NAP+IPSec - IPSec Rules

  • Question

  • Good afternoon everyone,
    I need some help. I am implementing NAP + IPsec; this is my scenario:

    1 DC
    1 server for NAP
    1 Windows XP computer
    1 Windows 7 computer

    I used the Step by Step Guide to NAP + IPSec, and after correcting some details that came up along the way, I got my implementation working, but not 100%.

    I configured the two PCs to be compliant; I checked that they have health certificates, and everything works fine: I have ping, RDP and file sharing.

    But when I make my Windows 7 computer noncompliant and it no longer has the health certificate, I cannot get the XP computer to stop responding to ping, RDP and file sharing. I have checked the IPsec rule configuration again and again, but still no success.

    I would appreciate your help.


    Carlos Landaverry

    Thursday, March 14, 2013 10:33 PM

All replies

  • Hi,

    Did you configure legacy IPsec for the XP computer, and connection security rules for the Windows 7 computer?

    Note that connection security rules are ignored by XP. Also see the table at http://technet.microsoft.com/en-us/library/dd125389(v=ws.10).aspx for details on expected behavior. Computers running XP also have some issues. A connection between two computers running XP or between two computers running Windows 7 should work as expected, but when you mix the two operating systems the behavior can be unexpected because you are applying two different kinds of IPsec rules (Vista, Win7, and Win8 use AuthIP but XP does not).


    Monday, March 18, 2013 2:18 AM
  • Thanks Greg,

    I'm sorry for my delay in answering.

    How do I configure legacy IPsec for the XP computer?



    Monday, April 1, 2013 6:12 PM
  • Hi Carlos,

    To configure these policies in Group Policy, see http://technet.microsoft.com/en-us/library/dd314176.aspx. There are instructions here for both Vista (which applies to Win7 and Win8 also) and XP. The section for XP is called "Configure the XP IPsec Secure GPO." The instructions assume you've already created OUs using this procedure: http://technet.microsoft.com/en-us/library/dd314169(v=ws.10).aspx.

    The two places where the different policies are configured in the Group Policy Editor are shown below:



    Monday, April 1, 2013 6:29 PM
  • Hello Greg,
    I really appreciate your help. I've been reviewing the different documentation that you sent me, but I still have the problem, and I have also reviewed the computers that have Windows 7.

    Any idea?


    Wednesday, April 3, 2013 4:40 PM
  • Hi Carlos,

    When a connection is made between two computers using IPsec, this connection can persist. Starting and stopping the IPsec service will prevent established tunnels from persisting when conditions change:

    net stop policyagent and net start policyagent

    To do this in a single command, type: net stop policyagent && net start policyagent

    You can also set up the IPsec security monitor and watch the connection.

    • Click Start, click Run, type MMC, and then click OK.
    • Click File, click Add/Remove Snap-in, and then click Add.
    • Click IP Security Monitor, and then click Add.
    • Click Close, and then click OK.

    See http://technet.microsoft.com/en-us/library/cc787758.aspx

    I hope this helps,


    P.S. Ping will always give confusing results if you are using two computers on the same subnet, because broadcasts occur that affect results. File sharing is the most dependable thing to test.
    Wednesday, April 3, 2013 4:53 PM
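The checks Greg spreads across his replies (whether the client has a health certificate, restarting the Policy Agent so an established IPsec SA does not outlive a revoked certificate, watching the security associations, and testing file sharing rather than ping) collected into one troubleshooting pass run on the Windows 7 client. This is an added example, not code from the thread or from Microsoft's guide; it assumes an elevated PowerShell session on Windows 7, and the XP host name and share name are placeholders.

```powershell
# Added example (not from the original thread): one troubleshooting pass on the
# Windows 7 client after switching it between compliant and noncompliant.
# Assumptions: elevated PowerShell on Windows 7; the XP computer name and the
# share on it below are placeholders for your own environment.
$XpHost  = 'XP-PC'              # placeholder: the XP computer's name
$XpShare = "\\$XpHost\Public"   # placeholder: a share on the XP computer

# 1. NAP enforcement client state: shows whether the IPsec Relying Party
#    enforcement client is enabled and what compliance state the client reports.
netsh nap client show state

# 2. Health certificate check. The NAP health certificate carries the
#    "System Health Authentication" enhanced key usage; on a noncompliant
#    client it should no longer be present in the machine store.
$health = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList | Where-Object { $_.FriendlyName -like '*Health*' } }
if ($health) {
    "Health certificate present: $($health.Subject), expires $($health.NotAfter)"
} else {
    'No health certificate in LocalMachine\My (expected for a noncompliant client)'
}

# 3. An established IPsec SA can persist after the certificate is gone, which is
#    why the XP side keeps answering. Restarting the IPsec Policy Agent drops the
#    existing SAs so the next connection has to renegotiate under the current state.
#    Run the equivalent on the XP side too: net stop policyagent && net start policyagent
Restart-Service PolicyAgent -Force
Start-Sleep -Seconds 5

# 4. Main-mode and quick-mode SAs; both lists should be empty right after the restart.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# 5. Test file sharing, the dependable check, instead of ping.
if (Test-Path $XpShare) {
    "$XpShare reachable: the XP IPsec policy did NOT block this client"
} else {
    "$XpShare not reachable: traffic was blocked or IPsec negotiation failed"
}

# 6. Confirm which connection security rules the Windows 7 side is enforcing
#    (remember that XP ignores these and only honours legacy IPsec policy).
netsh advfirewall monitor show consec
```

If step 5 still succeeds after the Policy Agent restart on both machines, clear any cached SMB session first (`net use \\XP-PC\Public /delete`) and repeat; an open SMB session can survive the SA restart and make the share look reachable when a new negotiation would actually fail.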