Windows 2003 Server Going Unbidden Into IPSec Block Mode

Guest

The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer. For detailed troubleshooting information, review the events in the Security event log

The above text from Event Viewer presages the computer failing to communicate with all other devices on its subnet. Manually stopping and disabling the IPSec service solves the problem. It appears that some event during bootstrap caused the IPSec service to start. This has happened twice in the past month. I have done nothing to configure IPSec to ON through Group Policy or any other means (if any).

The total breakdown of network communications is a sorry notification that some software component has decided to be safe versus sorry, with only an obscure event log entry to record the decision. I wonder what is causing this to happen. Any idea?
 
Christopher Black [MSFT]

The IPsec driver will go into 'block' mode when it (as a basic network security provider) cannot guarantee that it can provide security; this is indeed a case of being safe rather than sorry. It is very unusual for the driver to enter block mode; it is as a result of the IPsec system detecting that it is being subverted.

The most common reason that we have seen for the driver entering block mode is 3rd-party LSPs. These LSPs inadvertently (or not) do not allow the IPsec IKE component to have the network access required to function; the IPsec component sees this as an attack.

-- Chris
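A triage script for the situation Chris describes, added here as an example and not part of the thread: it looks for the block-mode event quoted at the top of the thread, lists any non-Microsoft Layered Service Providers in the Winsock catalog, and reports the state of the IPsec service. It assumes PowerShell is installed on the Windows Server 2003 host, that the service name is PolicyAgent, and that `netsh winsock show catalog` prints its fields in the usual "Key: value" layout; the script itself is hypothetical.

```powershell
# Added triage script (not from the thread). Assumes Windows Server 2003 with
# PowerShell installed, 'netsh winsock show catalog' available, and admin rights.

# 1. Block-mode events: match on the message text quoted in the thread rather
#    than assuming a particular event ID.
$blockEvents = Get-EventLog -LogName System -Newest 2000 |
    Where-Object { $_.Message -match 'IPSec driver has entered Block mode' }
"Block-mode events found: $($blockEvents.Count)"
$blockEvents | Select-Object TimeGenerated, Source, EventID | Format-Table -AutoSize

# 2. Winsock catalog: parse 'netsh winsock show catalog' and report every
#    layered entry whose DLL is not one of the in-box providers.
$inbox = @('mswsock.dll', 'rsvpsp.dll')   # assumed in-box provider DLLs
$entries = @()
$current = @{}
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match '^(Entry Type|Description|Provider Path|Catalog Entry ID):\s*(.*)$') {
        $current[$matches[1]] = $matches[2].Trim()
        # 'Catalog Entry ID' is the last field we care about in each entry block
        if ($matches[1] -eq 'Catalog Entry ID') { $entries += ,$current; $current = @{} }
    }
}
$thirdParty = $entries | Where-Object {
    $_['Entry Type'] -match 'Layered' -and
    $_['Provider Path'] -and
    $inbox -notcontains [System.IO.Path]::GetFileName($_['Provider Path'])
}
if ($thirdParty) {
    "Third-party LSP entries (candidate cause of block mode):"
    $thirdParty | ForEach-Object {
        "  [{0}] {1} -> {2}" -f $_['Catalog Entry ID'], $_['Description'], $_['Provider Path']
    }
} else {
    "No third-party LSP entries in the Winsock catalog."
}

# 3. IPsec service (assumed service name PolicyAgent): state and start mode.
Get-WmiObject Win32_Service -Filter "Name='PolicyAgent'" |
    Select-Object Name, State, StartMode | Format-Table -AutoSize
```

Run it once while the box is still in block mode and keep the output; the flagged provider paths are what to compare against recently installed software.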
 
Guest

By LSP you refer to "Layered Service Provider" which is jargon for a component that is inserted between layers of the TCP/IP stack. It appears that certain ubiquitous downloads silently install such components to further their commercial aims, thereby risking destabilizing the operating system and opening holes in security. Should not such attempts be monitored by the operating system and reported to the user? This sort of thing is great fun and the foundation of a commercial bonanza, but it can mean trouble for the purchaser of the server software.
 
