IPsec between Windows 2008 r2 and XP
I successfully set up IPsec on a Windows 2008 R2 server. I copied the IPsec policy file to a Windows 7 client, and after configuring Windows Firewall with Advanced Security on both sides, I got IPsec to work beautifully.
Now, how do I configure an XP client? Does anyone know? I can import the IPsec policy file to the Windows XP client just fine, but there is no Windows Firewall with Advanced Security feature on XP. Just importing the IPsec policy file isn't enough to make it work.
It doesn't even show up in Main Mode.
July 12th, 2011 7:30pm
Now, how do I configure an XP client? Does anyone know? I can import the IPsec policy file to the Windows XP client just fine, but there is no Windows Firewall with Advanced Security feature on XP. Just importing the IPsec policy file isn't enough to make it work. It doesn't even show up in Main Mode.
Have a look here
http://technet.microsoft.com/en-us/library/cc771920%28WS.10%29.aspx#BKMK_1_import
in particular at the "important" note on the page
July 12th, 2011 7:49pm
Hmmm,
that's for configuring IPsec on the server side though (Windows Server 2008), not on the client side (Windows XP). Windows XP doesn't have the advanced firewall configuration.
July 12th, 2011 8:56pm
To configure IPsec policies on Windows XP you either use ipseccmd.exe, part of the Windows XP Support Tools, or use the Group Policy editor to configure IP Security Policies. Once you have created a policy, it is possible to import and export IPsec policies to other machines using ipseccmd.exe or Group Policy.
/Hasain
July 12th, 2011 9:15pm
I guess I'm not explaining this right.
If you are setting up IPsec with Windows Server 2008 and Windows 7 as the client, you need to do 3 things.
- create a local/domain security policy on both server and client
- set up advanced firewall configuration settings for incoming traffic on the server for IPsec
- set up advanced firewall configuration settings for outgoing traffic on the server for IPsec. This is the last step I'm having a problem with in Windows XP. I can do it in Windows 7 just fine.
I create the policy by importing the policy file I created on my Windows Server 2008 R2. I use the Local Security Policy MMC plug-in in Windows XP, which is the same as the ipseccmd.exe command. That's not the problem.
My problem is, this IPsec policy I imported from Windows 2008 R2 won't work (even after assigning it). When the XP client connects to the server using the policy imported from 2008 R2, no connection appears in Main Mode.
If I use Windows 7 as the client and import the same policy file, it WORKS. That's because I configured the advanced firewall setting in Windows 7. There is no such thing (advanced firewall policy) in XP. So, how do I configure this extra step (step 3 above)?
July 12th, 2011 10:07pm
Windows 2008/7 and XP do not have the same IPsec implementation when it comes to how IPsec is configured, and you cannot apply an IPsec policy from the advanced firewall in 2008 or 7 to XP.
Step 3 is to define IPsec policies in Windows XP using the IP Security Policy Management MMC snap-in. The IPsec policy acts as a container for a set of rules that determine what network traffic will be allowed and how. Each of the rules consists of a filter list and an associated action. The filter list contains a grouping of filters. As traffic is matched to a specific filter, the associated filter action is triggered. In addition, the rules define which authentication methods are used between hosts.
/Hasain
July 12th, 2011 11:24pm
Hmmm,
that's for configuring IPsec on the server side though (Windows Server 2008), not on the client side (Windows XP). Windows XP doesn't have the advanced firewall configuration.
I was referring to the note related to the version differences between the various IPsec implementations, that is, quoting the note found at that URL:
Exported policy files contain a version number. Computers that are running Windows Vista without a service pack create policies that are marked version 2.0. Later versions of Windows create policies that are marked with higher version numbers. For example, Windows Vista with Service Pack 1 (SP1) and Windows Server 2008 create policies that are marked version 2.1. If you export a policy from a computer that supports version 2.1 and import that file to a computer that supports only version 2.0 policies, then any policy elements that are unique to version 2.1 and not supported in version 2.0, such as a reference to a Suite B algorithm, are silently dropped. This can result in a policy that is not complete and does not function as expected. We recommend that if you create a policy on a later version of Windows and import it to an earlier version of Windows, you ensure that you reference only features supported by the earlier version of Windows, and that you thoroughly test the imported policy before deploying it.
Now, I'm not sure if or how the above may play a role, but it may be worth checking.
July 13th, 2011 1:31pm
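As an added illustration (not code from this thread, from Microsoft, or from any Windows tool) of the two points raised above: Hasain's description of an XP IPsec policy as rules made of a filter list, a filter action and authentication methods, and the TechNet note's warning that importing a version 2.1 policy on a version 2.0 platform silently drops unsupported elements. The script models a policy, evaluates which action sample traffic would trigger, and simulates the import so an admin can see which rules would vanish and which traffic would silently fall back to the clear before deploying. The feature-to-version table, the whole-rule drop and the host addresses are assumptions made for the example; only the Suite B entry comes from the quoted note.

```python
"""Model of an XP-style IPsec policy plus a pre-deployment compatibility check.
Constructed example: the version table below is an assumption, not Microsoft's
real policy schema, and a real import may drop finer-grained elements than a
whole rule."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int]

# Hypothetical table: policy-file version that first supports each element.
# Only the Suite B entries reflect the TechNet note quoted in the thread.
FEATURE_MIN_VERSION: Dict[str, Version] = {
    "esp": (2, 0), "ah": (2, 0),
    "auth:kerberos": (2, 0), "auth:preshared": (2, 0), "auth:certificate": (2, 0),
    "suiteb:aes-gcm": (2, 1), "suiteb:ecdsa-p256": (2, 1),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dst_port: int = 0


@dataclass
class Filter:
    src: str = "any"        # "any" or a CIDR such as "192.0.2.0/24"
    dst: str = "any"
    protocol: str = "any"   # "any", "tcp", "udp", "icmp"
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return (in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and self.protocol in ("any", pkt.protocol)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


@dataclass
class Rule:
    name: str
    filters: List[Filter]                    # the rule's filter list
    action: str                              # "permit", "block" or "negotiate"
    features: Set[str] = field(default_factory=set)  # auth methods / algorithms referenced


@dataclass
class Policy:
    name: str
    version: Version
    rules: List[Rule]


def evaluate(policy: Policy, pkt: Packet) -> str:
    """The first rule whose filter list matches decides the action; traffic no
    rule matches is passed in the clear, which is what "permit" means here."""
    for rule in policy.rules:
        if any(f.matches(pkt) for f in rule.filters):
            return rule.action
    return "permit"


def unsupported_features(rule: Rule, target: Version) -> Set[str]:
    """Elements the target platform cannot understand (unknown ones count too)."""
    return {f for f in rule.features if FEATURE_MIN_VERSION.get(f, (99, 99)) > target}


def simulate_import(policy: Policy, target: Version) -> Tuple[Policy, List[str]]:
    """Model the silent drop: any rule referencing an element newer than the
    importing platform is lost. Returns the imported policy and the names of
    the dropped rules, i.e. the warning the real import does not give."""
    kept, dropped = [], []
    for rule in policy.rules:
        (dropped if unsupported_features(rule, target) else kept).append(
            rule.name if unsupported_features(rule, target) else rule)
    return Policy(policy.name, min(policy.version, target), kept), dropped


def compatibility_report(policy: Policy, target: Version, probes: List[Packet]) -> List[str]:
    """Pre-deployment check: every rule the import would lose, and every probe
    packet whose outcome changes between the authored and the imported policy."""
    imported, _ = simulate_import(policy, target)
    lines = []
    for rule in policy.rules:
        missing = unsupported_features(rule, target)
        if missing:
            lines.append(f"rule '{rule.name}' dropped on {target[0]}.{target[1]}: {sorted(missing)}")
    for pkt in probes:
        before, after = evaluate(policy, pkt), evaluate(imported, pkt)
        if before != after:
            lines.append(f"{pkt.src}->{pkt.dst}:{pkt.dst_port}/{pkt.protocol}: {before} becomes {after}")
    return lines


# Constructed sample: a 2.1 policy authored on 2008 R2 whose only rule covering
# the file server references a Suite B algorithm, plus a plain block rule.
SERVER_POLICY = Policy("ServerPolicy", (2, 1), [
    Rule("Secure file server", [Filter(dst="192.0.2.10/32")], "negotiate",
         {"esp", "auth:kerberos", "suiteb:aes-gcm"}),
    Rule("Block telnet", [Filter(protocol="tcp", dst_port=23)], "block"),
])

if __name__ == "__main__":
    probes = [Packet("192.0.2.50", "192.0.2.10", "tcp", 445),
              Packet("192.0.2.50", "192.0.2.10", "tcp", 23)]
    for line in compatibility_report(SERVER_POLICY, (2, 0), probes):
        print(line)
```

Run against the sample, the report shows the file-server rule disappearing on a 2.0 platform and SMB traffic to the server changing from "negotiate" to "permit": exactly the symptom of a client that never starts a Main Mode negotiation because, after the import, no rule tells it to. The same check run with target (2, 1) reports nothing.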
ObiWan,
you are absolutely correct. I don't have the advanced firewall to configure in XP. I tried recreating the policy from scratch in XP, instead of importing, but it's still not working, not even in Main Mode, which means the client isn't even trying to establish the negotiation.
July 13th, 2011 5:19pm
There are some more differences in IPsec between XP and 2008 R2; please check http://support.microsoft.com/kb/942957 to make sure that IKEv1 policies are created in your 2008 R2 for IPsec compatibility with XP.
/Hasain
July 13th, 2011 5:46pm
ObiWan,
you are absolutely correct. I don't have the advanced firewall to configure in XP. I tried recreating the policy from scratch in XP, instead of importing, but it's still not working, not even in Main Mode, which means the client isn't even trying to establish the negotiation.
As for previous suggestions, to let an IPsec policy work on "older platforms" and on new ones, you'll need to create the policy on the older platform and then export it to the newer ones, ensure things are working and apply such a policy to your hosts; this also means that whenever setting up an IPsec policy on a "mixed" network (meaning XP...2008) you'll need to configure the policy to be compatible with the "older" OS and accept the limitations such a thing implies... or else... migrate the older platforms to a newer OS.
July 13th, 2011 5:48pm
THANK YOU OBI WAN!!
July 14th, 2011 1:32pm