Open Software Solutions

Consider the following scenario that occurs in Internet Protocol security (IPsec) communications on Windows Server 2008-based computers or on Windows Vista SP1-based computers:

• You have several filters on the IPsec Responder (the server side). One filter is a generic filter, and the other filters are more specific and more strict.

  The following code is an example of filters that meet these criteria:

  //Rules added on the server:netsh adv consec add rule name=anyToany endpoint1=any endpoint2=any auth1=computerpsk auth1psk=”Password123456!” action=requestinrequestoutnetsh adv consec add rule name=80Toany endpoint1=any endpoint2=any protocol=tcp port1=80 port2=any auth1=computerpsk auth1psk=”Password123456!” action=requireinrequestout qmsecmethods=ESP:SHA1-AES128,ESP:SHA1-3DES netsh adv consec add rule name=anyTo80 endpoint1=any endpoint2=any protocol=tcp port1=any port2=80 auth1=computerpsk auth1psk=”Password123456!” action=requireinrequestout qmsecmethods=ESP:SHA1-AES128,ESP:SHA1-3DES

  Note In this example, anyToany is the generic filter, and anyTo80 and 80Toany are the specific filters.

• You also have only a generic filter on the IPsec Requester (the client-side). The following code is an example of a filter that meets this criterion:

  //Rule added on the client:netsh adv consec add rule name=anyToany endpoint1=any endpoint2=any auth1=computerpsk auth1psk=”Password123456!” action=requestinrequestout

In this scenario, if the communication between the client and the server matches both the generic filter and the specific filter, the communication fails.

In these examples, if the client tries to access the Web server on the server by using TCP port 80, the communication fails. This is true even though the communication actually meets the requirement of the generic rule on the server. At the same time, other communications, such as PING commands, from the client to the server work correctly.

To make communications that meet both the generic rule and the specific rules work, the specific filters also have to be added to the clients.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a Hotfix download available section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

Note The Hotfix download available form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.

Prerequisites

To apply this hotfix on a Windows Vista-based computer, you must have Windows Vista Service Pack 1 (SP1) installed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

No prerequisites are required for Windows Server 2008-based computers.

Restart requirement

You have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista and Windows Server 2008 file information notes

The .manifest files and the .mum files that are installed in each environment are listed separately in the Additional file information for Windows Server 2008 and for Windows Vista section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.

For all supported 32-bit versions of Windows Server 2008 and of Windows Vista

For all supported 64-bit versions of Windows Server 2008 and of Windows Vista

For all supported Itanium-based versions of Windows Server 2008

To resolve the issue, apply this fix on the server. This hotfix adds the IPsecFilterMatchByPass feature.

To turn on this feature, fellow these instructions:

• On the server-side, add the following regsitry entry:
  Collapse this tableExpand this table

  Registry Subkey	Type	Value
  HKEY_LOCAL_MACHINE system CCS Services IPsec EnableIPsecFilterMatchByPass	DWORD	1

  Then restart the server.

• On the client-side, add the following regsitry entry:
  Collapse this tableExpand this table

  Registry Subkey	Type	Value
  HKEY_LOCAL_MACHINE system CCS Services IKEEXT Parameters IKEFlags	DWORD	0×200

  Then, restart the IKEEXT service.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the Applies to section.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

Additional file information for Windows Server 2008 and for Windows Vista

Additional files for all supported 32-bit versions of Windows Server 2008 and of Windows Vista

Additional files for all supported 64-bit versions of Windows Server 2008 and of Windows Vista

Additional files for all supported Itanium-based versions of Windows Server 2008