Networking Forums

IPSec negotiation fails after new rule creation

 
 
Raghavendra PD

 
      09-07-2004, 09:43 AM
The problem is happening on Windows 2003 Server machines. Step-wise
description as follows:

1. On a Windows 2003 machine (say machine A), create a local (registry)
policy and de-select 'default rule'.
2. Assign the policy.
3. For a destination (this is also a Windows 2003 machine, say machine B, on
which IPSec administration is already done) create rules on the policy which
is already assigned, in tunnel mode and using preshared key authentication.
4. After this, the connection between machines A and B is not established until
I de-assign and re-assign the policy on machine A.
5. After this, create rules for another machine, say C. Even in this case I
have to de-assign and re-assign the policy on A to establish a connection to C.

Note: All the above IPSec administration is done using the 'netsh ipsec static'
command.

The following is my understanding, and the same is expected:
In the case of local policies, which are stored in the registry, any
addition/modification of rules is immediately applied and communication through
these rules happens without the need to de-assign and re-assign the policy
which is already applied at the time of rule creation/modification.

When I searched the internet for help I got the following information, which
is inconsistent.

Info. in link 1:

http://www.microsoft.com/resources/d...cpolassign.asp.
"You can update a persistent policy at any time, as long as the IPSec
service is running. However, changes in persistent policy are not active
immediately. You must restart the IPSec service to load the new persistent
policy settings. "


Info. in link 2:
http://support.microsoft.com/?id=813878
"In situations where the IPSec policy is applied only on the local computer,
you do not have to restart the service."

Thanks in advance,
Raghavendra
Christopher Black [MSFT]

 
      09-08-2004, 07:24 PM
The 'netsh ipsec static' commands are intended to modify the policy store
(but not the in-memory policy as it was originally loaded). So when you
un-assign and re-assign, the policy is reloaded and the changes that you made
come into effect.

If you want to modify the currently loaded policy you should use the 'netsh
ipsec dynamic' context.

If you want to affect both, then you need to use both the 'netsh ipsec
static' and 'netsh ipsec dynamic' commands.

-- Chris
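
As an added example (not code from the thread), the batch script below does what Chris describes for the poster's scenario on machine A: it appends a pair of tunnel rules for a new peer to the persistent store with 'netsh ipsec static', then either makes the IPSec service reload that store (unassign/reassign, what the poster was doing by hand) or, if run as `tunnel.cmd dynamic`, pushes the equivalent rules into the running policy with 'netsh ipsec dynamic'. The policy name, addresses, filter-action name, main/quick-mode policy names and pre-shared key are placeholders I chose; the script assumes the policy named in POLICY already exists and is assigned, as in steps 1 and 2 of the original post, and it is run from a command prompt with administrative rights.

```batch
@echo off
setlocal
rem Added example, not code from the thread. Every value below is a placeholder.
set POLICY=LocalTunnelPolicy
set LOCAL=192.0.2.10
set PEER=192.0.2.20
set PSK=replace-with-a-long-random-secret

rem ===== 1. Persistent policy store ('netsh ipsec static') =====
rem Tunnel-mode filters cannot be mirrored, so each direction needs its own
rem filter list, filter and rule: that is the "six commands" per destination.
netsh ipsec static add filteraction name=NegotiateOnly action=negotiate
netsh ipsec static add filterlist name=ToPeer
netsh ipsec static add filter filterlist=ToPeer srcaddr=%LOCAL% dstaddr=%PEER% protocol=ANY mirrored=no
netsh ipsec static add filterlist name=FromPeer
netsh ipsec static add filter filterlist=FromPeer srcaddr=%PEER% dstaddr=%LOCAL% protocol=ANY mirrored=no
rem The tunnel endpoint of each rule is the far end of that direction.
netsh ipsec static add rule name=TunnelOut policy=%POLICY% filterlist=ToPeer filteraction=NegotiateOnly tunnel=%PEER% psk="%PSK%"
netsh ipsec static add rule name=TunnelIn policy=%POLICY% filterlist=FromPeer filteraction=NegotiateOnly tunnel=%LOCAL% psk="%PSK%"

if /i "%~1"=="dynamic" goto dynamic

rem ===== 2a. Make the running policy match the store =====
rem Store edits do not touch the policy the IPSec service already loaded;
rem unassigning and reassigning forces a reload.
netsh ipsec static set policy name=%POLICY% assign=n
netsh ipsec static set policy name=%POLICY% assign=y
goto verify

:dynamic
rem ===== 2b. Alternative: edit the running policy directly =====
rem Same tunnel expressed in the 'dynamic' context, which needs its own
rem main-mode and quick-mode policies. These rules live only in memory and
rem are gone after the IPSec service restarts. Parameter names are taken from
rem the Windows Server 2003 netsh help; confirm with: netsh ipsec dynamic add rule ?
netsh ipsec dynamic add mmpolicy name=TunnelMM mmsecmethods="3DES-SHA1-2"
netsh ipsec dynamic add qmpolicy name=TunnelQM qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec dynamic add rule srcaddr=%LOCAL% dstaddr=%PEER% mmpolicy=TunnelMM qmpolicy=TunnelQM protocol=ANY mirrored=no tunneldst=%PEER% psk="%PSK%"
netsh ipsec dynamic add rule srcaddr=%PEER% dstaddr=%LOCAL% mmpolicy=TunnelMM qmpolicy=TunnelQM protocol=ANY mirrored=no tunneldst=%LOCAL% psk="%PSK%"

:verify
rem ===== 3. Compare the store with what the service is actually enforcing =====
netsh ipsec static show policy name=%POLICY% level=verbose
netsh ipsec dynamic show all
endlocal
```

Two caveats a practitioner should keep in mind. The unassign/reassign pair is a gap: between the two commands no policy is active on machine A, so traffic to peers that were already configured is either sent in the clear or dropped for that interval, depending on the peer's policy; the dynamic context avoids the gap but its rules are volatile, which is why Chris says to do both when you want the change to survive a service restart. And the pre-shared key is written to the registry in plain text and is echoed back by the 'show' commands, so PSK authentication is fine for a lab test like this one but certificates or Kerberos belong in production.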


Raghavendra PD

 
      10-14-2004, 04:05 AM
The problem happens sporadically, i.e., sometimes administration through
'netsh ipsec static ...' commands is reflected immediately even if the
corresponding 'netsh ipsec dynamic ...' commands are not run.

Also, isn't there a single command which refreshes the memory with changes
in the persistent policy?
This is because to configure a new IPSec destination we have to run 6 commands
in the static mode. It doesn't make sense to run similar six commands in
dynamic mode (the syntax of static and dynamic commands is different).
