"There are 0 filters" using IPSec via GPO

Michael J. Reynolds · Sep 11, 2004

I'm using group policy (all DC's are Win2k) to apply IPSec group policy to
Win2k servers in an OU. "netdiag /test:ipsec /v /debug" returns the
following:

===============================================================
IP Security test . . . . . . . . . : Passed
Directory IPSec Policy Active: 'Server (Request Security)'
IP Security Policy Path:
LDAP://CN=ipsecPolicy{72385230-70FA-11D1-864C-14A30
0000000},CN=IP Security,CN=System,DC=xxx,DC=xxx,DC=xxx

There are 0 filters
===============================================================

Note the problem: "there are 0 filters". If I then open Local Security
Policy (I get the "domain policy overrides this one" warning) and assign the
very same policy (status says "assigned, but DS policy overriding), netdiag
returns:

===============================================================
IP Security test . . . . . . . . . : Passed
Directory IPSec Policy Active: 'Server (Request Security)'
IP Security Policy Path:
LDAP://CN=ipsecPolicy{72385230-70FA-11D1-864C-14A3
0000000},CN=IP Security,CN=System,DC=lib,DC=washington,DC=edu

There are 8 filters
ICMP
Filter Id: {3BA29370-9E58-4A6C-9C44-91ABFE862C53}
Policy Id: {E027E173-05A6-4450-B2EF-DC8590EBBB03}
Src Addr : xxx.xxx.xxx.xxx Src Mask : 255.255.255.255
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Outbound
<... listing for seven more filters...>
===============================================================

so there's nothing wrong in general with using "Server (Request Security)'
policy. So why do no filters apply when I assign this policy via a domain
GPO?

I've checked everything I can think of, have created simple filter lists and
tried those, have turned on ipsec debugging and gotten output from
userenv.log (no enlightenment there), have turned on "block policy
inheritence" and "no override" in my domain group policy editor to keep
other GPO's from preventing this one from being applied. I've reset local
policy and GPO back to default policy lists, I've blinked IP policy
assistant, I've done many, many "secedit /refereshpolicy machine_policy
/enforce" commands after unassigning, disabling, deleting, and otherwise
changing policy, and each time, if I assign any IPSec policy via GPO from
DC, I always get maddening "There are 0 filters" problem. I've tried moving
a different (very clean) server into this OU, thinking maybe something was
corrupt on this particular client, but get same result on that server. I've
added the user I'm doing this as to the domain "Group Policy Creator Owners"
group.

I'm certain that in fact the filters are not "active" because ipsecmon shows
none present and because I've done test IPSec rules disabling ICMP or
various network protocols and tests always indicate the IPSec policy works
if done locally from Local Security Policy, but if done via domain GPO IPSec
policy has no effect.

I've spent two days searching via google, Technet, and this newsgroup and
found no mention of anyone else having this problem, am ready to give up and
just manually configure IPSec locally on all of our servers, but I really
hate not using group policy for this just because I can't get it to work.
Does anybody have any suggestions on how to fix?

Thanks in advance for any advice.

Mike Reynolds
ITS dept
University of Washington Libraries
(e-mail address removed)

Steven L Umbach · Sep 11, 2004

I have not seen that myself but if you have not tried this yet, delete all the
policies in the GPO and then select Ipsec Security Policies in the left pane of
security policy, right click and select all tasks - restore default policies. You
also can try check policy integrity while there. If none of that helps it would be
interesting to see what would happen if you exported the polices from a local policy
that works fine and then import those into the GPO you are using after deleting the
existing default policies first. --- Steve

Michael J. Reynolds · Sep 13, 2004

Thanks for taking the time to write. Unfortunately, the steps you suggested
didn't help. I tried:

1)Deleting all IPSec policies in the GPO
2)Doing "restore default policies"
3)Doing "check policy integrity"
4)Doing "secedit /refreshpolicy machine_policy /enforce"

ipsecmon shows no connections being run thru ipsec, "netdiag /test:ipsec /v
/debug" still says "There are 0 filters"

I also tried:

1)Deleting all IPSec policies in the GPO
2)Deleting all IPSec policies in Local Security Settings
3)Doing "restore default policies" in Local Security Settings
4)Assigning "request security" policy in Local Security Settings, verifying
(ipsecmon, netdiag) that policies are working
5)Exporting IPSec policies from Local Securint Settings to a file, importing
them into the GPO IPSec gui (and choosing the "delete existing policies"
checkbox, just for good measure)
6)Assigning the "request security" policy in the GPO
7)Doing "secedit /refreshpolicy machine_policy /enforce"
8)Verifying (event log, \winnt\debug\usermode\userenv.log) that policy has
been downloaded

Again, ipsecmon shows no connections being run thru ipsec, "netdiag
/test:ipsec /v /debug" still says "There are 0 filters"

In case anyone's curious, here are relevant status lines from userenv.log
after doing the latter procedure above:

USERENV(100.2f8) 11:20:34:148 ProcessGPOs: Processing extension IP Security
USERENV(100.2f8) 11:20:34:148 CompareGPOLists: One list is empty
USERENV(100.2f8) 11:20:34:148 ProcessGPOList: Entering for extension IP
Security
USERENV(100.2f8) 11:20:34:210 ProcessGPOList: Extension IP Security returned
0x0.

Unless someone has any suggestions how to fix, I'm going to resort to just
importing policies to Local Security Settings on each server individually.
Maybe when I get my DC's upgraded to Server 2003 this'll work better?

--Mike Reynolds
Libraries ITS
University of Washington

Steven L Umbach · Sep 13, 2004

Hi Mike.

Well what you are experiencing sounds bizarre. It seems the policy is being applied
but corrupted somehow from the OU level. The gpresult tool can help in determining
what policies are being applied to a computer and when they were last refreshed. From
here I would make sure that the servers you want to apply the policy to are not
having any problems with connectivity to the domain controller or their computer
account/secure channel by running the netdiag support tool on them. If they check out
fine I would create a new GPO for the OU and try that [my guess is you already have].
Another thing to consider as that ipsec policies must exempt domain controllers by
there IP addresses from the policy with a permit action. Domain controller can not
engage in ipsec negotiation policies with domain members since they authenticate
domain computers. The KB link below explains this a bit more. Keep in mind that you
should unassign ipsec policy before deleting them or the GPO that contains them or
the computer will still consider the policy assigned until you assign a new policy to
it.

http://support.microsoft.com/?kbid=254949

Michael J. Reynolds · Sep 13, 2004

Yep, I did try starting with a fresh OU and fresh GPO, same result. Thanks
again for trying. I'm over with this now unless someone else suggests
something to try, will be using local security tool until we upgrade the
DC's to Windows 2003, at which point I'll try again.

I'm aware of the negotiation limitations between DC's and domain members; my
understanding is that this shouldn't apply since I'm only trying to
firewall, not encrypt traffic (all filters set to "no tunnel required", all
filter actions are "permit" except for the deny filter's "deny" action).

Thanks again for your efforts. --Mike

Steven L Umbach said:
Hi Mike.

Well what you are experiencing sounds bizarre. It seems the policy is
being applied but corrupted somehow from the OU level. The gpresult tool
can help in determining what policies are being applied to a computer and
when they were last refreshed. From here I would make sure that the
servers you want to apply the policy to are not having any problems with
connectivity to the domain controller or their computer account/secure
channel by running the netdiag support tool on them. If they check out
fine I would create a new GPO for the OU and try that [my guess is you
already have]. Another thing to consider as that ipsec policies must
exempt domain controllers by there IP addresses from the policy with a
permit action. Domain controller can not engage in ipsec negotiation
policies with domain members since they authenticate domain computers. The
KB link below explains this a bit more. Keep in mind that you should
unassign ipsec policy before deleting them or the GPO that contains them
or the computer will still consider the policy assigned until you assign a
new policy to it.

http://support.microsoft.com/?kbid=254949

Michael J. Reynolds said:

Thanks for taking the time to write. Unfortunately, the steps you
suggested didn't help. I tried:

1)Deleting all IPSec policies in the GPO
2)Doing "restore default policies"
3)Doing "check policy integrity"
4)Doing "secedit /refreshpolicy machine_policy /enforce"

ipsecmon shows no connections being run thru ipsec, "netdiag /test:ipsec
/v /debug" still says "There are 0 filters"

I also tried:

1)Deleting all IPSec policies in the GPO
2)Deleting all IPSec policies in Local Security Settings
3)Doing "restore default policies" in Local Security Settings
4)Assigning "request security" policy in Local Security Settings,
verifying (ipsecmon, netdiag) that policies are working
5)Exporting IPSec policies from Local Securint Settings to a file,
importing them into the GPO IPSec gui (and choosing the "delete existing
policies" checkbox, just for good measure)
6)Assigning the "request security" policy in the GPO
7)Doing "secedit /refreshpolicy machine_policy /enforce"
8)Verifying (event log, \winnt\debug\usermode\userenv.log) that policy
has been downloaded

Again, ipsecmon shows no connections being run thru ipsec, "netdiag
/test:ipsec /v /debug" still says "There are 0 filters"

In case anyone's curious, here are relevant status lines from userenv.log
after doing the latter procedure above:

USERENV(100.2f8) 11:20:34:148 ProcessGPOs: Processing extension IP
Security
USERENV(100.2f8) 11:20:34:148 CompareGPOLists: One list is empty
USERENV(100.2f8) 11:20:34:148 ProcessGPOList: Entering for extension IP
Security
USERENV(100.2f8) 11:20:34:210 ProcessGPOList: Extension IP Security
returned 0x0.

Unless someone has any suggestions how to fix, I'm going to resort to
just importing policies to Local Security Settings on each server
individually. Maybe when I get my DC's upgraded to Server 2003 this'll
work better?

--Mike Reynolds
Libraries ITS
University of Washington

Click to expand...