XP SP2 authenticated IPSEC firewall bypass

I have deployed both IPSEC and Windows XP SP2 on my LAN. My idea was to have the Windows Firewall fully locked-down on client PCs, but allow authenticated IPSEC bypass. This would mean that users in the office would be able to talk to each other, but laptops that travel to other locations would be locked-down, and client PCs would also appear fully locked-down to any guest laptop that might appear in our conference room.

In Group Policy, I have enabled Computer Settings - Administrative Templates - Network - Network Connections - Windows Firewall - Allow authenticated IPSEC bypass, and set the IPSec peers value to:


Since I want all of our XP SP2 computers to follow this policy, the SID is that of "Domain Computers" which contains every computer account. (I retrieved the SID using getsid.exe, as recommended.) After reading the documentation, I'm still not sure if the SID is supposed to specify which computers the policy applies to, or if the policy applies to all computers that receive the group policy but the SID indicates which other computers are permitted to bypass the firewall. If I can get it to work at all, then I can determine this by trial and error.

My problem is, it doesn't work at all; the firewall policy is never bypassed, regardless of which group I set the SID to.

Has anyone gotten this to work? What am I missing?

1 Solution
ghjm (Author) commented:
Oh, one other thing: I know that IPSEC is working. I have set up a firewall rule that permits port 500 udp traffic, to allow isakmp to operate; and I have verified using the IP Security Monitor management console that IPSEC is actually being established between the two peers. When I permit an exception in Windows Firewall, everything works, and I get IPSEC packet counts, etc. I haven't actually run network captures, but I am pretty confident that the two computers are speaking IPSEC to each other. The problem appears to be that the bypass policy isn't being applied, or doesn't work the way I think it should.

ghjm (Author) commented:
Ok, the answer was: In my IPSEC policy, "Enable certificate to account mapping" was not checked. This is required so that the IPSEC engine can look up group memberships on the computer account.
Closed, 500 points refunded.

Community Support Moderator
Experts Exchange
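The fix above hinges on the policy's "IPsec peers" value, an SDDL string naming the group whose authenticated IPsec traffic may bypass the firewall. As an added example (not from the original thread), here is a small Python checker for that string; it assumes the policy's documented O:DAG:DAD:(A;;RCGW;;;<SID>) form, uses a constructed placeholder domain SID, reads the SIDs as the peers granted bypass, and flags a grant to Everyone or Authenticated Users, which would open the bypass to any peer that can authenticate.

```python
import re

# SDDL as used by the XP SP2 policy "Allow authenticated IPsec bypass".
# The "RCGW" access mask is the form the policy expects (assumed here from the
# policy's documented format; the original post does not show its value).
SDDL_RE = re.compile(r"^O:([A-Z]{2}|S-1-[\d-]+)G:([A-Z]{2}|S-1-[\d-]+)D:((?:\([^)]*\))+)$")
ACE_RE = re.compile(r"\(([^)]*)\)")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
DOMAIN_COMPUTERS_RID = "515"  # RID of the built-in "Domain Computers" group

def parse_ipsec_bypass_sddl(sddl):
    """Return [(ace_type, rights, sid)] for each ACE in the DACL, or raise ValueError."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:..G:..D:(...) security descriptor string")
    aces = []
    for body in ACE_RE.findall(m.group(3)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE must have six ';'-separated fields: %r" % body)
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        if not SID_RE.match(trustee):
            raise ValueError("trustee must be a literal SID: %r" % trustee)
        aces.append((ace_type, rights, trustee))
    return aces

def describe_sid(sid):
    """Name the principal a SID refers to, as far as its well-known parts allow."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    rid = sid.split("-")[-1]
    if sid.startswith("S-1-5-21-") and rid == DOMAIN_COMPUTERS_RID:
        return "Domain Computers"
    return "domain account/group RID %s" % rid

def check_ipsec_bypass_sddl(sddl):
    """Summarise who the policy string lets bypass the firewall; flag over-broad grants."""
    findings = []
    for ace_type, rights, sid in parse_ipsec_bypass_sddl(sddl):
        if ace_type != "A":
            findings.append("ACE type %r is not an allow ACE; no bypass for %s" % (ace_type, sid))
            continue
        if rights != "RCGW":
            findings.append("unexpected access mask %r for %s" % (rights, sid))
        who = describe_sid(sid)
        if who in WELL_KNOWN.values():
            findings.append("WARNING: %s (%s) bypasses for any IPsec peer that authenticates" % (who, sid))
        else:
            findings.append("bypass granted to %s (%s)" % (who, sid))
    return findings
```

The placeholder SID S-1-5-21-1111111111-2222222222-3333333333-515 used in the checks is constructed; substitute the value getsid.exe returns for your own Domain Computers group.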
