Negotiating IP security

ian-pearce
I have a stand-alone Vista Home edition PC. When I try to connect it to the network (workgroup) it connects, but cannot browse the internet as it cannot connect to the DNS server. When I ping the DNS server, it comes up with "negotiation ip security" four times and never gets a response from the target. Actually, it happens if I try to ping any other IP address on the network.
It is my understanding this is related to IPsec; however, I have no policy set on this PC as far as I know, and since it is Home edition there is no secpol.msc file. Any suggestions why this might be happening?
Thank you.
Can you use gpedit.msc?

If so, check out

Computer Config/Windows Settings/Security Settings/IP Security Policies

Regards

Author

Commented:
Ignatious
Thank you for the reply. No, cannot use it; it does not come with Vista Home edition.
How about running mmc then adding the "ip security policies" snap-in?

Author

Commented:
I did that, but there are no IP security policies defined. Any suggestions what I could do?
If so, look through this article - says it applies even to Vista Home Basic

http://support.microsoft.com/kb/942964 

Is it possible the issue lies not with the client, but that you've configured the servers to "require" IPsec rather than to "request" it? Vista Home would be unable to handle this (I suspect), as IPsec generally authenticates either using Kerberos (you're not a domain member) or certificates (you'd know all this already if you'd managed to set IPsec up with certificates).

Anything interesting if you type the following?

netsh ipsec dynamic show all

Author

Commented:
Thanks for all that, I will look into it. At the moment I am a bit lost, but will let you know.

Author

Commented:
OK, here is the output of the command, but I cannot make anything out of it:
C:ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\netsh ipsec dynamic show all
No currently assigned Policy

Mainmode Policies not available.


Quickmode Policies not available.


Generic Mainmode Filters not available.


Specific Mainmode Filters not available.


Generic Quickmode Filters not available.


Specific Quickmode Filters not available.


IPsec MainMode Security Associations not available.


IPsec QuickMode Security Associations not available.


IPsec Configuration Parameters
------------------------------
StrongCRLCheck         : 1
IPsecexempt            : 3


IKE Statistics
--------------

Main Modes                  : 0
Quick Modes                 : 0
Soft SAs                    : 0
Authentication Failures     : 0
Active Acquire              : 0
Active Receive              : 0
Acquire fail                : 0
Receive fail                : 0
Send fail                   : 0
Acquire Heap size           : 0
Receive Heap size           : 0
Negotiation Failures        : 0
Invalid Cookies Rcvd        : 0
Total Acquire               : 0
TotalGetSpi                 : 0
TotalKeyAdd                 : 0
TotalKeyUpdate              : 0
GetSpiFail                  : 0
KeyAddFail                  : 0
KeyUpdateFail               : 0
IsadbListSize               : 0
ConnListSize                : 0
Invalid Packets Rcvd        : 0


IPsec Statistics
----------------

Active Assoc                : 0
Offload SAs                 : 0
Pending Key                 : 1
Key Adds                    : 0
Key Deletes                 : 1
ReKeys                      : 0
Active Tunnels              : 0
Bad SPI Pkts                : 0
Pkts not Decrypted          : 0
Pkts not Authenticated      : 0
Pkts with Replay Detection  : 0
Confidential Bytes Sent     : 0
Confidential Bytes Received : 0
Authenticated Bytes Sent    : 0
Authenticated Bytes Received: 0
Transport Bytes Sent        : 0
Transport Bytes Received    : 0
Bytes Sent In Tunnels       : 0
Bytes Received In Tunnels   : 0
Offloaded Bytes Sent        : 0
Offloaded Bytes Received    : 0

It certainly looks like no policy is defined.

Have you confirmed that 10.0.0.1 doesn't have an ipsec policy assigned?
The problem went away; however, I am not sure why it happened to start with.
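
For reading a dump like the `netsh ipsec dynamic show all` output posted in this thread, a small parser can separate the policy state from the counters and list only what is non-zero. This is an added example, not part of the original thread; the function names `parse_netsh_ipsec` and `triage` are hypothetical, and the embedded sample is an excerpt constructed from the posted output.

```python
import re
# Constructed sample: an excerpt of the output pasted in the thread above.
SAMPLE = """\
No currently assigned Policy
Mainmode Policies not available.
Quickmode Policies not available.
IPsec Configuration Parameters
------------------------------
StrongCRLCheck         : 1
IKE Statistics
--------------
Main Modes                  : 0
IPsec Statistics
----------------
Pending Key                 : 1
Key Deletes                 : 1
Authenticated Bytes Received: 0
"""

def parse_netsh_ipsec(text):
    """Split the dump into policy state, unavailable items and per-section values."""
    out = {"policy_assigned": True, "unavailable": [], "sections": {}}
    lines = [l.strip() for l in text.splitlines()]
    section = None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if not line or set(line) == {"-"}:
            continue
        if line.lower().startswith("no currently assigned policy"):
            out["policy_assigned"] = False
        elif line.endswith("not available."):
            out["unavailable"].append(line[:-len("not available.")].strip())
        elif nxt and set(nxt) == {"-"}:      # a dashed underline marks a section header
            section = line
            out["sections"][section] = {}
        elif section and (m := re.match(r"(.+?)\s*:\s*(\d+)$", line)):
            out["sections"][section][m.group(1)] = int(m.group(2))
    return out

def triage(parsed):
    """List what stands out: missing local policy and non-zero statistics counters."""
    notes = []
    if not parsed["policy_assigned"]:
        notes.append("no local IPsec policy assigned; check the peer's policy")
    for name, values in parsed["sections"].items():
        if name.endswith("Statistics"):      # configuration parameters are not counters
            notes += [f"{name}: {k} = {v}" for k, v in values.items() if v]
    return notes
```

Save the real command output to a file and pass its contents to `parse_netsh_ipsec`; the blank lines netsh prints between sections are ignored.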
