Internet Protocol Security


Solving Basic IPSec Problems

These are some methods for resolving basic IPSec-related problems.

IPSec Policy Mismatch Error

If negotiations are failing, it might be due to incompatible IPSec policy settings. Follow these steps to correct the problem:

  1. Run Event Viewer and examine the Security Log. Recent events include attempts at IKE negotiation with a description of their success or failure.
  2. Check the security log on the computer specified by the IP address in the log message.
  3. Determine the cause of the policy mismatch and correct it.

"Bad SPI" Messages in Event Viewer

This error might occur if a key lifetime value is set too low, or if the SA has expired but the sender continues to transmit data to the receiver. It is a benign error; it merits attention only if a large number of these messages are being logged. To determine and correct the problem:

  1. Run IPSecMon.
  2. Examine the number of re-keys.

If the number of re-keys is very large compared to the amount of time the connections have been active, set the key lifetimes in the policy to be longer. Good values for high-traffic Ethernet connections are greater than 50 MB and greater than five minutes.

This might not entirely eliminate bad SPIs, but should significantly reduce the occurrences.
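The two checks above (reading negotiation events from the log, then comparing the re-key count against how long the connections have been active) can be scripted. The following is an added example, not code from the original Microsoft page: it parses a small set of constructed log lines in a hypothetical key=value format (not the real Security Log or IPSecMon output), counts re-keys and "Bad SPI" events per peer, and flags any peer whose average re-key interval or data volume per re-key falls below the page's suggested lifetimes of five minutes and 50 MB. The 50 MB threshold is taken as 50 MiB here, which is an assumption.

```python
"""Flag IPSec peers whose key lifetimes look too short.

Added example; log format and values are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Thresholds from the page: lifetimes for high-traffic Ethernet should exceed
# 50 MB (read here as 50 MiB, an assumption) and five minutes.
MIN_LIFETIME_BYTES = 50 * 1024 * 1024
MIN_LIFETIME_SECONDS = 5 * 60

# Constructed sample log (hypothetical format): one line per SA event.
# Peer 10.0.0.5 re-keys every 30 seconds / 8 MiB; peer 10.0.0.9 every 20 min / 100 MiB.
CONSTRUCTED_LOG = """\
2000-03-01T10:00:00 peer=10.0.0.5 event=SA_ESTABLISHED spi=0x1a2b3c4d
2000-03-01T10:00:30 peer=10.0.0.5 event=REKEY bytes=8388608
2000-03-01T10:01:00 peer=10.0.0.5 event=REKEY bytes=8388608
2000-03-01T10:01:30 peer=10.0.0.5 event=REKEY bytes=8388608
2000-03-01T10:01:40 peer=10.0.0.5 event=BAD_SPI spi=0x1a2b3c4d
2000-03-01T10:02:00 peer=10.0.0.5 event=REKEY bytes=8388608
2000-03-01T10:00:00 peer=10.0.0.9 event=SA_ESTABLISHED spi=0x99887766
2000-03-01T10:20:00 peer=10.0.0.9 event=REKEY bytes=104857600
2000-03-01T10:40:00 peer=10.0.0.9 event=REKEY bytes=104857600
"""


@dataclass
class SaStats:
    """Per-peer counters gathered from the log."""
    peer: str
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    rekeys: int = 0
    rekey_bytes: int = 0
    bad_spi: int = 0

    def active_seconds(self) -> float:
        if self.first_seen is None or self.last_seen is None:
            return 0.0
        return (self.last_seen - self.first_seen).total_seconds()

    def avg_rekey_interval_seconds(self) -> Optional[float]:
        return self.active_seconds() / self.rekeys if self.rekeys else None

    def avg_bytes_per_rekey(self) -> Optional[float]:
        return self.rekey_bytes / self.rekeys if self.rekeys else None


def parse_log(text: str) -> List[dict]:
    """Parse '<iso-timestamp> key=value ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = {"time": datetime.fromisoformat(stamp)}
        for field_text in fields:
            key, _, value = field_text.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def summarize(records: List[dict]) -> Dict[str, SaStats]:
    """Accumulate re-key and Bad SPI counts per peer, plus the active window."""
    stats: Dict[str, SaStats] = {}
    for rec in records:
        s = stats.setdefault(rec["peer"], SaStats(peer=rec["peer"]))
        if s.first_seen is None or rec["time"] < s.first_seen:
            s.first_seen = rec["time"]
        if s.last_seen is None or rec["time"] > s.last_seen:
            s.last_seen = rec["time"]
        if rec["event"] == "REKEY":
            s.rekeys += 1
            s.rekey_bytes += int(rec.get("bytes", 0))
        elif rec["event"] == "BAD_SPI":
            s.bad_spi += 1
    return stats


def assess(stats: Dict[str, SaStats]) -> Dict[str, List[str]]:
    """Return peers whose observed re-key rate suggests lifetimes are too short."""
    findings: Dict[str, List[str]] = {}
    for peer, s in stats.items():
        reasons = []
        interval = s.avg_rekey_interval_seconds()
        per_rekey = s.avg_bytes_per_rekey()
        if interval is not None and interval < MIN_LIFETIME_SECONDS:
            reasons.append(f"re-keying every {interval:.0f}s; raise the time lifetime above {MIN_LIFETIME_SECONDS}s")
        if per_rekey is not None and per_rekey < MIN_LIFETIME_BYTES:
            reasons.append(f"re-keying every {per_rekey / 2**20:.0f} MiB; raise the data lifetime above 50 MB")
        if s.bad_spi and reasons:
            reasons.append(f"{s.bad_spi} Bad SPI event(s), consistent with the short lifetimes")
        if reasons:
            findings[peer] = reasons
    return findings


if __name__ == "__main__":
    for peer, reasons in assess(summarize(parse_log(CONSTRUCTED_LOG))).items():
        print(peer)
        for r in reasons:
            print("  -", r)
```

Run against the constructed log, the script reports only peer 10.0.0.5 (30-second, 8 MiB re-keys with a Bad SPI event) and leaves 10.0.0.9 alone. Against real data, the point is the ratio the page describes: re-keys relative to the time the connection has been up, not the raw count.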

© 1985-2000 Microsoft Corporation. All rights reserved.