XP SP2 authenticated IPSEC firewall bypass
Posted on 2005-03-01
I have deployed both IPSEC and Windows XP SP2 on my LAN. My idea was to have the Windows Firewall fully locked-down on client PCs, but allow authenticated IPSEC bypass. This would mean that users in the office would be able to talk to each other, but laptops that travel to other locations would be locked-down, and client PCs would also appear fully locked-down to any guest laptop that might appear in our conference room.
In Group Policy, I have enabled Computer Settings - Administrative Templates - Network - Network Connections - Windows Firewall - Allow authenticated IPSEC bypass, and set the IPSec peers value to:
Since I want all of our XP SP2 computers to follow this policy, the SID is that of "Domain Computers" which contains every computer account. (I retrieved the SID using getsid.exe, as recommended.) After reading the documentation, I'm still not sure if the SID is supposed to specify which computers the policy applies to, or if the policy applies to all computers that receive the group policy but the SID indicates which other computers are permitted to bypass the firewall. If I can get it to work at all, then I can determine this by trial and error.
My problem is, it doesn't work at all; the firewall policy is never bypassed, regardless of which group I set the SID to.
Has anyone gotten this to work? What am I missing?
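For anyone checking a deployment like the one described above, the following is an added PowerShell example (not from the original post) that resolves a group's SID the way getsid.exe does and assembles the value the "Allow authenticated IPsec bypass" policy takes. It assumes the policy value is an SDDL string of the documented form `O:DAG:DAD:(A;;RCGW;;;<SID>)`, where the SID names the peer computers that are allowed to bypass the firewall, and that the machine running it is domain-joined so the group lookup succeeds. The group name is a constructed default.

```powershell
# Added example, not code from the original post.
# Assumption: the "Allow authenticated IPsec bypass" policy expects an SDDL
# string of the form O:DAG:DAD:(A;;RCGW;;;<SID>), one ACE per peer group.
param(
    [string]$GroupName = 'Domain Computers'   # constructed default; any domain group works
)

# Resolve the group's SID via .NET instead of getsid.exe.
# Requires a domain-joined host that can reach a domain controller.
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Build the policy value: an Allow ACE (A) granting RC (read control) and
# GW (generic write) to the resolved SID.
$sddl = "O:DAG:DAD:(A;;RCGW;;;$sid)"

# Parse the string back before it is pasted into Group Policy, so a malformed
# SID or ACE fails here rather than silently producing a policy that never matches.
$descriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
foreach ($ace in $descriptor.DiscretionaryAcl) {
    '{0} -> {1}' -f $ace.SecurityIdentifier, $ace.AceType
}

# Output the finished value for the policy's "IPsec peers" field.
$sddl
```

Two checks worth doing before blaming the policy itself: confirm the SID printed by the script is the one actually present in the policy value on the client (a mistyped or truncated SID produces exactly the "never bypassed" symptom), and confirm that the IPsec negotiation between the two peers is actually succeeding, since the bypass only applies to traffic that arrives already authenticated by IPsec.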