XP SP2 authenticated IPSEC firewall bypass

Posted on 2005-03-01
Medium Priority
Last Modified: 2012-08-14
I have deployed both IPSEC and Windows XP SP2 on my LAN. My idea was to have the Windows Firewall fully locked-down on client PCs, but allow authenticated IPSEC bypass. This would mean that users in the office would be able to talk to each other, but laptops that travel to other locations would be locked-down, and client PCs would also appear fully locked-down to any guest laptop that might appear in our conference room.

In Group Policy, I have enabled Computer Settings - Administrative Templates - Network - Network Connections - Windows Firewall - Allow authenticated IPSEC bypass, and set the IPSec peers value to:


Since I want all of our XP SP2 computers to follow this policy, the SID is that of "Domain Computers" which contains every computer account. (I retrieved the SID using getsid.exe, as recommended.) After reading the documentation, I'm still not sure if the SID is supposed to specify which computers the policy applies to, or if the policy applies to all computers that receive the group policy but the SID indicates which other computers are permitted to bypass the firewall. If I can get it to work at all, then I can determine this by trial and error.

My problem is, it doesn't work at all; the firewall policy is never bypassed, regardless of which group I set the SID to.

Has anyone gotten this to work? What am I missing?

Question by:ghjm
Author Comment

ID: 13435736
Oh, one other thing: I know that IPSEC is working. I have set up a firewall rule that permits port 500 udp traffic, to allow isakmp to operate; and I have verified using the IP Security Monitor management console that IPSEC is actually being established between the two peers. When I permit an exception in Windows Firewall, everything works, and I get IPSEC packet counts, etc. I haven't actually run network captures, but I am pretty confident that the two computers are speaking IPSEC to each other. The problem appears to be that the bypass policy isn't being applied, or doesn't work the way I think it should.


Author Comment

ID: 13486545
Ok, the answer was: In my IPSEC policy, "Enable certificate to account mapping" was not checked. This is required so that the IPSEC engine can look up group memberships on the computer account.
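The IPSec peers value this policy takes is an SDDL string naming the group whose members may bypass the firewall. The following PowerShell is an added example (not from this thread or from Microsoft) that builds that string for the "Domain Computers" group and parses it back to confirm it is well-formed and grants the expected SID. It assumes the policy expects the form O:DAG:DAD:(A;;RCGW;;;<SID>) (taken from the policy's help text, not from this page) and uses a constructed sample domain SID; replace it with the one from getsid.exe.

```powershell
# Added example: build and sanity-check the SDDL string for the
# "Allow authenticated IPSec bypass" policy. Not code from the original thread.
# Assumption: the policy expects O:DAG:DAD:(A;;RCGW;;;<SID>); the domain SID
# below is a constructed sample, not a real one.

$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed sample
$domainComputersSid = "$domainSid-515"   # RID 515 is the well-known "Domain Computers" RID

function New-IpsecBypassSddl {
    param([Parameter(Mandatory = $true)][string]$Sid)
    # Reject anything that is not a syntactically valid SID before embedding it.
    $null = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    return "O:DAG:DAD:(A;;RCGW;;;$Sid)"
}

function Test-IpsecBypassSddl {
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,
        [Parameter(Mandatory = $true)][string]$ExpectedSid
    )
    # The .NET SDDL parser throws on a malformed string, which is the first
    # thing to rule out when the bypass silently never applies.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    # Look for an access-allowed ACE whose trustee is the expected group SID.
    $match = $sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $_.SecurityIdentifier.Value -eq $ExpectedSid
    }
    return [bool]$match
}

$sddl = New-IpsecBypassSddl -Sid $domainComputersSid
Write-Output $sddl
Write-Output ("Grants expected SID: " + (Test-IpsecBypassSddl -Sddl $sddl -ExpectedSid $domainComputersSid))

# On a domain-joined machine, confirm the SID really resolves to Domain Computers:
# (New-Object System.Security.Principal.SecurityIdentifier($domainComputersSid)).Translate(
#     [System.Security.Principal.NTAccount])
```

A well-formed string that names the right group still does nothing unless the IPSec policy has "Enable certificate to account mapping" turned on, since that is what lets the IPSec engine resolve the peer's certificate to a computer account and check its group membership.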

Accepted Solution

modulo earned 0 total points
ID: 13491335
Closed, 500 points refunded.

Community Support Moderator
Experts Exchange
