5000 client
    • Version 4.0.2.18 - Softblocked
    • Version 5.0.0.12 - Softblocked
  • Nortel Extranet Access Client
    • Versions 2.62d/i - Hardblocked
    • Version 3.70 - Hardblocked


This step-by-step article describes how to edit the registry to change the default maximum transmission unit (MTU) size settings for Point-to-Point Protocol (PPP) connections or for virtual private network (VPN) connections.


This article discusses how to configure a preshared key using the Layer Two Tunnelling Protocol (L2TP).


After you install Service Pack 1 (SP1) for Windows XP, your computer may drop virtual private network (VPN) connections that are using Point-to-Point Tunneling Protocol (PPTP) after about 55 seconds.


You may be unable to install the Cisco virtual private network (VPN) client on your Windows XP-based computer.


If you are using an external firewall device or a network address translation (NAT) device on a Microsoft Windows XP-based computer, and you establish a virtual private network (VPN) connection, the VPN connection may be disconnected after about five minutes.


When you try to establish a virtual private network (VPN) connection, you may receive the following error message:

Error 800: Unable to establish connection


Consider the following scenario:
  • You try to establish a virtual private network (VPN) connection by using a dial-up connection on a Microsoft Windows XP-based computer.
  • The Windows XP-based computer uses a Cisco VPN client.
  • The Windows XP-based computer uses a security solution that implements an intermediate driver by using a custom filter class. For example, the computer may use a security solution such as Senforce Enterprise Mobile Security Manager.
In this scenario, the VPN client cannot establish the connection and stops responding.


You may experience poor sound quality in Microsoft Windows Messenger when you use this component over a virtual private network (VPN) connection.


You may not be able to log on to your domain by using a virtual private network (VPN) if you have the Microsoft Proxy 2.0 client or the Microsoft Internet Security and Acceleration (ISA) Server 2000 client installed, and the proxy server can be reached only by using the VPN connection.

This behavior occurs only if you refer to the VPN server by a Domain Name System (DNS) name instead of by the IP address when you create the VPN connection.


When you use Connection Manager Administration Kit (CMAK) to create a custom dial-up Connection Manager dialer and a custom virtual private network (VPN) Connection Manager dialer, and you use both dialers on one computer, the dial-up Connection Manager will not work after the VPN Connection Manager dialer has been used.


This article lists the error codes that you may receive when you use Windows 2000, Windows XP, or Windows Server 2003 as a client computer to make a dial-up connection or a VPN connection.

Note: Error codes with numbers higher than 900 will only be seen if you are trying to connect to a Routing and Remote Access Server that is running Windows 2000 or later.


After you establish a virtual private network (VPN) connection, your computer stops responding unexpectedly. You receive the following Stop error message:

STOP: 0x000000D1 (0x00000020, 0x00000002, 0x00000000, 0xf5bf0f68)


When you connect your Microsoft Windows XP-based computer to a remote server through a virtual private network (VPN) connection, and you use an external firewall device or a network address translation (NAT) device, you may be disconnected after about five minutes.


After you install the Cisco Systems VPN Dialer program, you can no longer use the Fast User Switching feature in Microsoft Windows XP. If you try to turn on Fast User Switching, you receive a message stating that a program used CSGina.dll to disable the Fast User Switching and the Windows Welcome screen features.


When you try to establish a virtual private network (VPN) connection from your Windows XP or Windows 2000 PPTP client to your corporate network, the connection may not work, and you may receive the following error message:

Error 721: Remote PPP peer is not responding


When you try to connect a virtual private network (VPN) connection in Network Connections, you may receive the following error message:

Error 623
The system could not find the phone book entry for this connection.



You experience one of the following symptoms when you try to establish a virtual private network (VPN) connection by using "Layer Two Tunnelling Protocol with IPSec" (L2TP/IPsec) from a Windows client computer to a VPN server.

Symptom 1
The Windows client computer is running Microsoft Windows XP, Microsoft Windows Server 2003, or Microsoft Windows 2000, and you try to connect to a VPN server that is running Windows Server 2008 or Windows Vista. However, you cannot connect to the VPN server. Instead, you receive an error message that resembles the following:

741 The local computer does not support encryption.

Symptom 2
The Windows client computer is running Windows Server 2008 or Windows Vista, and you try to connect to a VPN server that is running Windows XP, Windows Server 2003, or Windows 2000. However, you cannot connect to the VPN server. Instead, you receive an error message that resembles the following:

742 The remote server does not support encryption.


On a Windows XP-based or on a Windows Server 2003-based client computer, you try to connect to a virtual private network (VPN) server. The connection is successful. However, when name resolution is performed through the VPN connection, you may be unable to access the network.

This problem may occur randomly if the following conditions are true:
  • You update the routing table of the VPN client.
  • When you update the routing table, you configure the scope of the Dynamic Host Configuration Protocol (DHCP) server to use option 249 in the network environment.


You may be unable to use the following components at the same time in Microsoft Windows XP or in Microsoft Windows 2000:
  • A Nortel virtual private network (VPN) client
  • The Internet Protocol security (IPSec) implementation that is built into both Windows XP and Windows 2000
In this situation, you cannot use a VPN tunnel to access resources on an enterprise network on which Domain and Server Isolation policies are deployed.


You may be unable to use the following components at the same time in Microsoft Windows XP, in Microsoft Windows 2000, or in Microsoft Windows Server 2003 Standard Edition with Service Pack 1 (SP1):
  • A Cisco virtual private network (VPN) client
  • The Internet Protocol security (IPSec) implementation that is built into Windows XP, Windows 2000, and Windows Server 2003
In this situation, you cannot use a VPN tunnel to access resources on an enterprise network on which Domain and Server Isolation policies are deployed.


Consider the following scenario:
  • On a Windows XP-based client computer, you connect the computer to the Routing and Remote Access Services server through a virtual private network (VPN) connection.
  • You use a Dynamic Host Configuration Protocol (DHCP) server to provide classful static routes for the VPN client computer by configuring the 249 DHCP scope option.
  • You have configured more than 32 routes together with the corresponding 24-bit subnet masks.
In this scenario, the VPN connection is established successfully. However, only 32 routes are added into the routing table on the Windows XP-based VPN client computer. Therefore, you cannot access some network resources.


You may be unable to use the following components at the same time in Microsoft Windows XP or in Microsoft Windows 2000:
  • A version of AT&T Global Network virtual private network (VPN) client that is earlier than version 6.7
  • The Internet Protocol security (IPSec) implementation that is built into both Windows XP and Windows 2000
In this situation, you cannot use a VPN tunnel to access resources on an enterprise network on which Domain and Server Isolation policies are deployed.


You connect a Microsoft Windows XP Service Pack 2 (SP2)-based computer to a remote access server by using a virtual private network (VPN) or a dial-up connection. Then you cannot access any remote resources.


You may find that mapped drive letters to shared network folders are missing in Windows Explorer when you use the "Work online without synchronizing changes" option over a virtual private network (VPN) connection.


When you try to connect to a Microsoft Windows Server 2003 Network Load Balancing cluster by using a virtual private network (VPN) connection, you may temporarily not be able to connect to a node in the server cluster. You may receive the following error message:

Error 792


When you connect to a network by using either a remote access or virtual private network (VPN) connection, you can browse the network and you can ping servers and receive a reply, but if you try to view the shared resources on a server, you can observe only the files that have been made available offline.

Also, the icon in the bottom right corner of the screen indicates that you are offline.

If you disable offline caching on the client computer, and then connect by means of either a remote access or VPN connection, all the files are visible.


You may receive a "0x000000c1" or a "0x000000c2" Stop error message when network traffic is initiated and a filter driver is loaded. For example, this error may occur when you are using firewall software or virtual private network (VPN) software in the following situations:
  • You connect a wireless network adapter by using 802.1X authentication
  • Your firewall is using a filter driver
  • You try to use Microsoft NetMeeting over a VPN connection


Consider the following scenario:
  • You are running Microsoft Windows XP.
  • You try to create a new connection for a virtual private network (VPN), for a remote access connection, or for a broadband connection. You want this connection to be available to all users.
  • To create the new connection, you use an account that is a member of the Network Configuration Operators group.
In this scenario, you find that the Anyone's use option is not available. The option appears dimmed in the New Connection Wizard, and you cannot make the new connection available for all users.


When you attempt to connect to a Microsoft Windows NT 4.0 or Microsoft Windows 2000-based Routing and Remote Access server through a dial-up or virtual private network (VPN) connection, you may receive one of the following error messages:

Error 619, "The port was disconnected."

Or

Error 645, "Dial-Up Networking could not complete the connection to the server."


If you log on with cached credentials (for example, you establish a Virtual Private Network (VPN) connection to your corporate network) and you try to connect to a network resource, you may receive the following error message and you are continuously prompted for your user name and password:

The system cannot log you on now because the domain DomainName is not available.


When you use a dial-up or a virtual private network (VPN) connection to connect to a Routing and Remote Access server, the list of Domain Name System (DNS) servers is stored on the client computer in reverse order.

For example, when you connect to the Routing and Remote Access server, Dynamic Host Configuration Protocol (DHCP) sends the DNS IP addresses in the preferred order:

10.200.200.200
10.201.201.201


However, if you view the TCP/IP protocol properties on the client computer, the DNS IP addresses appear in the following order:

10.201.201.201
10.200.200.200



When you attempt to connect to a Remote Access Service (RAS) server by using the TCP/IP protocol, you may receive the following error message:

Error 720: No PPP control protocols configured.


When you use the ping command to ping a client by name, that client name may be resolved and an IP address is returned although the client computer is offline.

This behaviour occurs when virtual private network (VPN) clients, such as Microsoft Windows XP-based computers, register records with the WINS server when they connect. When the VPN client disconnects, the client does not mark the WINS records as released. Multiple VPN clients can end up registered in WINS with the same IP address. When this behaviour occurs, if you ping a client that is offline by name, WINS resolves the name and returns the IP address of another client that now has that IP address.


You may experience a problem after you change the binding order for [Remote Access connections] by moving it to the top of the connections list. You would do so in the Advanced Settings dialog box of the Network and Dial-up Connections tool. After you do so, network utilities that resolve host names by using the Domain Name System (DNS) server that is associated with a dial-up networking connection do not default to that DNS server. NSLookup is an example of such a network utility.

This symptom occurs even though you would expect the network utility to use, as its default, the DNS server that is associated with the network device that has the highest binding order in the list of network connections.

Note This symptom may also occur with Virtual Private Networking (VPN) connections. A client computer may not use the DNS server from a VPN connection if the default gateway is set to the remote connection.


If you try to establish a virtual private network (VPN) connection by using a smart card where the provider name of a custom Cryptographic Service Provider (CSP) contains extended characters, you may receive the following error message:

Error 0x80090019: The keyset is not defined


After you log on to a network over the Internet and then start Microsoft Office Outlook 2003, if you click Send/Receive or if Outlook 2003 automatically checks for new e-mail messages, you are prompted to reenter your Microsoft Exchange server name and your user account name.

If you try to verify your account name, you receive the following error message:

The name could not be resolved. Operation failed.

After you close the error message, Outlook 2003 still tries to process the Send/Receive request and then abruptly quits, and you receive the error code 0x8004011c.

This problem occurs if the following conditions are true:
  • You use virtual private network (VPN) or remote procedure call/Hypertext Transfer Protocol (RPC/HTTP) to log on
  • You use your user principal name (UPN) in the form of


When you first start Windows XP after you upgrade from an earlier version of Windows, you may receive the following error message:

Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied.

If you click OK, you may receive an error message that resembles the following error message:

The application failed to initialize properly. 0xc0000017

When you try to run Windows, you may also receive other error messages that resemble the following error message:

IEXVCES.EXE
The exception unknown software exception (0xc00000fd) occurred in the application at location 0x01ac5937.


You do not receive these error messages when you start Windows in safe mode.


When you connect to a Point-to-Point Tunnelling Protocol (PPTP) server from a PPTP client computer, the connection may not succeed, and you may receive one of the following error messages, depending on the version of Microsoft Windows that you are running:

Error 650: The Remote Access server is not responding

Error 721: Remote PPP peer is not responding

Error 629: The port was disconnected by the remote machine.

Error 678: There was no answer



When you create a remote access policy that forces some remote users to log on the network by using a Layer-2 Tunnelling Protocol (L2TP) connection, they cannot connect to the remote access server.


Fixes a problem that may occur if you have an "Incoming Connections" network connection defined. Provides a hotfix to resolve the problem. You must have Windows XP Service Pack 2 installed to apply the hotfix.


After you disconnect from a virtual private network (VPN) connection that was created by using Connection Manager, you cannot connect again if you are not a member of the local Administrators group. This behavior affects connections that dial the Internet and then create a VPN connection. In the Network Connections window, the icon shows that the connection is in the Disconnecting state.


This article provides information to help you troubleshoot Layer 2 Tunnelling Protocol (L2TP) and Internet Protocol Security (IPSec) in Windows XP.


The Internet Protocol Security (IPSec) feature in Windows 2000, Windows XP and Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering by using address, protocol and port information in network packets.

[...]

As IPSec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, the affect [sic] of these default exemptions has not been fully understood. Because of this, some IPSec administrators may create IPSec policies that they think are secure, but are not actually secure against inbound attacks that use the default exemptions.

kadaitcha.cx translation: "We made a lot of wild guesses and stuffed up."

Microsoft strongly recommends that network administrators take the steps in this article to remove the default exemptions to IPSec.


Crawling is prevented in the following circumstances:
  • If more than 10 computers with shared resources are detected; in this case, no shortcuts are created.
  • When you are using Dial-Up Networking (DUN) or virtual private network (VPN) connections.
  • After the Automatically search for network folders and printers check box is cleared in the Folder Options dialog box in My Network Places.
  • The feature is turned off by a policy (registry key).


This article describes how to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information on source and destination computers. You can use this information to troubleshoot performance issues that you may experience during the file copy process.

If the client computer accesses the destination file server over a virtual private network (VPN) connection, the virtual interface that is created on the client computer must be monitored to see file copy traffic.


When a computer that is running Windows XP or Windows Server 2003 tries to set up a VPN connection to a remote network, the connection is set up successfully. However, the computer may be unable to access the resources on the remote network.

This problem occurs when the remote network's Dynamic Host Configuration Protocol (DHCP) server uses the 249 Classless Static Routes DHCP scope option.


When you attempt to establish for the first time a Point-to-Point Tunnelling Protocol (PPTP) connection by means of a Connection Manager profile, you may experience a significant delay before you are able to connect, or you may be unable to connect.


After you change your password, you cannot access the workstation if you log off and then try to log on again. This problem occurs after you log on to a workstation that contains cached credentials (password and domain), then change your domain password while you are connected to the domain by using a dial-up or a VPN connection, then log off, and then log on again. However, if you turn off the Automatically use my Windows logon name and password option, you can log on to the workstation.


When you start a program in Microsoft Windows Server 2003 or in Microsoft Windows XP, the program may run very slowly if the following conditions are true:
  • You start a program that does not have a Start in property.
  • The network connection to the mapped network share that contains your home folder is slow.
Additionally, when you log on to the computer, the logon process may be slower than expected if the following conditions are true:
  • The client computer must look for system DLL files in your home folder.
  • The network connection to the mapped network share that contains your home folder is slow.
This problem occurs because the program is slowed by a high-latency connection. A program that does not have a Start in property searches for DLL files in the current working folder first, and then the folders that are specified in the system path. The current working folder is typically your home folder. If your home folder is on a mapped network share and if the network connection to that share is a high-latency connection such as a wide area network (WAN) or a virtual private network (VPN), you may experience slow performance.



After you try to use a remote Lexmark printer over a virtual private network (VPN) connection, network traffic may increase. The increased network traffic can severely decrease performance on slow network links.


When you try to connect a Windows XP-based computer to a network by using a virtual private network (VPN) connection, you may receive the following error message:

Access denied because username and/or password is invalid on the domain

This problem occurs if one of the following conditions is [sic] true:
  • The password to access the network has expired.
  • The administrator has enabled the User must change password at next logon option for the user account.


This article describes a change in the default behaviour of Internet Protocol security (IPSec) network address translation (NAT) traversal (NAT-T) that has been implemented in Microsoft Windows XP Service Pack 2 (SP2).


When you view the contents of the Internet Connection Firewall log file (Pfirewall.log), packets for an IP address that is not on the interface where the firewall is enabled may be listed in the log.

The Firewall log records all packets that are dropped, regardless of whether the packet contains a source or destination IP address that is bound to the secured interface. For example, packets that are destined to a local VPN interface may be recorded to the Firewall log if the VPN interface is not bound to the interface where the firewall is enabled.


When you try to establish an L2TP connection with a non-Microsoft L2TP server, the connection may be established properly, but you may then immediately lose the connection.


When you attempt to establish a Layer 2 Tunneling Protocol (L2TP) connection from a Windows XP-based L2TP client computer to a Windows XP-based Routing and Remote Access Service server, you can receive the following error message:

Error 792: The L2TP connection attempt failed because security negotiation timed out.


Microsoft has released an update package to enhance the current functionality of Layer Two Tunnelling Protocol (L2TP) and Internet Protocol security (IPSec) on computers that run Microsoft Windows 2000, Microsoft Windows XP without service packs installed, and Windows XP with Service Pack 1 (SP1). This functionality is included in Windows XP Service Pack 2 (SP2).


Clients and domain controllers that are running Microsoft Windows 2000, Microsoft Windows XP Professional, Microsoft Windows XP Tablet PC, or Microsoft Windows Server 2003 will silently error out and cannot apply an Internet Protocol security (IPSec) policy that was saved from a computer that is running Windows 2000 or a computer that is running Windows XP Service Pack 1 (SP1).

Client computers that do not apply an IPSec policy that is specified by a domain administrator may experience the following symptoms because of this problem:
  • Symptom 1: Network traffic that administrators want to help protect through an IPSec policy will not be encapsulated.
  • Symptom 2: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers may not be able to access other computers by using an IPSec policy on the network. If the IPSec policy is configured in "required mode," network negotiation will not be completed, and communication will be blocked.
  • Symptom 3: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers that access shared folders or printers from Windows Explorer on a computer by using an IPSec policy will experience this problem.
  • Symptom 4: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers that access an IPSec policy by accessing shared folders or printers by using an IPSec policy with the NET USE command will experience this problem.
Symptoms 1-4 all occur because of a lack of connectivity. Therefore, you must examine the entries in the Oakley.log file to definitively identify this problem. The Oakley.log file is located in the %systemroot%\deproblem\Oakley log folder.

You may also experience the following symptoms:
  • Symptom 5: Client computers that are supposed to apply an IPSec policy but do not because of this problem will not log any errors in their local deproblem [sic] logs or event logs that indicate that the policy did not apply.
  • Symptom 6: A client computer cannot use PING over the network. The client computer receives a "Network destination was unreachable" error message, depending on whether PING is an IPSec policy protocol.


This technical presentation describes how to use Internet Protocol Security (IPSec) to help secure network traffic. The talk discusses the most common IPSec scenarios and demonstrates how to use the Microsoft IPSec implementation to deploy these scenarios. Additionally, general IPSec concepts, configuration options, and implementation techniques will be presented.


In a wireless network environment that uses Internet Protocol security (IPSec) network address translation traversal (NAT-T), client computers that are running Microsoft Windows Server 2003 or Microsoft Windows XP cannot connect to a server that is running Windows Server 2003 and Microsoft Live Communications Server 2003. The connections time out. A network trace shows Internet Control Message Protocol (ICMP) "port unreachable" error messages.

This problem occurs on client computers that use a wireless network adaptor that does not support packet ownership. For example, this problem occurs on client computers that use an Agere Systems wireless network adaptor or an Intel wireless network adaptor that does not support packet ownership.


Consider the following scenario:
  • You are running a Microsoft Windows XP Service Pack 2 (SP2)-based computer or a Windows XP Service Pack 1 (SP1)-based computer that has the network address translation traversal (NAT-T) update installed.
  • The computer belongs to a domain.
  • You enable an Internet Protocol security (IPSec) policy on the computer.
In this scenario, all policies on the computer are refreshed, not just the IPSec policy. Additionally, if you set a short refresh time for the IPSec policy, network traffic increases in a domain that contains many client computers.


You may experience the following problem on a Microsoft Windows XP-based computer where a network adaptor uses the Internet Protocol security (IPsec) policy to restrict traffic to and from the computer. When you disconnect and then reconnect the network adaptor, the policy is not applied for two to three seconds after the network adaptor is reinitialized. Traffic that typically would be blocked by the IPSec policy may not be blocked.


The IPSec Policy Agent (IPsecsvc.dll) manages Internet Protocol security policy. The IPSec Policy Agent starts the ISAKMP/Oakley (IKE) protocol mechanism. The IPSec Policy Agent also starts the Internet Protocol security driver that is available for Microsoft Windows Server 2003 and for Microsoft Windows XP. The IPSec Policy Agent includes a set of remote procedure call (RPC)-based interfaces. These interfaces are used by internal Windows components.

Microsoft has released a hotfix that corrects the behaviour of the IPSec Policy Agent. After you apply this hotfix, the RPC-based interfaces return the correct status code that other Windows components require.


This article describes an update that you can apply to simplify the creation and maintenance of Internet Protocol security (IPSec) filters in Microsoft Windows Server 2003. This article also includes description of a hotfix for Microsoft Windows XP that simplifies the creation and maintenance of Internet Protocol security (IPSec) filters in Microsoft Windows XP.

The Windows Server 2003 update and the Windows XP hotfix add functionality to Windows that enables you to use an IPSec "Simple Policy." For most environments, the installation of this update and hotfix lets you reduce the number of IPSec filters that are required for a Server Isolation deployment or for a Domain Isolation deployment. You can reduce the number of IPSec filters from many hundreds of filters to only two filters.


Internet Protocol security (IPSec) filtering rules can be used to help protect Windows 2000-based, Windows XP-based, and Windows Server 2003-based computers from network-based attacks from threats such as viruses and worms. This article describes how to filter a particular protocol and port combination for both inbound and outbound network traffic. It includes steps to determine whether any IPSec policies are currently assigned to a Windows 2000-based, Windows XP-based, or Windows Server 2003-based computer, steps to create and assign a new IPSec policy, and steps to unassign and delete an IPSec policy.


This article describes how to configure Microsoft Windows Server 2003-based and Microsoft Windows XP Professional-based computers to manage Internet Protocol security (IPSec) policies and to monitor IPSec activity for remote computers.

On Windows Server 2003-based and on Windows XP Professional-based computers, you can use the IP Security Policy Management Microsoft Management Console (MMC) snap-in to remotely manage IPSec policies. Additionally, you can use the IP Security Monitor MMC snap-in to remotely monitor IPSec activity.

On Windows Server 2003-based computers, you can also use the Netsh command-line utility to remotely manage IPSec policies and to remotely monitor IPSec activity.

Note Windows XP does not have an IPSec context for the Netsh command. Therefore, the Netsh command cannot be used to configure IPSec on Windows XP-based computers. On Windows XP, use the IP Security Policy Management MMC snap-in, or the Ipseccmd.exe command-line tool from the Windows XP Support Tools, instead.


This article describes how to configure RPC to use a specific dynamic port range and how to help secure the ports in that range by using an Internet Protocol security (IPSec) policy. By default, RPC uses ports in the ephemeral port range (1024-5000) when it assigns ports to RPC applications that have to listen on a TCP endpoint. This behaviour can make restricting access to these ports challenging for network administrators. This article discusses ways to reduce the number of ports available to RPC applications and how to restrict access to these ports by using a registry-based IPSec policy.
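The two procedures above, filtering a protocol and port combination with an IPSec policy and pinning RPC to a fixed port range and then restricting who may reach that range, come down to the same netsh ipsec static steps on Windows Server 2003. The following batch script is an added example, not code from the Knowledge Base articles summarised here. The port range 5001-5100, the trusted subnet 10.1.2.0/24, and the policy, filter-list and filter-action names are assumptions. The registry part applies to Windows XP as well, but because XP has no netsh ipsec context the policy must be built there with the IP Security Policy Management snap-in or Ipseccmd.exe.

```batch
@echo off
setlocal
rem ---- Assumptions for this example; edit for your environment ----
set RPC_LO=5001
set RPC_HI=5100
set TRUSTED_NET=10.1.2.0
set TRUSTED_MASK=255.255.255.0
set POLICY=Restrict RPC ports

rem 0. Check whether a policy is already assigned. A policy assigned through
rem    a domain GPO overrides the local policy that this script creates.
netsh ipsec static show policy all

rem 1. Pin RPC dynamic endpoints to a known range (HKLM\SOFTWARE\Microsoft\Rpc\Internet).
rem    Takes effect only after a restart; pick a range nothing else already listens on.
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v Ports /t REG_MULTI_SZ /d "%RPC_LO%-%RPC_HI%" /f
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v PortsInternetAvailable /t REG_SZ /d Y /f
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v UseInternetPorts /t REG_SZ /d Y /f

rem 2. Filter lists. IPSec filters have no port-range syntax, so one filter
rem    is added per port. TCP 135 (the endpoint mapper) gets the same treatment,
rem    because a client must reach it before it learns the dynamic port.
netsh ipsec static add filterlist name="RPC ports - any source"
netsh ipsec static add filterlist name="RPC ports - trusted net"
for /L %%p in (%RPC_LO%,1,%RPC_HI%) do (
  netsh ipsec static add filter filterlist="RPC ports - any source" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%p mirrored=no
  netsh ipsec static add filter filterlist="RPC ports - trusted net" srcaddr=%TRUSTED_NET% srcmask=%TRUSTED_MASK% dstaddr=me protocol=TCP srcport=0 dstport=%%p mirrored=no
)
netsh ipsec static add filter filterlist="RPC ports - any source" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=135 mirrored=no
netsh ipsec static add filter filterlist="RPC ports - trusted net" srcaddr=%TRUSTED_NET% srcmask=%TRUSTED_MASK% dstaddr=me protocol=TCP srcport=0 dstport=135 mirrored=no

rem 3. Filter actions, policy and rules. Windows applies the most specific
rem    matching filter, so the trusted-subnet permit wins over the any-source block.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add policy name="%POLICY%" description="Only the trusted subnet may reach RPC" activatedefaultrule=no
netsh ipsec static add rule name="Permit RPC from trusted net" policy="%POLICY%" filterlist="RPC ports - trusted net" filteraction="Permit"
netsh ipsec static add rule name="Block RPC from elsewhere" policy="%POLICY%" filterlist="RPC ports - any source" filteraction="Block"

rem 4. Assign and verify. From a host outside TRUSTED_NET, connections to TCP 135
rem    and to the range must now time out; from inside it they must still succeed.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
netstat -ano -p TCP

rem 5. Rollback, run by hand: unassign first, then delete the policy (its rules
rem    go with it) and finally the filter lists and filter actions.
rem netsh ipsec static set policy name="%POLICY%" assign=n
rem netsh ipsec static delete policy name="%POLICY%"
rem netsh ipsec static delete filterlist name="RPC ports - any source"
rem netsh ipsec static delete filterlist name="RPC ports - trusted net"
rem netsh ipsec static delete filteraction name="Permit"
rem netsh ipsec static delete filteraction name="Block"
endlocal
```

Save it as a .cmd file (the %%p loop syntax only works from a script) and run it from an administrative command prompt on the server, then restart so that RPC picks up the new range; until the restart, services already listening keep their old ports and are not covered by the filters. To confirm the result from another Windows Server 2003 computer, prefix the show command with netsh -r <computer>. Traffic that matches no filter is still permitted, so this policy only governs the listed ports; anything else the server exposes needs its own filters.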


In an Active Directory domain environment, the Lsass.exe process may stop responding on a Microsoft Windows Server 2003-based computer or on a Microsoft Windows XP-based computer.

In this situation, you receive the following error message:

System Shutdown - The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost.

This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in <number> seconds.

Shutdown message: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code <error code>. The system will now shut down and restart.

This problem may occur if the following conditions are true:
  • Some Internet Protocol Security (IPSec) policies are configured to help secure network communication.
  • Security settings are customized for all Group Policy objects (GPOs) that are applied to domain computers. Specifically, the Everyone group and the Authenticated Users group do not have permission to access any GPO. All other groups, such as the Domain Users group and the Domain Computers group, have permission to access the GPOs.
  • On Windows Server 2003-based computers, Windows Server 2003 Service Pack 2 is installed.
  • On Windows XP-based computers, a hotfix is installed. This hotfix has a file version that is either later than or equal to the file version that is described in the following Microsoft Knowledge Base article:
(http://support.microsoft.com/kb/895406/) All policies on a Windows XP-based computer are refreshed when you enable an IPSec policy.


You experience intermittent connectivity when you try to connect to a network from a computer that is running Microsoft Windows XP or Microsoft Windows Server 2003. If the computer connects to the network, you may receive the following error message:

The Windows Time Service was not able to find a Domain Controller. A time and date update was not possible.

This problem occurs because Transmission Control Protocol/Internet Protocol (TCP/IP) Internet Protocol security (IPSec) frames that pass through NAT-T are not correctly acknowledged by TCP/IP.

This problem has been reported to occur on computers that have one of the following network adapters:
  • Intel Pro/100VE and Intel Pro Wireless LAN 2100 3B Mini
  • Intel Pro/100VE and ORiNOCO Wireless PCI
  • SiS 9000 PCI
  • RealTek 8139


The following services depend on the RPC service:
  • Background Intelligent Transfer Service
  • COM+ Event System
  • Distributed Link Tracking Client
  • Distributed Transaction Coordinator
  • Fax Service
  • Indexing Service
  • IPSec Policy Agent
  • Messenger
  • Network Connections
  • Print Spooler
  • Protected Storage
  • Removable Storage
  • Routing Information Protocol (RIP) Listener
  • Routing and Remote Access
  • Task Scheduler
  • Telephony
  • Telnet
  • Windows Installer
  • Windows Management Instrumentation


This article contains a list of the Routing and Remote Access service event IDs as they appear in the Event Viewer system log.