Modifying an Internet Protocol security (IPSec) policy from a Windows XP SP1-based or Windows 2000-based client may corrupt the IPSec policy

Clients and domain controllers that are running Microsoft Windows 2000, Microsoft Windows XP Professional, Microsoft Windows XP Tablet PC, or Microsoft Windows Server 2003 will silently error out and cannot apply an Internet Protocol security (IPSec) policy that was saved from a computer that is running Windows 2000 or a computer that is running Windows XP Service Pack 1 (SP1).

Client computers that do not apply an IPSec policy that is specified by a domain administrator may experience the following symptoms because of this problem:

• Symptom 1: Network traffic that administrators want to help protect through an IPSec policy will not be encapsulated.
• Symptom 2: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers may not be able to access other computers by using an IPSec policy on the network. If the IPSec policy is configured in "required mode," network negotiation will not be completed, and communication will be blocked.
• Symptom 3: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers that access shared folders or printers from Windows Explorer on a computer by using an IPSec policy will experience this problem.
• Symptom 4: Windows 2000-based, Windows XP-based, and Windows Server 2003-based client computers that access an IPSec policy by accessing shared folders or printers by using an IPSec policy with the NET USE command will experience this problem.

Symptoms 1-4 all occur because of a lack of connectivity. Therefore, you must examine the entries in the Oakley.log file to definitively identify this problem. The Oakley.log file is located in the %systemroot%\deproblem\Oakley log folder.

You may also experience the following symptoms:

• Symptom 5: Client computers that are supposed to apply an IPSec policy but do not because of this problem will not log any errors in their local deproblem logs or event logs that indicate that the policy did not apply.
• Symptom 6: A client computer cannot use PING over the network. The client computer receives a "Network destination was unreachable" error message, depending on whether PING is an IPSec policy protocol.

This problem occurs when the Windows Server 2003-based server uses a different schema for the IPSec policy than the schema that is used by computers that are running Windows 2000 and computers that are running Windows XP Service Pack 1 (SP1) or earlier versions. Specifically, Windows Server 2003 added IPSec policy extensions and versioning support that client administration tools that are in Windows 2000-based computers and Windows XP SP1 or earlier-based computers do not support. Saving an IPSec policy from a Windows 2000-based client or a Windows XP SP1 or earlier version-based client after an IPSec policy was saved from a Windows Server 2003 computer will corrupt certain extensions or will corrupt the complete IPSec policy.

Specific conditions for this problem occur when either of the following conditions is true:

• The IPSec policy is modified or saved from a Windows 2000-based computer after the IPSec policy is created or modified from a Windows Server 2003-based computer.
• The IPSec policy is modified or saved from a Windows XP-based computer that does not have one of the following updates installed:
  • Windows XP Service Pack 2 (SP2)
  • Hotfix Q818043
    
    For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
    818043� L2TP/IPSec NAT-T update for Windows XP and Windows 2000
  This behavior occurs after the IPSec policy is created or modified from a Windows Server 2003-based computer.

Note Clicking OK in the IPSec dialog box saves the policy even if you have not made a change to the IPSec policy settings.

To resolve this problem for Windows Server 2003-formatted IPSec policy that has been corrupted by a computer that is running Windows XP SP1 or earlier versions, follow these steps:

1. Use the IPSec policy user interface to import a policy that was exported before corruption occurred.
2. Auth-restore the necessarily elements of a system state backup that was made before the policy was corrupted.
3. Delete and then re-create the policy.

To work around or to prevent this problem, use one of the following methods:

• Make Windows XP SP2 or hotfix Q818043 mandatory for all Windows XP deployments, regardless of whether your company has deployed an IPSec policy. Server or policy administrators do not notify administrators of desktop computers of configuration changes. The preferred way to help protect the computer from malicious software is to pre-install either Windows XP SP2 or hotfix Q818043 on existing and future computers. Because computers change roles, install Windows XP SP2 or hotfix Q818043 on all Windows XP-based computers in the organization. Install Windows XP SP2 or hotfix Q818043 as part of your build process for new Windows XP installs. For additional information about how to obtain Windows XP SP2 or the hotfix in article 818043, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  322389� How to obtain the latest Windows XP service pack
  818043� L2TP/IPSec NAT-T update for Windows XP and Windows 2000
• Administrators, delegated administrators, and help desk administrators should administer IPSec policy from either Windows Server 2003-based or Windows XP SP2-based computers.
• Communicate operational policy to administrators whose IPSec policy should not be viewed or saved from a Windows 2000-based computer.
• Communicate operational policy that the IPSec policy should only be modified from Windows Server 2003-based computers or Windows XP-based computers with either Windows XP SP2 or hotfix Q818043 installed. Hotfix Q818043 is available on the Windows Update site as an optional fix. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  818043� L2TP/IPSec NAT-T update for Windows XP and Windows 2000
• Frequently perform system state backups so that the Windows Server 2003 IPSec policy can be recovered if it becomes corrupted from a Windows 2000-based computer or a non-compliant Windows XP-based computer.
• Export the IPSec policy at set intervals so that it can be imported in case it becomes corrupted by a Windows 2000-based computer or a non-compliant Windows XP-based computer.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

If IPSec policy is corrupted, you must restore IPSec policy from backup or re-create IPSec from a Windows Server 2003-based computer.