IPSec for Windows
Internet Protocol Security (IPSec) is supported by the Windows 2000, 2003, and XP operating systems and is integrated with the Active Directory service. IPSec policies can be assigned through Group Policy. Alternatively, if you have ISA 2004 or SBS 2003, you can use ISA to create a site-to-site IPSec VPN.
This link may help: "The site you are connecting to is using ISA Server 2004, ISA Server 2000, Windows Server 2003, or Windows 2000 Server as its VPN server. ..."
www.microsoft.com/technet/isa/2004/plan/sitetositevpn.mspx
Can't ping remote computer even though Linksys router displays "Connect"
Symptom: You have set up two Linksys routers as a gateway-to-gateway VPN. Both routers display the VPN as "Connect". However, you can't ping the remote computer by name or IP, and the log doesn't list any errors.
Causes: 1. Incorrect Secure Group settings.
2. Incorrect Dynamic Routing (Gateway mode or Router mode).
How many IPSec tunnels BEFVP41 supports
Most Linksys routers support only one IPSec connection at any given time. However, they allow up to 70 IPSec tunnels to pass through the router.
How to setup Windows IPsec client
To set up the Windows IPSec client on W2K/XP, run MMC and add the IP Security Policies snap-in. Right-click it to create a new IP filter. Make sure both server and client have the same settings, such as IP subnet, tunnel IP and authentication methods.
For consulting service, contact a consultant. For consultants, refer to the IPSec issue page.
IPSec name resolution issue
Symptom: You set up IPSec to connect two LANs and the computers can ping each other by IP but not by name.
Cause: You have a name resolution issue; check the DNS and WINS settings.
For consultants, refer to case 110704RL.
IPSec PolicyAgent Service couldn't be started - Event ID 319
Cause: a third-party policy is running. For consultants, please refer to TK082004.
Flags are outbound only on IPSec Tunnels
Symptom: When using the netdiag /test:ipsec /debug command to test IPSec settings on W2K/XP, you may get two outbound flags instead of one inbound and one outbound.
Resolution: make sure you enter the correct endpoints for the tunnels.
How to use Ipsecmon to view the policies of IPSec/L2TP
With an IPSec/L2TP connection, you can use the Ipsecmon utility to view the policies that are in effect. For example, you may see items similar to the following sample output for a default L2TP/IPSec connection (client-to-server or server-to-server):
Policy name: L2TP Rule
Security: ESP DES/CBC HMAC MD5
Filter name: No Name - Mirror
Source address: IP address or name of computer
Dest. address: IP address or name of computer
Protocol: UDP
Src. port: 1701
Dest. port: 0
Tunnel endpoint: <none>
How to use Netdiag to view the policies of IPSec/L2TP
Without an active IPSec/L2TP connection, you can use netdiag to view the IPSec/L2TP policy, for example: netdiag /test:ipsec /debug.
Note: The Netdiag tool is available after installing the Windows Support
Tools package. This package is located in the Support\Tools folder on the
Windows CD-ROM. After you install this package, Netdiag is located in the
Program Files\Support Tools folder.
Negotiating IP Security and never receive Reply
Symptom: After creating an IPSec policy, you may see "Negotiating IP Security" when you ping the remote computer's IP, and you never receive the reply.
Causes: 1. Incorrect tunnel settings.
2. A NAT device or firewall blocks the traffic.
3. Mismatched key exchange, authentication method, or security method.
For consultants, refer to 101404RL.
Other computers can't ping remote computers
Symptom: After creating a site-to-site IPSec connection, you can ping the remote computers from the IPSec-enabled computer but not from other computers.
Resolution: add routing table entries for reaching the remote computers.
For consultants, refer to 101404RL.
The ports need to open for IPSec
IP protocols 50 (ESP) and 51 (AH), and UDP port 500 (IKE).
Time out when using ping command
Symptom 1: You have a correct Windows IPSec client setup and you can ping the remote IP of the VPN when there is no Cisco PIX Firewall in the path. But if your computer is behind the PIX, you get a time out when attempting to ping the remote IP of the VPN.
Cause 1: the PIX may have the same IP pool as the IP subnet of the remote VPN.
Symptom 2: You are accessing a VPN and are assigned 192.168.1.2. You get a time out when attempting to ping the remote computer with the IPSec client setup.
Cause 2: IPSec is using the same IP range as 192.168.1.0. Unassigning the IP filter will disable IPSec.
Symptom 3: After creating an IPSec policy, you receive a time out when you ping the remote computer.
Cause 3: Incorrect IP Filter List or other IPSec settings.
For consultants, refer to 101404RL.
Troubleshooting IPSec
1. Audit Policy: To troubleshoot IPSec when it does not behave the way that you expect it to, first check the results of the Phase One and Phase Two exchanges by enabling Audit Policy, which causes security events to be logged in the security log of the Event Viewer.
2. Netdiag: run netdiag /test:ipsec /debug. If both phases show as Outbound or both as Inbound, check the tunnel settings.
3. If the logged events indicate that Phase One Main Mode exchange is failing,
do both of the following: 1) Check the IKE settings in your IPSec policy
properties: Click the General tab, click the Advanced
tab, and then click the Methods tab. 2) Check the configured
IKE authentication methods in your IPSec policy properties: Select the IP
Security rule that you want to check, click Edit, and then
click the Authentication Methods tab.
4. If the logged events indicate that Phase Two Quick Mode is failing, check
the IPSec security methods configured on your IPSec rules in your IPSec policy
properties: Select the IP Security rule that you want to check, click
Edit, select the Filter Action tab, select the
filter action that is enabled, and then click Edit.
5. IP Security Monitor: The IP Security Monitor can be used to monitor SAs, IPSec, and IKE statistics. To start IP Security Monitor, click Start, click Run, and then type ipsecmon.
6. Checking Oakley Log:
To enable Oakley Log, use Registry Editor to locate the
following key in the registry, and if it does not exist, create it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Add a REG_DWORD value named EnableLogging with a value of 1
to this key. The Oakley.log file is created in the %SystemRoot%\debug folder.
NOTE: A value of 0 for EnableLogging
disables logging.
7. Check VPN server log.
8. Netsh: use "netsh ipsec static show gpoassignedpolicy" or "netsh ipsec dynamic show all" to view the name of the active IPSec policy and the name of the Group Policy object to which it is assigned. Viewing IPSec policy assignment information this way is useful for troubleshooting policy precedence issues.
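The collection parts of the steps above can be scripted. The following PowerShell is an added example, not code from the original page: it turns on the Oakley log from step 6, pulls the Security-log IKE negotiation failures (event 547) that step 1's audit policy produces, and saves the netdiag and netsh output from steps 2 and 8. It assumes PowerShell 2.0 or later on XP SP3 / Server 2003 or newer, an elevated prompt, and an output folder under %TEMP% (the folder name is an assumption).

```powershell
# Added example (not from the original page). Requires an elevated prompt.
$OakleyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'
$OutDir    = Join-Path $env:TEMP 'ipsec-diag'   # output folder is an assumption

function Set-OakleyLogging {
    # Step 6: EnableLogging = 1 turns the Oakley log on, 0 turns it off.
    param([int]$Enabled = 1)
    if (-not (Test-Path $OakleyKey)) { New-Item -Path $OakleyKey -Force | Out-Null }
    New-ItemProperty -Path $OakleyKey -Name 'EnableLogging' -PropertyType DWord `
        -Value $Enabled -Force | Out-Null
    # The Policy Agent (IPSEC Services) reads the value when it starts, so
    # restart it. Note this tears down current SAs; the log is then written
    # to %SystemRoot%\debug\Oakley.log.
    Restart-Service -Name PolicyAgent -Force
}

function Get-IpsecDiagnostics {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Step 1: once auditing is enabled, IKE failures appear in the Security
    # log as event 547 ("IKE security association negotiation failed").
    Get-EventLog -LogName Security -InstanceId 547 -Newest 50 -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, Message |
        Out-File (Join-Path $OutDir 'ike-failures.txt')

    # Step 2: netdiag exists only when the Windows Support Tools are installed.
    if (Get-Command netdiag.exe -ErrorAction SilentlyContinue) {
        netdiag /test:ipsec /debug | Out-File (Join-Path $OutDir 'netdiag-ipsec.txt')
    }

    # Step 8: active policy, and the GPO it is assigned from (precedence issues).
    netsh ipsec static show gpoassignedpolicy | Out-File (Join-Path $OutDir 'gpo-policy.txt')
    netsh ipsec dynamic show all            | Out-File (Join-Path $OutDir 'dynamic-all.txt')

    # Step 6: keep a copy of the Oakley log if logging has been enabled.
    $oakley = Join-Path $env:SystemRoot 'debug\Oakley.log'
    if (Test-Path $oakley) { Copy-Item $oakley $OutDir }

    Get-ChildItem $OutDir
}

Set-OakleyLogging -Enabled 1
Get-IpsecDiagnostics
```

Reproduce the failing ping after Set-OakleyLogging and before Get-IpsecDiagnostics so the Oakley log and event 547 entries cover the attempt; run Set-OakleyLogging -Enabled 0 afterwards to turn the log off again.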