IPsec Vista/2008 2003 problems
Hi, I'm having some problems regarding the fallback function. My problem is this. I have, let's say, 2 machines, one Vista SP1 and one Server 2003 SP2. Both have IPsec policies that allow fallback, so it's a request policy on the Vista client, and an IPsec policy (but for 2003) on the 2003 server that has request. Both policies use certificates as the authentication method. When the Vista client does not have a certificate, it seems that the Server 2003 won't fall back to unsecured traffic. If the Vista client initiates the traffic, the fallback will work and they will fall back to unsecured, but if the 2003 server initiates the traffic the fallback will fail, but sometimes it won't. But if the 2003 server does not have a certificate, both will communicate unsecured.

/Johan
February 16th, 2009 12:33am

Hi there, I would like you to run the IPsec diagnostic tool to check for network errors, if any, on both Windows 2003 and Windows Vista. Please download the tool from the link below:
http://www.microsoft.com/downloads/details.aspx?FamilyID=1d4c292c-7998-42e4-8786-789c7b457881&displaylang=en
Please let us know if you found any error with the utility.

sainath
Windows Driver Development
February 16th, 2009 10:38am

Hi, and thank you for your reply. I have run the IPsec diagnostic tool and it seems a little bit odd. Here is the diagnostic log for the Server 2003.

-----------Local Mode Diagnosis:Start - 2009/02/16(22hr:46min:06sec)-----------
Log Location: C:\Documents and Settings\Administrator.MAIN\Application Data\IPSecureLogs\LocalMode2009-02-16(22hr-46min-06sec)
Local IP: 192.168.0.5, Remote Machine: vistasp1
SystemInfo:
--Passed: System information (software, hardware, active processes, active network connections) collected. View Output Logs for details
Network Interface Diagnosis:
--Passed : Network Interface configured correctly
Ping (Remote Reachability) Diagnosis:
Passed: Remote machine, "vistasp1", is reachable from host
IPsec Service Diagnosis:
--Passed : Policyagent is up and running
Live Debugging: Start
Oakley Diagnosis: (If you did not repro the issue while the tool was running, ignore Oakley Diagnosis)
Information: The host machine is Initiator
Information: The authentication method for this negotiation is Certificates
Information: The Encryption algorithm accepted is 3DES
Information: The Hash algorithm accepted is SHA
Failed : Certificates mismatch
Live Debugging: End
Registry and Events Diagnosis:
--Passed: System, Application and Security event logs collected
Windows Firewall Diagnosis:
--Information : Windows Firewall is not running. Check if system has another firewall active.
IPsec filters, SAs Diagnosis:
--Passed : Generic MM Filters Configured
--Passed : Specific MM Filters Configured
--Information: No Specific Tunnel Filters Configured
--Passed: Main Mode Policies Configured correctly
--Passed: Quick Mode Policies Configured correctly
--Failed: No Main Mode SAs exist between 192.168.0.5 and 192.168.0.4
--Failed: No Quick Mode SA exists between 192.168.0.5 and 192.168.0.4
--Failed : No SA exists between 192.168.0.5 and 192.168.0.4
----However filters exist. Refer logs to debug the failure
-----------Local Mode Diagnosis:End - 2009/02/16(22hr:47min:03sec)-----------

And for the Vista client:

-----------Local Mode Diagnosis:Start - 2009/02/16(22hr:46min:14sec)-----------
Log Location: C:\Users\administrator\AppData\Roaming\IPSecureLogs\LocalMode2009-02-16(22hr-46min-14sec)
Local IP: 192.168.0.4, Remote Machine: server2003
SystemInfo:
--Passed: System information (software, hardware, active processes, active network connections) collected. View Output Logs for details
Network Interface Diagnosis:
--Passed : Network Interface configured correctly
Ping (Remote Reachability) Diagnosis:
Passed: Remote machine, "server2003", is reachable from host
IPsec Service Diagnosis:
--Passed : IPsec services are up and running
----BFE up and running
----IKEext/Policyagent up and running
Live Debugging: Start
WFPUtil Diagnosis: (If you did not repro the issue while the tool was running, ignore WFPUtil Diagnosis)
This Diagnosis report is for negotiation between host and 192.168.0.5
Host machine is the Responder and the remote machine, 192.168.0.5, is the initiator
Information: The log events indicate failed negotiation
Analysis Report: IKE/Authip Main Mode Failure
Error: 0x00003616, Invalid cookie received.
Host machine is indicating error. The authentication method used is Unknown
Failed: IKE negotiation failed. SA could not be established
--1. Check if both machines have matching filter operations, Encryption options
--2. Check if both machines have matching Unknown settings
Live Debugging: End
Registry and Events Diagnosis:
--Passed: System, Application and Security event logs collected
Windows Firewall Diagnosis:
--Information : Firewall is active
IPsec SA, Filter Diagnosis:
--Failed : No Main mode SA exists between 192.168.0.4 and 192.168.0.5
--Failed : No Quick mode SA exists between 192.168.0.4 and 192.168.0.5
--Information : No Legacy MM policies applied on this system
--Information : Found Rules on this system
--Passed : One or more rules are active on this system
--Information : No legacy MM outbound filters exist between 192.168.0.4 and 192.168.0.5
--Information : No Legacy MM inbound filters exist between 192.168.0.4 and 192.168.0.5
-----------Local Mode Diagnosis:End - 2009/02/16(22hr:47min:03sec)-----------

After this it takes about a minute, then the soft SA is created and works for 5 minutes as it should. But when the client tries to renegotiate, they will fail again.

/Johan
February 17th, 2009 1:02am
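The two posts above describe the setup (a request-mode policy with certificate authentication on each side, with fallback to clear when the peer has no certificate) and then show the diagnostic tool reporting no main-mode or quick-mode SA on either box. The script below is an added example, not something posted in this thread or shipped with the diagnostic tool: it recreates the Vista-side request rule with the built-in netsh advfirewall context, checks whether the machine actually holds a certificate from the expected CA, and then dumps the SA tables on whichever side it is run on so you can tell a certificate-authenticated SA from a soft/fallback SA. The rule name, the CA subject name and the use of the thread's two IP addresses are assumptions; the Server 2003 branch only inspects the legacy policy (which is normally built in the IP Security Policy snap-in, where "Allow unsecured communication with non-IPsec-aware computers" is what enables the soft SA) and turns on the Oakley log.

```batch
@echo off
rem Added example (not from the thread). Run elevated.
rem   ipsec-check.cmd vista   on the Vista SP1 client
rem   ipsec-check.cmd 2003    on the Server 2003 SP2 server
rem Addresses are taken from the diagnostic logs in the thread;
rem rule name and CA name are assumptions for illustration.

set PEER_VISTA=192.168.0.4
set PEER_2003=192.168.0.5
rem Subject of the issuing CA the request rule trusts (assumed name)
set CA_NAME="CN=Contoso NAP CA"

if /i "%1"=="vista" goto vista
if /i "%1"=="2003"  goto w2k3
echo usage: %~nx0 vista ^| 2003
exit /b 1

:vista
rem "requestinout" negotiates IPsec both ways but permits clear text
rem when negotiation fails. That is the fallback the thread relies on
rem for a NAP remediation client that has no health certificate yet.
netsh advfirewall consec add rule name=NAP-Request ^
    endpoint1=any endpoint2=%PEER_2003% ^
    action=requestinout auth1=computercert ^
    auth1ca=%CA_NAME% enable=yes

rem Does this machine hold any machine certificate at all? A client in
rem remediation prints no "Issuer:" line here, which is the situation
rem behind the "Certificates mismatch" verdict from the tool.
certutil -store My | findstr /i "Issuer:"

rem Generate traffic, then inspect the SA tables. A main-mode SA listed
rem for the peer means IPsec was negotiated; a successful ping with no
rem main-mode SA for the peer means the traffic went through in the clear.
ping -n 2 %PEER_2003% >nul
netsh advfirewall monitor show mmsa all
netsh advfirewall monitor show qmsa all
exit /b 0

:w2k3
rem Server 2003 runs the legacy IPsec stack; the filter action must have
rem "soft" (unsecured fallback) enabled for a soft SA to be created.
netsh ipsec static show all
rem Main- and quick-mode SAs currently active; a soft SA for the peer
rem shows up here without an ESP/AH transform.
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all
rem Enable IKE (Oakley) logging to %SystemRoot%\Debug\Oakley.log so the
rem certificate-validation failure can be read in full. Restart the
rem IPsec Services service afterwards for the setting to take effect.
netsh ipsec dynamic set config property=ikelogging value=1
exit /b 0
```

Run the Vista branch first, trigger traffic from each side in turn (the thread reports the failure depending on which side initiates), and compare the SA listings immediately with those taken a minute later, when the thread says the soft SA finally appears; the 2003 branch's Oakley log is the place to see what the server rejected before it fell back.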

Hi there, I saw that there is a certificate mismatch error:
Failed : Certificates mismatch
Please check that you are issuing the appropriate certificate for authentication.

sainath
Windows Driver Development
February 17th, 2009 11:35am

Hi. Yes, I would guess that's because the Vista client does not have a certificate. That's the point with this. In a NAP IPsec environment, when the Vista client gets sucked into remediation, the Vista client does not have a certificate. So for the client to remediate, it would be good if the client could communicate with the server.
February 17th, 2009 11:13pm

Hi there, where are we on this issue? Are you still stuck with the same issue?

sainath
Windows Driver Development
February 23rd, 2009 5:24pm

Hi. Yes, this case has the same status as last time. So I have created a case at MS, and they are working on it.

/Johan
February 27th, 2009 3:28pm
