Re: "There are 0 filters" using IPSec via GPO

From: Michael J. Reynolds (reynolds_at_u.washington.edu)
Date: 09/13/04


Date: Mon, 13 Sep 2004 11:35:25 -0700

Thanks for taking the time to write. Unfortunately, the steps you suggested
didn't help. I tried:

1) Deleting all IPSec policies in the GPO
2) Doing "restore default policies"
3) Doing "check policy integrity"
4) Doing "secedit /refreshpolicy machine_policy /enforce"

ipsecmon shows no connections being run thru ipsec, "netdiag /test:ipsec /v
/debug" still says "There are 0 filters"

I also tried:

1) Deleting all IPSec policies in the GPO
2) Deleting all IPSec policies in Local Security Settings
3) Doing "restore default policies" in Local Security Settings
4) Assigning "request security" policy in Local Security Settings, verifying
(ipsecmon, netdiag) that policies are working
5) Exporting IPSec policies from Local Security Settings to a file, importing
them into the GPO IPSec gui (and choosing the "delete existing policies"
checkbox, just for good measure)
6) Assigning the "request security" policy in the GPO
7) Doing "secedit /refreshpolicy machine_policy /enforce"
8) Verifying (event log, \winnt\debug\usermode\userenv.log) that policy has
been downloaded

Again, ipsecmon shows no connections being run thru ipsec, "netdiag
/test:ipsec /v /debug" still says "There are 0 filters"

In case anyone's curious, here are relevant status lines from userenv.log
after doing the latter procedure above:

USERENV(100.2f8) 11:20:34:148 ProcessGPOs: Processing extension IP Security
USERENV(100.2f8) 11:20:34:148 CompareGPOLists: One list is empty
USERENV(100.2f8) 11:20:34:148 ProcessGPOList: Entering for extension IP Security
USERENV(100.2f8) 11:20:34:210 ProcessGPOList: Extension IP Security returned 0x0.

Unless someone has any suggestions how to fix, I'm going to resort to just
importing policies to Local Security Settings on each server individually.
Maybe when I get my DC's upgraded to Server 2003 this'll work better?

--Mike Reynolds
  Libraries ITS
  University of Washington

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:M6t0d.279948$8_6.179130@attbi_s04...
>I have not seen that myself but if you have not tried this yet, delete all
>the policies in the GPO and then select Ipsec Security Policies in the left
>pane of security policy, right click and select all tasks - restore default
>policies. You also can try check policy integrity while there. If none of
>that helps it would be interesting to see what would happen if you exported
>the policies from a local policy that works fine and then import those into
>the GPO you are using after deleting the existing default policies
>first. --- Steve
>
>
> "Michael J. Reynolds" <reynolds@u.washington.edu> wrote in message
> news:O2xSqL5lEHA.3156@TK2MSFTNGP12.phx.gbl...
>> I'm using group policy (all DC's are Win2k) to apply IPSec group policy
>> to Win2k servers in an OU. "netdiag /test:ipsec /v /debug" returns the
>> following:
>>
>> ===============================================================
>> IP Security test . . . . . . . . . : Passed
>> Directory IPSec Policy Active: 'Server (Request Security)'
>> IP Security Policy Path:
>> LDAP://CN=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=xxx,DC=xxx,DC=xxx
>>
>> There are 0 filters
>> ===============================================================
>>
>> Note the problem: "there are 0 filters". If I then open Local Security
>> Policy (I get the "domain policy overrides this one" warning) and assign
>> the very same policy (status says "assigned, but DS policy overriding"),
>> netdiag returns:
>>
>> ===============================================================
>> IP Security test . . . . . . . . . : Passed
>> Directory IPSec Policy Active: 'Server (Request Security)'
>> IP Security Policy Path:
>> LDAP://CN=ipsecPolicy{72385230-70FA-11D1-864C-14A30000000},CN=IP Security,CN=System,DC=lib,DC=washington,DC=edu
>>
>> There are 8 filters
>> ICMP
>> Filter Id: {3BA29370-9E58-4A6C-9C44-91ABFE862C53}
>> Policy Id: {E027E173-05A6-4450-B2EF-DC8590EBBB03}
>> Src Addr : xxx.xxx.xxx.xxx Src Mask : 255.255.255.255
>> Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
>> Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
>> Protocol : 1 TunnelFilter: No
>> Flags : Outbound
>> <... listing for seven more filters...>
>> ===============================================================
>>
>> so there's nothing wrong in general with using "Server (Request
>> Security)" policy. So why do no filters apply when I assign this policy
>> via a domain GPO?
>>
>> I've checked everything I can think of, have created simple filter lists
>> and tried those, have turned on ipsec debugging and gotten output from
>> userenv.log (no enlightenment there), have turned on "block policy
>> inheritance" and "no override" in my domain group policy editor to keep
>> other GPO's from preventing this one from being applied. I've reset
>> local policy and GPO back to default policy lists, I've blinked IP policy
>> assistant, I've done many, many "secedit /refreshpolicy machine_policy
>> /enforce" commands after unassigning, disabling, deleting, and otherwise
>> changing policy, and each time, if I assign any IPSec policy via GPO from
>> the DC, I always get the maddening "There are 0 filters" problem. I've tried
>> moving a different (very clean) server into this OU, thinking maybe
>> something was corrupt on this particular client, but get the same result on
>> that server. I've added the user I'm doing this as to the domain "Group
>> Policy Creator Owners" group.
>>
>> I'm certain that in fact the filters are not "active" because ipsecmon
>> shows none present and because I've done test IPSec rules disabling ICMP
>> or various network protocols and tests always indicate the IPSec policy
>> works if done locally from Local Security Policy, but if done via domain
>> GPO IPSec policy has no effect.
>>
>> I've spent two days searching via google, Technet, and this newsgroup and
>> found no mention of anyone else having this problem, and am ready to give up
>> and just manually configure IPSec locally on all of our servers, but I
>> really hate not using group policy for this just because I can't get it
>> to work. Does anybody have any suggestions on how to fix?
>>
>> Thanks in advance for any advice.
>>
>> Mike Reynolds
>> ITS dept
>> University of Washington Libraries
>> reynolds@u.washington.edu
>>
>
>
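Added example, not part of this thread: a small Python parser for the "netdiag /test:ipsec /v /debug" output quoted above. It flags the condition the thread is about (a directory policy reported as active while the IPSec driver holds 0 filters), so the check can be run over captured output from many servers instead of being read by eye. The two sample outputs are constructed from the listings in the thread (the working case shortened to two filters, with the second filter GUID invented).

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed samples modelled on the netdiag output quoted in the thread (not real captures).
NETDIAG_NO_FILTERS = """\
IP Security test . . . . . . . . . : Passed
Directory IPSec Policy Active: 'Server (Request Security)'
There are 0 filters
"""
NETDIAG_WITH_FILTERS = """\
IP Security test . . . . . . . . . : Passed
Directory IPSec Policy Active: 'Server (Request Security)'
There are 2 filters
Filter Id: {3BA29370-9E58-4A6C-9C44-91ABFE862C53}
Flags : Outbound
Filter Id: {1F4A9C22-0B7E-4D31-8E5A-3C9D0F6B2A11}
Flags : Inbound
"""

@dataclass
class IpsecStatus:
    test_passed: bool
    policy_source: Optional[str]  # word before "IPSec Policy Active", e.g. "Directory"
    active_policy: Optional[str]  # assigned policy name, None if nothing is assigned
    filter_count: int             # the N in "There are N filters"
    filter_ids: List[str]         # every "Filter Id: {...}" GUID actually listed

def parse_netdiag_ipsec(text: str) -> IpsecStatus:
    """Pull the IPSec fields out of netdiag /test:ipsec /v /debug output."""
    passed = re.search(r"^IP Security test[ .]*:\s*(\w+)", text, re.M)
    active = re.search(r"^(\w+) IPSec Policy Active:\s*'([^']*)'", text, re.M)
    count = re.search(r"^There are (\d+) filters", text, re.M)
    return IpsecStatus(
        test_passed=bool(passed) and passed.group(1) == "Passed",
        policy_source=active.group(1) if active else None,
        active_policy=active.group(2) if active else None,
        filter_count=int(count.group(1)) if count else 0,
        filter_ids=re.findall(r"^Filter Id:\s*(\{[0-9A-Fa-f-]{36}\})", text, re.M),
    )

def diagnose(status: IpsecStatus) -> str:
    # One-line verdict; the thread's symptom is an assigned policy with 0 filters loaded.
    if not status.test_passed:
        return "netdiag IP Security test did not pass"
    if status.active_policy is None:
        return "no IPSec policy assigned"
    if status.filter_count == 0:
        return f"{status.policy_source} policy '{status.active_policy}' assigned but 0 filters loaded"
    if len(status.filter_ids) != status.filter_count:
        return f"header says {status.filter_count} filters but {len(status.filter_ids)} listed"
    return f"ok: {status.filter_count} filters active under '{status.active_policy}'"
```

Feed it the saved output of netdiag from each server; any "assigned but 0 filters loaded" verdict is a host where the policy is present in the directory but not enforcing anything.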
