Can't start IPSec Services

Nick

Hi,

I'm running Windows XP SP2. While trying to set up an L2TP VPN
recently, I found out that the IPSec Services can't be started on my PC
(for all I know, it's always been like this). I've tried the
following:

sc query policyagent: Always shows that the service is STOPPED.

net start policyagent: Sometimes returns error 10045 (the attempted
operation is not supported for the type of object referenced), other
times it says that the service was started successfully. Regardless of
the message, "sc query policyagent" always shows that the service is
STOPPED.

I've followed the instructions to clear the IP Sec policy at
http://www.howtonetworking.com/VPN/rebuildipsec.htm, but the registry
key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\IPsec\Policy\Local
mentioned in the article does not exist on my PC, and it is not
re-created when I type "regsvr32 polstore.dll". Any suggestions on how
to start the IPSec Services?

Thanks,
Nick
 
Robert L [MS-MVP]

Make sure no other IPSec software, such as SafeNet, is running.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Guest

I have the same issue. I have tried the same remedies as Nick to no avail.

I have no other IPSec software running. There is no information in the MS
Knowledge Base.

How do I get IPSec service to start? And where is the information about
what causes this error?

Regards,

--Kip
 
Steven L Umbach

If you have no need for ipsec, such as using L2TP or ipsec on the LAN, I would
not worry about it. If you do, then you could try resetting tcp/ip as shown
in the link below. If using XP Pro you could also try using Local Security
Policy to delete existing ipsec policies and then restoring default ipsec
policies, though that could cause a problem if you are using a custom ipsec
policy unless you have a backup of it. If all the above fails, a repair
installation of the operating system usually will fix service related
problems, though doing so will require that you install your service pack,
if not slipstreamed on the install disk, and then install all critical
security updates, which will be numerous. That could be a very lengthy
process on a dial up connection.

Steve

http://support.microsoft.com/kb/299357/
 
Guest

Sorry, should have noted that I *always* get a 10045 error trying to start
IPSec service. I have never tried to use this service before, but now I plan
to use a VPN client to access my home router. A pre-requisite is to get
IPSec service running.

I do have McAfee software installed, but the results are exactly the same
even when this is disabled.
 
Guest

Steven, thanks.

Since I plan on using a VPN client then I guess I need IPSec (it's the
Linksys Client and it requires this service to be running).

I "repaired" TCP/IP as per the link and that did not help.

I have no idea about security policies. I just want to run a VPN client to
my home router. As per Nick's previous message, I have previously tried the
approach of deleting the local security policy tree in the registry, but I do
not have such a key.

Any other ideas?
Is there any English-language compatible statement as to what this error
even means?

--Kip
 
Steven L Umbach

You will need ipsec if you are not going to use PPTP. Make sure that the
ipsec service is set to be automatic for startup type and that the Remote
Procedure Call service is started as shown in services.msc. It can be
complicated to track down ipsec problems and your best resort probably would
be a repair install as I mentioned before though hopefully you are not using
a dial up connection. I don't know offhand what the error message means.
Below is information from a Microsoft guide on troubleshooting ipsec that
pertains to service problems. Also be sure to scan your computer for malware
and spyware as such could cause ipsec service to fail as can any process
that uses ports that ipsec uses. I wish I had a simpler answer but that is
not the nature of this beast.

Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecch7.mspx

Troubleshooting the IPsec Service
The IPsec service does not need to be running to use the IPsec Policy
Management MMC snap-in. However, if an administrator then assigns a local
policy, the Policy Assigned column will display an error.

The following common problems can cause the IPsec service to fail during
startup:

. The computer was started in Safe Mode or Active Directory Recovery
Mode. In these cases, the IPsec driver will provide stateful outbound
communication by default if there is an IPsec policy assigned. Inbound
connectivity will be blocked unless there is a boot exemption configured.

. IKE cannot obtain exclusive control of UDP port 500 and port 4500.
Use netstat -bov to show the processes and code modules for each port. The
command portqry -local -v provides even greater detail. Some Winsock Layered
Service Providers (LSP) may be installed that are interfering with IPsec.
For more information about LSPs and IPsec, refer to the "Troubleshooting
Application Related Issues" section later in this chapter.

. IPsec Policy corruption. The assigned IPsec policy cannot be read
entirely or applied entirely, which causes the IPsec service to report a
number of errors. These errors do not cause the service itself to fail, but
may cause communications to fail in many ways, such as by blocking Group
Policy and the IPsec service from retrieving corrected policies. In Windows
XP and Windows Server 2003, attention should be paid to the design of
persistent policy or local policy as a "safe" policy to be applied in case
of errors that occur when domain-based policy is applied. Both persistent
policy and computer startup policy (boot mode exemptions) should be part of
the troubleshooting investigation. These policies should permit remote
access to the computer by other means in case they are the only policies
applied because of other failure conditions.


The Windows 2000 IPsec implementation uses a module called the IPsec Policy
Store (polstore.dll) so that the IPsec Policy Agent and the IPsec Policy
Management MMC snap-in can use one module to access all three supported
policy storage locations: local, remote computer, and Active Directory. This
design is changed and improved in Windows XP and Windows Server 2003 with
the addition of new IPsec policy types (startup policy and persistent
policy) and the Security Policy Database (SPD) component, which maintains
the run-time state of IPsec policy for IPsec monitor queries and IKE
queries. This architectural change means that the text of logged IPsec
events in Windows 2000 has changed in Windows XP and Windows Server 2003.
This architectural change also means that significant changes had to be made
in the RPC interfaces that are used for remote management. For Windows
Server 2003, the RPC interfaces were again significantly updated.
Consequently, the IPsec Policy Management MMC snap-in is not able to connect
to remote computers that do not have the same operating system version
installed. In addition, the security model for Windows XP SP2 and Windows
Server 2003 SP1 was fundamentally changed to limit remote RPC connections
and to activate Windows Firewall by default. For more information, see
Changes to Functionality in Microsoft Windows XP Service Pack 2 - Part 2:
Network Protection Technologies.

Because of these changes, the remote RPC interfaces for the IPsec service
were disabled as a safety measure. Therefore the IPsec Monitor and IPsec
Policy Management MMC snap-ins are not able to perform remote monitoring on
these computers. Remote management for IPsec should be performed using
Remote Desktop (Terminal Server) connections, which execute the IPsec MMC
snap-ins as local processes.

In Windows 2000, the IPsec driver is loaded by default at the end of the
startup process by the Policy Agent service. The IPsec driver is not part of
IP packet processing until the first time the Policy Agent informs the IPsec
driver of an active policy. If there is no active IPsec policy, the IPsec
driver is not included in inbound and outbound IP traffic processing. In
Windows XP and Windows Server 2003, this design was improved so that the
IPsec driver is loaded by the TCP/IP driver during the startup process. The
driver does not process packets until it has filters loaded by the IPsec
service.

In Windows 2000, errors may be logged by the IPsec Policy Agent for problems
with service startup. These errors include the following:

. IP Security Policy Agent could not be started. No IP Security policy
will be enforced. This error is probably caused by problems the IPsec Policy
Agent encountered when registering itself with the RPC subsystem. It may
also be caused by IKE failing to initialize because of third-party Winsock
LSPs.

. Policy Agent RPC Server failed to...
    . register protocol sequence
    . register interface
    . register interface bindings
    . register interface endpoint
    . register authentication mechanisms
    . listen

Any of these errors can be caused by changes to advanced security settings
or problems within the RPC service that cause the IPsec Policy Agent service
to not properly initialize during service startup. Therefore, the IPsec
Policy Agent will not function correctly, may hang, and may shut down.

. Policy Agent failed to start. Failed to connect to SCM Database
Error: <number>. The IPsec service cannot open the service control manager
database, which may occur because the IPsec service was configured to run as
a nonprivileged service account. It must run as local system. Otherwise,
investigate problems with the service control manager.

. Policy Agent failed to connect to the IPSEC Driver. The IPsec driver
could not be successfully loaded and interfaced with the TCP/IP stack.
Windows 2000 is designed to do this when the IPsec service starts. There may
be third-party software inhibiting the connection, or the operating system
may be missing code modules that are required for this functionality.

. Policy Agent failed to load IPSEC policies. An error occurred while
the IPsec Policy Agent was loading all the filters into the IPsec driver.
This error may have been caused by insufficient kernel memory or improper
initialization of the IPsec driver. If the problem persists, contact
Microsoft Product Support Services.

. Policy Agent failed to start ISAKMP service. This error usually
occurs because IKE cannot gain exclusive control over UDP port 500 or port
4500 because another service is already using them. It may also be caused by
third-party security software preventing the network port allocation, or the
IPsec service not running in the local system context.

. Failed to determine SSPI principal name for ISAKMP/Oakley service.
Windows 2000 logs this message when the security support provider interface
(SSPI) function call QueryCredentialsAttributes fails. This failure may
indicate that the computer is not able to successfully log in to the domain.

. Failed to obtain Kerberos server credentials for ISAKMP/Oakley
service. This Windows 2000 error message commonly occurs when the IPsec
service starts (perhaps at computer startup time) on a remote network where
an IPsec policy is assigned (perhaps from registry cache of domain policy)
that requires Kerberos authentication and a domain controller is not
available. Therefore, Kerberos authentication will not function. On the
internal network, this event would be logged on a computer that is not a
member of the domain, or that cannot reach the domain controllers using the
Kerberos protocol during IPsec service initialization.

. A Secure communications policy cannot be enforced because the IP
Security driver failed to start. Contact your system administrator
immediately. This error is caused by a problem with the IPsec driver
loading, binding to the TCP/IP stack, or initializing before attempting to
add policy to it. File corruption or permissions may be the cause. Look for
security settings or third-party security software that may inhibit driver
loading. If FIPS.sys internal signatures cannot be verified during
initialization, it will fail to load and the IPsec driver will also fail to
load. FIPS.sys signature failure requires a replacement of the original
signed binary file or a new binary file from Microsoft. Restart the
computer. If problems persist, then contact Microsoft Product Support
Services.


In Windows XP and Windows Server 2003, the following IPsec service error
events indicate that the service cannot start:

. IPSec Services failed to initialize IPSec driver with error code:
<number>. IPSec Services could not be started. The IPsec driver was unable
to load for some reason. If problems persist, contact Microsoft Product
Support Services.

. IPSec Services failed to initialize IKE module with error code:
<number>. IPSec Services could not be started. Common sources of this
problem are third-party Winsock LSPs, which prevent IKE from using certain
socket options. This error will also be reported when IKE cannot gain
exclusive control of UDP ports 500 and 4500.

. IPSec Services failed to initialize RPC server with error code:
<number>. IPSec Services could not be started. The IPsec service depends
upon the RPC subsystem for interprocess communication between IKE, the SPD,
and the Policy Agent. Use RPC troubleshooting techniques to confirm that RPC
is working properly. After restarting the computer, if problems persist,
contact Microsoft Product Support Services.

. IPSec Services has experienced a critical failure and has shut down
with error code: <number>. Stopped IPSec Services can be a potential
security hazard to the machine. Please contact your machine administrator
to re-start the service. The IPsec service encountered the error indicated
by the <number> in the event text and is no longer running. The IPsec driver
is still loaded and may either be in normal mode (enforcing IPsec policy
filters) or in block mode. A separate event would indicate if the IPsec
driver was put into block mode. If the driver is in normal mode, then permit
and block filter actions still function as expected. Filters with a
negotiate action simply drop traffic because IKE is not available.

. IPSec Services put IPSec driver in block mode due to previous
failures error code <number>. This message is a notification that the IPsec
driver was put into block mode as a failsafe behavior because of errors
encountered processing IPsec policy. This behavior is available only in
Windows Server 2003. Block mode still allows inbound exemptions that were
configured by using the netsh ipsec command.
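A diagnostic script that runs the checks the replies and the pasted Microsoft guide describe: PolicyAgent startup type and account, the RPC service dependency, which process owns UDP 500 and 4500, and non-Microsoft Winsock LSPs. It is an added example, not code from the thread or from Microsoft, and assumes Windows PowerShell 2.0 or later with WMI on the affected machine, run from an administrator console.

```powershell
# Added diagnostic script, not from the thread or from Microsoft: checks the
# startup conditions named in the replies above for IPSec Services (PolicyAgent).
# Assumes Windows PowerShell 2.0+ with WMI, run from an administrator console.

# 1. State, startup type and account of PolicyAgent and the RPC service it needs.
foreach ($name in 'PolicyAgent', 'RpcSs') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) { Write-Warning "Service $name not found"; continue }
    "{0,-12} state={1,-8} start={2,-6} account={3}" -f $svc.Name, $svc.State, $svc.StartMode, $svc.StartName
    if ($name -eq 'RpcSs' -and $svc.State -ne 'Running') {
        Write-Warning 'RPC service is not running; PolicyAgent cannot register its RPC server'
    }
    if ($name -eq 'PolicyAgent') {
        if ($svc.StartMode -ne 'Auto') { Write-Warning 'PolicyAgent startup type is not Automatic' }
        if ($svc.StartName -ne 'LocalSystem') {
            Write-Warning 'PolicyAgent must run as LocalSystem (guide: "Failed to connect to SCM Database")'
        }
    }
}

# 2. IKE needs exclusive control of UDP 500 and 4500. On XP the IKE listener
# lives in lsass.exe, so any other owner is the port conflict the guide describes.
$udp = netstat -a -n -o -p UDP | Where-Object { $_ -match '^\s*UDP\s' }
foreach ($line in $udp) {
    $f = $line.Trim() -split '\s+'            # fields: UDP  addr:port  *:*  PID
    $port = [int](($f[1] -split ':')[-1])
    if ($port -ne 500 -and $port -ne 4500) { continue }
    $ownerPid = [int]$f[3]
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $owner = if ($proc) { $proc.ProcessName } else { 'unknown' }
    "UDP $port is bound by PID $ownerPid ($owner)"
    if ($owner -ne 'lsass') { Write-Warning "UDP $port is not held by lsass; IKE cannot get exclusive control" }
}

# 3. Third-party Winsock LSPs are the guide's common cause of IKE module failures.
# List Winsock provider modules that do not live under system32.
netsh winsock show catalog | ForEach-Object {
    if ($_ -match '^\s*Provider Path:\s*(.+)$') { $matches[1].Trim() }
} | Sort-Object -Unique | Where-Object { $_ -notmatch '(?i)\\system32\\' } |
    ForEach-Object { Write-Warning "Non-system Winsock provider: $_" }
```

Error 10045 in Nick's report is the Winsock code WSAEOPNOTSUPP ("the attempted operation is not supported for the type of object referenced"), which matches the guide's note that third-party LSPs can prevent IKE from using certain socket options, so step 3 is where to look when that code appears.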