IPSEC Driver reset inbound packet

Alexander LAW

Hello,
I've set up VPN Server using Windows 2003.
One Windows 2000 SP4 computer (A) can connect to this VPN server, and another
Windows 2000 SP4 computer (B) cannot.
I use netmon and see that computer A initiates the VPN connection with an ISAKMP
packet.
But computer B sends a packet from UDP port 1701 to UDP port 1701 - L2TP SCCRQ
(I've checked the AVPs included in this packet and found nothing strange).
My server doesn't respond to computer B. I've enabled ipsec diagnostics, set
this parameter to 7, and see in system log information event:
Source: IPSEC EventID:4290
IPSEC-driver reset inbound packet....

How can different computers with Windows 2000 send different packets? On
both I've set up certificates.
Why does my server drop the inbound packet?

Thanks,
Alexander
 
David Beder [MSFT]

Might computer B have an ipsec policy assigned to it that computer A does
not? Or, if they both have policies, might they be slightly different?
The netdiag tool or potentially ipsecmon.exe might be able to shed some
light.
I'd also look through the registry for ProhibitIPSec. This is a VPN key used
to disassociate the default ras ipsec policy from L2TP so that users can
invoke a more customized IPSec policy.
 
Alexander LAW

Thank you, David!
I found that a long time ago I added the ProhibitIpSec registry value on
computer B and completely forgot about it. That's why computer B sends me an
unencrypted UDP packet to port 1701. There were no automatic filters created.
Thank you for the answer.
Good Luck!
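
The symptom in this thread, a cleartext L2TP SCCRQ arriving on UDP 1701 instead of ISAKMP followed by ESP, can be recognised directly from captured payloads. The following is an added example, not code from any poster in the thread: it parses the L2TPv2 control header and the Message Type AVP as laid out in RFC 2661. The function names, the `classify` labels and the sample packet are constructed for illustration, and it assumes the server should only ever see IKE (UDP 500/4500) and ESP from L2TP/IPsec clients.

```python
import struct

# Message Type AVP values from RFC 2661 (subset).
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO"}

def l2tp_control_type(payload: bytes):
    """Return the control message name if payload is a cleartext
    L2TPv2 control message, otherwise None."""
    if len(payload) < 12:
        return None
    flags, length, _tunnel, _session, _ns, _nr = struct.unpack("!6H", payload[:12])
    # Control messages set the T, L and S bits; the version nibble must be 2.
    if flags & 0xC80F != 0xC802:
        return None
    if length < 12 or length > len(payload):
        return None
    if length == 12:
        return "ZLB"  # zero-length body acknowledgement
    if length < 20:
        return None
    # The first AVP of a control message is Message Type: vendor 0, attribute 0.
    avp_hdr, vendor, attr, value = struct.unpack("!4H", payload[12:20])
    if avp_hdr & 0x03FF != 8 or vendor != 0 or attr != 0:
        return None
    return MSG_TYPES.get(value, f"type-{value}")

def classify(ip_proto: int, dport: int, payload: bytes) -> str:
    """Label one inbound packet as seen on the VPN server's external interface."""
    if ip_proto == 50:
        return "esp"
    if ip_proto == 17 and dport in (500, 4500):
        return "ike"
    if ip_proto == 17 and dport == 1701:
        name = l2tp_control_type(payload)
        if name:
            # L2TP outside ESP: the client is not applying an IPsec policy.
            return f"cleartext-l2tp:{name}"
    return "other"

def build_sccrq() -> bytes:
    """Constructed sample: minimal SCCRQ carrying only the Message Type AVP."""
    avp = struct.pack("!4H", 0x8008, 0, 0, 1)  # M bit set, length 8, type 1
    return struct.pack("!6H", 0xC802, 12 + len(avp), 0, 0, 0, 0) + avp

if __name__ == "__main__":
    print(classify(17, 1701, build_sccrq()))
```

A `cleartext-l2tp:SCCRQ` result for a client points at that client's IPsec policy, which is where the ProhibitIpSec value found above takes effect.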
 
