ipsec vista -> windows server 2003 problems
Hi. I have a problem with an IPsec connection from Windows Vista (Business, SP2) to Windows Server 2003 (Enterprise, SP2). I tried connecting from XP (SP3) to Windows Server 2003 with IPsec and this works, but from Vista it does not work. The IPsec channel is displayed in the IPsec Monitor snap-in, but the connection is not established (ping, for example, displays "not reached"). Wireshark displays errors in the captured data:

vista -> server | isakmp identity protection (Main Mode) | Header checksum: 0x0000 [incorrect, should be 0x4841]
vista -> server | isakmp quick mode | Header checksum: 0x0000 [incorrect, should be 0x485e]

Vista oakley.log (192.168.0.7 - Vista, 192.168.0.15 - Windows Server):

[1]04EC.0138::01/30/1601-23:37:01.054 [ikeext] 0|192.168.0.15|
[1]04EC.0138::01/30/1601-23:37:01.054 [ikeext] 0|192.168.0.15|Received IKE Acquire
  Acquire context 253 Local address: 192.168.0.7 Remote address: 192.168.0.15 Mode: Transport Mode Filter ID: 0x000000000001d15b Remote Port: 0x0000 mmTargetName: (null) emTargetName: (null)
  Tokens: 2 -- 0 -- Type: Impersonation Principal: Local Mode: Main Token: 1003 -- 1 -- Type: Impersonation Principal: Local Mode: Extended Token: 1003
  explicitCredentials: 0x00000000 logonId: 0x00000000 Flags: 0x00000000
[1]04EC.0138::01/30/1601-23:37:01.054 [ikeext] 0|192.168.0.15|
[1]04EC.0138::01/30/1601-23:37:01.054 [ikeext] 0|192.168.0.15|Received AUTHIP Acquire
  Acquire context 253 Local address: 192.168.0.7 Remote address: 192.168.0.15 Mode: Transport Mode Filter ID: 0x000000000001d15b Remote Port: 0x0000 mmTargetName: (null) emTargetName: (null)
  Tokens: 2 -- 0 -- Type: Impersonation Principal: Local Mode: Main Token: 1003 -- 1 -- Type: Impersonation Principal: Local Mode: Extended Token: 1003
  explicitCredentials: 0x00000000 logonId: 0x00000000 Flags: 0x00000000
[1]04EC.1A48::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|Processing acquire with ipsec context 595, keyMod 0
[1]04EC.1A48::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|QM localAddr: 192.168.0.7.0 Protocol 0
[1]04EC.1A48::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|QM peerAddr: 192.168.0.15.0 Protocol 0
[1]04EC.1A48::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|Acquire flags 1
[1]04EC.1A48::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|Peer State 0
[1]04EC.1A48::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|IkeBeginMMInitiator: Setting acquire 062BFCA8 as prime acquire for MM SA 02A52BE8
[1]04EC.1A48::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|Looking up MM policy for IKE
[1]04EC.218C::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|Processing acquire with ipsec context 595, keyMod 1
[1]04EC.218C::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|QM localAddr: 192.168.0.7.0 Protocol 0
[1]04EC.218C::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|QM peerAddr: 192.168.0.15.0 Protocol 0
[1]04EC.218C::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|Acquire flags 1
[1]04EC.218C::01/30/1601-23:37:01.056 [ikeext] 0|192.168.0.15|FwpmFilterEnum0 returned no matching filters
[1]04EC.218C::01/30/1601-23:37:01.056 [user] |192.168.0.15|IkeMatchFwpmFilter failed with Windows error 13825(ERROR_IPSEC_IKE_NO_POLICY)
[1]04EC.218C::01/30/1601-23:37:01.056 [user] |192.168.0.15|IkeMatchFwpmFilter failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]04EC.218C::01/30/1601-23:37:01.056 [user] |192.168.0.15|IkeFindQMPolicy failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]04EC.218C::01/30/1601-23:37:01.056 [ikeext] 0|192.168.0.15|Completing Acquire for ipsec context 253
[1]04EC.218C::01/30/1601-23:37:01.056 [ikeext] 0|192.168.0.15|IkeFreeAcquireContext: Freeing acquire 062BFD78
[1]04EC.218C::01/30/1601-23:37:01.056 [user] |NULL|IkeProcessAcquireDispatch failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]04EC.1A48::01/30/1601-23:37:01.058 [ikeext] 0|192.168.0.15|Policy GUID: {bc4752ae-4401-468f-98f5-db7616d3f01f} LUID: 0x8000000000000053 Name: LIPS Description: (null) Flags: 0x00000000 Provider: {aa6a7d87-7f8f-4d2a-be53-fda555cd5fe3} Provider data:
  Type: IKE Main Mode Soft expiry: 28800 InitiatorImpersonationType: None Auth methods: 1 -- 0 -- Type: Preshared Key Key: 00000000 11 11 11 11 11 11 11 11-11 xxxxxxxxx
  Proposals: 1 -- 0 -- Cipher algorithm: Type: 3DES Key length: 0 Rounds: 0 Integrity algorithm: Type: MD5 Max lifetime (sec): 28800 DH group: 2 QM limit: 1 Flags: 0x00000000 MaxDynamicFilters: 5
[1]04EC.1A48::01/30/1601-23:37:01.058 [ikeext] 0|192.168.0.15|Construct IKEHeader
[1]04EC.1A48::01/30/1601-23:37:01.058 [ikeext] 0|192.168.0.15|Initializing Kerberos SSPI
[1]04EC.1A48::01/30/1601-23:37:01.058 [user] |192.168.0.15|IkeFindAuthConfig failed with Windows error 87(ERROR_INVALID_PARAMETER)
[1]04EC.1A48::01/30/1601-23:37:01.058 [user] |192.168.0.15|IkeFindAuthConfig failed with HRESULT 0x80070057(ERROR_INVALID_PARAMETER)
[1]04EC.1A48::01/30/1601-23:37:01.058 [user] |192.168.0.15|IkeDetermineSspiInfo failed with HRESULT 0x80070057(ERROR_INVALID_PARAMETER)
[1]04EC.1A48::01/30/1601-23:37:01.058 [user] |192.168.0.15|IkeCreateSspiIke failed with HRESULT 0x80070057(ERROR_INVALID_PARAMETER)
[1]04EC.1A48::01/30/1601-23:37:01.058 [ikeext] 0|192.168.0.15|WFP free sspi 062BFE90
[1]04EC.1A48::01/30/1601-23:37:01.058 [user] |192.168.0.15|IkeGetSspiContext failed with HRESULT 0x80070057(ERROR_INVALID_PARAMETER)
[1]04EC.1A48::01/30/1601-23:37:01.058 [ikeext] 0|192.168.0.15|Construct SA
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|AUTHIP keying module is not enabled for traffic
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|IKE not sending co-existence Vendor ID
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Construct VENDOR type MS NT5 ISAKMPOAKLEY
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Construct VENDOR type RFC 3947
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Construct VENDOR type draft-ietf-ipsec-nat-t-ike-02
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Construct VENDOR type FRAGMENTATION
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Construct VENDOR type MS-Negotiation Discovery Capable
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Construct VENDOR type Vid-Initial-Contact
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Construct VENDOR type IKE CGA version 1
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Sending Packet
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|iCookie a02c6e34403f16ce rCookie 0000000000000000
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Exchange type: IKE Main Mode Length 228 NextPayload SA Flags 0 Messid 0x00000000
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Local Address: 192.168.0.7.500 Protocol 0
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Peer Address: 192.168.0.15.500 Protocol 0
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|Global IF index epoch ( 1) higher than cache epoch ( 0). Obtaining IF index from stack.
[1]04EC.1A48::01/30/1601-23:37:01.073 [ikeext] 0|192.168.0.15|IF-Index: 11
[1]04EC.1A48::01/30/1601-23:37:01.074 [ikeext] 0|192.168.0.15|Created new TimerContext 062BE098, type 0
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] 0|192.168.0.15|
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] 0|192.168.0.15|Received packet
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] 0|192.168.0.15|Peer Address: 192.168.0.15.500 Protocol 0
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|iCookie a02c6e34403f16ce rCookie d5384da576141e77
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Exchange type: IKE Main Mode Length 148 NextPayload SA Flags 0 Messid 0x00000000
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|mmSa: 0x02A52BE8
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Process Payload VENDOR ID, SA 02A52BE8
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Received Vendor ID type: MS NT5 ISAKMPOAKLEY
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Peer Microsoft version 4
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Process Payload VENDOR ID, SA 02A52BE8
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Received Vendor ID type: FRAGMENTATION
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Process Payload VENDOR ID, SA 02A52BE8
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Received Vendor ID type: draft-ietf-ipsec-nat-t-ike-02
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Process Payload SA, SA 02A52BE8
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|MM transform num: 1
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|OAK_ENCR_ALG: 5
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|OAK_HASH_ALG: 1
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|OAK_GROUP_DESC: 2
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|OAK_AUTH_METHOD: 1
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|OAK_LIFE_TYPE: 1
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|OAK_LIFE_DUR: 28800
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Accepted proposal. Trans: 1
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Ignoring port float. Incoming packet not on 4500
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Construct IKEHeader
[1]04EC.1A48::01/30/1601-23:37:01.141 [ikeext] d|192.168.0.15|Construct KE
[1]04EC.1A48::01/30/1601-23:37:01.141 [ikeext] d|192.168.0.15|Construct NONCE
[1]04EC.1A48::01/30/1601-23:37:01.141 [ikeext] d|192.168.0.15|Construct NatDisc
[1]04EC.1A48::01/30/1601-23:37:01.141 [ikeext] d|192.168.0.15|Construct NatDisc
[1]04EC.1A48::01/30/1601-23:37:01.141 [ikeext] d|192.168.0.15|
[1]04EC.1A48::01/30/1601-23:37:01.141 [ikeext] d|192.168.0.15|Sending Packet
[1]04EC.1A48::01/30/1601-23:37:01.141 [ikeext] d|192.168.0.15|iCookie a02c6e34403f16ce rCookie d5384da576141e77
[1]04EC.1A48::01/30/1601-23:37:01.141 [ikeext] d|192.168.0.15|Exchange type: IKE Main Mode Length 252 NextPayload KE Flags 0 Messid 0x00000000
[1]04EC.1A48::01/30/1601-23:37:01.141 [ikeext] d|192.168.0.15|Peer Address: 192.168.0.15.500 Protocol 0
[1]04EC.1A48::01/30/1601-23:37:01.141 [ikeext] d|192.168.0.15|IF-Index: 11
[1]04EC.1A48::01/30/1601-23:37:01.142 [ikeext] d|192.168.0.15|Updating TimerContext 062BE098
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] 0|192.168.0.15|
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] 0|192.168.0.15|Received packet
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] 0|192.168.0.15|Local Address: 192.168.0.7.500 Protocol 0
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] 0|192.168.0.15|Peer Address: 192.168.0.15.500 Protocol 0
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] d|192.168.0.15|iCookie a02c6e34403f16ce rCookie d5384da576141e77
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] d|192.168.0.15|Exchange type: IKE Main Mode Length 224 NextPayload KE Flags 0 Messid 0x00000000
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] d|192.168.0.15|mmSa: 0x02A52BE8
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] d|192.168.0.15|Process Payload KE, SA 02A52BE8
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] d|192.168.0.15|Process Payload NONCE, SA 02A52BE8
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] d|192.168.0.15|Process Payload NATDISC, SA 02A52BE8
[1]04EC.1A48::01/30/1601-23:37:01.216 [ikeext] d|192.168.0.15|Process Payload NATDISC, SA 02A52BE8

Thanks.
October 28th, 2010 4:04pm
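A small parser for the oakley.log entries quoted in the post above, added here as an illustration and not part of the original thread. It splits each entry into its fields and groups the "failed with" records by thread ID, tagged with the keying module whose acquire that thread processed (the keyMod 0 = IKE, 1 = AuthIP mapping is an assumption read off the order of the two Acquire entries); on the sample lines it shows that the ERROR_IPSEC_IKE_NO_POLICY failures belong to the AuthIP thread while the IKE thread went on to an accepted Main Mode proposal.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the Vista oakley.log lines quoted in the post above.
SAMPLE_LOG = """\
[1]04EC.1A48::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|Processing acquire with ipsec context 595, keyMod 0
[1]04EC.218C::01/30/1601-23:37:01.055 [ikeext] 0|192.168.0.15|Processing acquire with ipsec context 595, keyMod 1
[1]04EC.218C::01/30/1601-23:37:01.056 [ikeext] 0|192.168.0.15|FwpmFilterEnum0 returned no matching filters
[1]04EC.218C::01/30/1601-23:37:01.056 [user] |192.168.0.15|IkeMatchFwpmFilter failed with Windows error 13825(ERROR_IPSEC_IKE_NO_POLICY)
[1]04EC.218C::01/30/1601-23:37:01.056 [user] |NULL|IkeProcessAcquireDispatch failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[1]04EC.1A48::01/30/1601-23:37:01.058 [user] |192.168.0.15|IkeFindAuthConfig failed with HRESULT 0x80070057(ERROR_INVALID_PARAMETER)
[1]04EC.1A48::01/30/1601-23:37:01.059 [ikeext] 0|192.168.0.15|AUTHIP keying module is not enabled for traffic
[1]04EC.1A48::01/30/1601-23:37:01.077 [ikeext] d|192.168.0.15|Accepted proposal. Trans: 1
"""
# One oakley.log entry: [cpu]pid.tid::timestamp [module] flag|peer|message
LINE_RE = re.compile(
    r"^\[(?P<cpu>\d+)\](?P<pid>[0-9A-F]+)\.(?P<tid>[0-9A-F]+)::(?P<ts>\S+) "
    r"\[(?P<module>\w+)\] (?P<flag>\w?)\|(?P<peer>[^|]*)\|(?P<msg>.*)$"
)
FAIL_RE = re.compile(r"(?P<func>\w+) failed with (?:Windows error|HRESULT) (?P<code>0x[0-9A-Fa-f]+|\d+)\((?P<name>\w+)\)")
KEYMOD_RE = re.compile(r"keyMod (?P<keymod>\d)")
# Assumption: keyMod 0/1 correspond to the IKE/AuthIP acquires in the order the log shows them.
KEYMOD_NAMES = {"0": "IKE", "1": "AuthIP"}

def parse_line(line):
    """Split one log entry into its fields; return None for lines that are not entries."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Group 'failed with' entries by thread ID, tagged with the keying module that thread handled."""
    threads = defaultdict(lambda: {"keymod": None, "failures": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        t = threads[rec["tid"]]
        km = KEYMOD_RE.search(rec["msg"])
        if km:
            t["keymod"] = KEYMOD_NAMES.get(km["keymod"], km["keymod"])
        f = FAIL_RE.search(rec["msg"])
        if f:
            t["failures"].append((rec["ts"], f["func"], f["code"], f["name"]))
    return dict(threads)

if __name__ == "__main__":
    for tid, info in summarize(SAMPLE_LOG).items():
        print(f"thread {tid} ({info['keymod']}):")
        for ts, func, code, name in info["failures"]:
            print(f"  {ts} {func} -> {code} {name}")
```

Feed it a full oakley.log to see which negotiation thread each failure belongs to before reading the thread's later entries.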

Hi,
The meaning of the error codes 13825 and 0x80070057 is "No policy configured". Please verify the IPsec policy configured on the computers. The following article could be helpful:
Security rules for Windows Firewall and for IPsec-based connections in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/942957
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 2nd, 2010 2:46am

Thanks for the reply. In my case the firewall is disabled and the IPsec policy is strictly given via the IPsec snap-in (sorry, I forgot to mention this in the first post). Vista has an IPsec policy (protocol ESP, identity SHA1, encryption 3DES; IKE: integrity SHA1, encryption ESP, Diffie-Hellman medium (2), auth PSK) identical to the server policy (default response rule with the same parameters as Vista). Possibly the "no policy configured" error occurs because of an improper checksum on the network packet. I corrected the checksum bug (the network card writes the checksum):
regedit -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload = 1
regedit -> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\EnableOffload = 0
but it did not help. The channel on Vista is established (in IPsec Monitor: confidential bytes sent/received, authenticated bytes sent/received and transport bytes sent/received are not null). Now the situation is (ping.exe with Wireshark as packet sniffer): from the server to Vista, packets (ICMP) get through, but the Vista response to the server does not reach it. From Vista to the server, packets do not reach it. Thanks for the help.
November 2nd, 2010 3:17pm
