Problem with /32 subnet masks and Connection Security Rules

    General discussion

  • We're utilizing Connection Security Rules to build VPN tunnels between a 2008 R2 host and VPN endpoints. Everything works as expected except /32 subnet masks. If we specify a single IP for either of the endpoints, Windows will send a "" subnet mask instead of a "" subnet mask and the tunnel will fail Phase 2 (Quick Mode). I tried specifying both /32 and / but neither works (still sends Also, it only fails if I initiate from the server itself - if the remote endpoint initiates, it works fine. Seems like a bug. From event viewer:

    An IPsec quick mode negotiation failed.

    Local Endpoint:
      Network Address:
      Network Address mask:
      Port: 0
      Tunnel Endpoint: x.x.x.x

    Remote Endpoint:
      Network Address:
      Address Mask:
      Port: 0
      Tunnel Endpoint: x.x.x.x
      Private Address:

    Additional Information:
      Protocol: 0
      Keying Module Name: IKEv1
      Virtual Interface Tunnel ID: 0
      Traffic Selector ID: 0
      Mode: Tunnel
      Role: Initiator
      Quick Mode Filter ID: 82196
      Main Mode SA ID: 28

    Failure Information:
      State: Sent first (SA) payload
      Message ID: 1
      Failure Point: Local computer
      Failure Reason: Error processing Notify payload

    Jeff Graves, ORCS Web, Inc.
    Monday, May 24, 2010 10:45 PM

All replies

  • Hi Jeff Graves - ORCS Web,

    For further investigation, could you please paste your connection security rules here?

    Please follow the steps below:

        In the "Windows Firewall with Advanced Security" MMC snap-in, right-click "Connection Security Rules" (located in the left tree) and click "Export List...".

        Export to a file and paste the resulting list here; also, please tell us your rule's name.

    Here are some articles about how to troubleshoot IPsec issues, for your reference:

    IPsec Troubleshooting

    IPsec troubleshooting tools

    Tiger Li

    Tuesday, June 01, 2010 12:37 AM
  • Here's the rule as requested:

    Name Enabled Endpoint 1 Endpoint 2 Authentication mode Authentication method Endpoint 1 port Endpoint 2 port Protocol Group 
    VPN Tunnel 1 Yes,,, Require inbound and outbound Custom Any Any Any  

    From Netsh:

    Rule Name:                            VPN Tunnel 1
    Enabled:                              Yes
    Profiles:                             Domain,Private,Public
    Type:                                 Static
    Mode:                                 Tunnel
    LocalTunnelEndpoint:                  x.x.x.x
    RemoteTunnelEndpoint:                 x.x.x.x
    Endpoint2:                  ,,,
    Protocol:                             Any
    Action:                               RequireInRequireOut
    Auth1:                                ComputerPSK
    Auth1PSK:                             xxxxxx
    MainModeSecMethods:                   DHGroup2-3DES-MD5,DHGroup2-AES128-MD5
    QuickModeSecMethods:                  ESP:MD5-None+960min+100000kb,AH:MD5+960min+100000kb,ESP:MD5-3DES+960min+100000kb,ESP:MD5-AES128+960min+100000kb
    ExemptIPsecProtectedConnections:      No
    ApplyAuthorization:                   No

    Jeff Graves, ORCS Web, Inc.
    Tuesday, June 01, 2010 1:10 PM
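As an added example (not code from the thread or from Microsoft), here is a small Python audit for netsh `consec` rule output in the layout shown above: it lists endpoints that resolve to a single host (the /32 case this thread is about) and flags Main Mode / Quick Mode proposals that use MD5, 3DES, DH group 2 or a null ESP cipher. The sample text and its documentation-range addresses are constructed stand-ins for the redacted values.

```python
import re
import ipaddress

# Constructed sample in the layout of `netsh advfirewall consec show rule`;
# documentation-range addresses stand in for the thread's redacted values.
SAMPLE_NETSH = """\
Rule Name:                            VPN Tunnel 1
LocalTunnelEndpoint:                  198.51.100.1
RemoteTunnelEndpoint:                 203.0.113.1
Endpoint1:                            192.0.2.0/24
Endpoint2:                            10.0.0.5
MainModeSecMethods:                   DHGroup2-3DES-MD5,DHGroup2-AES128-MD5
QuickModeSecMethods:                  ESP:MD5-None+960min+100000kb,AH:MD5+960min+100000kb
"""
# MD5/3DES/DES are deprecated, DH groups 1-2 are 768/1024-bit, and "None" as
# the ESP cipher means integrity only, no confidentiality.
WEAK_TOKENS = {"MD5", "3DES", "DES", "DHGroup1", "DHGroup2", "None"}

def parse_rule(text):
    """Turn netsh 'Key:   value' lines into a dict keyed as netsh prints them."""
    rule = {}
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m:
            rule[m.group(1).strip()] = m.group(2).strip()
    return rule

def host_endpoints(rule):
    """Endpoint entries covering exactly one address (/32), the failing case in the thread."""
    hosts = []
    for key in ("Endpoint1", "Endpoint2"):
        for item in rule.get(key, "").split(","):
            try:
                net = ipaddress.ip_network(item.strip(), strict=False)
            except ValueError:
                continue  # 'Any', empty entries or a-b ranges are not single hosts
            if net.num_addresses == 1:
                hosts.append((key, str(net)))
    return hosts

def weak_methods(rule):
    """(field, proposal, weak tokens) for each proposal that uses a flagged algorithm."""
    flagged = []
    for key in ("MainModeSecMethods", "QuickModeSecMethods"):
        for proposal in filter(None, rule.get(key, "").split(",")):
            bad = sorted(WEAK_TOKENS & set(re.split(r"[-:+]", proposal)))
            if bad:
                flagged.append((key, proposal, bad))
    return flagged
```

Run it against the output of `netsh advfirewall consec show rule name=all` to spot single-host endpoints before they hit the Quick Mode failure described above, and to catch weak proposals at the same time.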