Mike's PBX Cookbook

IPSEC Policy missing from registry.
Unable to ping PBX (M1) from CallPilot

Problem Description:

CallPilot ELAN comes up at start of boot and then drops. After that, the CallPilot cannot ping out or in. CallPilot can ping its own IP but nothing else. The following error is seen:

9/25/2006 11:10:22 AM NGen Error Critical 40592 N/A ANCCALLPILOT
Event from Fault Management Service[IPSec] : Event from , Event: ID= 4292, Description:
The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound
TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User
Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and
then restart the computer. For detailed troubleshooting information, review the events in
the Security event log.

Cause of Problem:

The IPSec driver has entered Block mode. IPSec discards all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. A corrupted file in the policy store causes this problem. An interruption that occurs when the policy is being written to the disk can cause the corruption.

Problem Resolution:

Warning:

1. Back up the registry before you modify it. Ensure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, search for KB article 256986 to view the article in the Microsoft Knowledge Base at www.microsoft.com.

2. Serious problems can occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems could require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this issue, delete the following registry subkey and then rebuild the policy:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local

Perform the following steps:

1. Delete the local policy registry subkey. To do this, follow these steps:

a. Click Start, click Run, type regedit, and then click OK.

b. In Registry Editor, locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local

c. On the Edit menu, click Delete.

d. Click Yes to confirm that you want to delete the subkey.

e. Quit Registry Editor.

2. Rebuild a new local policy store. To do this, click Start, click Run, type regsvr32 polstore.dll, and then click OK.
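The resolution steps above as a cmd batch file, with the backup from the warning section taken first and the result checked afterwards. This is an added example, not code from the original article or from the CallPilot product; it assumes reg.exe and regsvr32.exe are on the PATH (standard on Windows 2003), that it runs from an administrative command prompt, and the backup folder C:\IPSecFix is a constructed placeholder name.

```batch
@echo off
REM Scripted form of the resolution steps (added example, not from the article).
REM Assumes reg.exe and regsvr32.exe are on the PATH (standard on Windows 2003)
REM and runs from an administrative prompt. C:\IPSecFix is a constructed folder name.
setlocal
set KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
set BACKUPDIR=C:\IPSecFix
set BACKUP=%BACKUPDIR%\IPSec-Policy-Local.reg
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

REM Nothing to delete if the subkey is already gone; go straight to the rebuild.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo Subkey %KEY% not present, skipping delete.
    goto rebuild
)

REM Warning step: back up the subkey before modifying the registry.
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed, aborting with no changes made.
    exit /b 1
)
echo Backup written to %BACKUP%

REM Step 1 (a-e): delete the local policy subkey without the confirmation prompt.
reg delete "%KEY%" /f
if errorlevel 1 (
    echo Delete failed. Restore with: reg import "%BACKUP%"
    exit /b 1
)

:rebuild
REM Step 2: rebuild a new local policy store (/s suppresses the dialog box).
regsvr32 /s polstore.dll
if errorlevel 1 (
    echo regsvr32 polstore.dll failed. Restore the backup and reboot.
    exit /b 1
)

REM Check that a fresh store now exists; if not, reboot and review the
REM Security event log as the Event ID 4292 text advises.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo Warning: %KEY% was not recreated.
    exit /b 1
)
echo Local IPSec policy store rebuilt. Reboot and confirm the ELAN can ping the M1.
```

The exported .reg file lets you put the old subkey back with `reg import` if the rebuild does not clear the Block mode condition.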

Limitations:

This workaround applies only to Windows 2003 systems.

Correction:

Once the local policy store has been restored, corrective content to prevent further occurrences has been added to the Service Updates; any subsequent Service Update PEPs will contain the fix.

UPDATE: IPSec and Firewalls:

To make IPSec work through firewalls, open UDP port 500 and permit IP protocol numbers 50 and 51 on both inbound and outbound firewall filters.