Microsoft Knowledge Base Article
This article's content is Microsoft copyrighted material.
©2005-2007 Microsoft Corporation. All rights reserved.
Article ID: 955540 - Last Review: October 8, 2011 - Revision: 2.0

A hotfix is available that enables support for dynamic filters for IPsec communication on Windows Server 2008 or Windows Vista SP1-based computers

Consider the following scenario that occurs in Internet Protocol security (IPsec) communications on Windows Server 2008-based computers or on Windows Vista SP1-based computers:
- You have several filters on the IPsec Responder (the server side). One filter is a generic filter, and the other filters are more specific and more strict. The following code is an example of filters that meet these criteria:
  rem Rules added on the server:
  netsh adv consec add rule name="anyToany" endpoint1=any endpoint2=any auth1=computerpsk auth1psk="Password123456!" action=requestinrequestout
  netsh adv consec add rule name="80Toany" endpoint1=any endpoint2=any protocol=tcp port1=80 port2=any auth1=computerpsk auth1psk="Password123456!" action=requireinrequestout qmsecmethods=ESP:SHA1-AES128,ESP:SHA1-3DES
  netsh adv consec add rule name="anyTo80" endpoint1=any endpoint2=any protocol=tcp port1=any port2=80 auth1=computerpsk auth1psk="Password123456!" action=requireinrequestout qmsecmethods=ESP:SHA1-AES128,ESP:SHA1-3DES
  Note In this example, anyToany is the generic filter, and anyTo80 and 80Toany are the specific filters.
- You also have only a generic filter on the IPsec Requester (the client side). The following code is an example of a filter that meets this criterion:
  rem Rule added on the client:
  netsh adv consec add rule name="anyToany" endpoint1=any endpoint2=any auth1=computerpsk auth1psk="Password123456!" action=requestinrequestout
In this scenario, if the communication between the client and the server matches both the generic filter and the specific filter, the communication fails. In these examples, if the client tries to access the Web server on the server by using TCP port 80, the communication fails. This is true even though the communication actually meets the requirement of the generic rule on the server. At the same time, other communications, such as PING commands, from the client to the server work correctly.

To make communications that meet both the generic rule and the specific rules work, the specific filters also have to be added to the clients.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the "Hotfix Request" page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.

Prerequisites

To apply this hotfix on a Windows Vista-based computer, you must have Windows Vista Service Pack 1 (SP1) installed.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
935791 (http://kbalertz.com/Feedback.aspx?kbNumber=935791/) How to obtain the latest Windows Vista service pack
No prerequisites are required for Windows Server 2008-based computers.

Restart requirement

You have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista and Windows Server 2008 file information notes

The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008 and for Windows Vista" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.

For all supported 32-bit versions of Windows Server 2008 and of Windows Vista

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Netio.sys | 6.0.6001.22237 | 223,288 | 06-Aug-2008 | 04:12 | x86 |
| Bfe.dll | 6.0.6001.22237 | 328,704 | 06-Aug-2008 | 03:55 | x86 |
| Fwpkclnt.sys | 6.0.6001.22237 | 101,432 | 06-Aug-2008 | 04:12 | x86 |
| Fwpuclnt.dll | 6.0.6001.22237 | 595,456 | 06-Aug-2008 | 03:56 | x86 |
| Ikeext.dll | 6.0.6001.22237 | 438,272 | 06-Aug-2008 | 03:57 | x86 |
| Wfp.mof | Not Applicable | 814 | 18-Dec-2007 | 21:11 | Not Applicable |
| Wfp.tmf | Not Applicable | 175,508 | 06-Aug-2008 | 02:00 | Not Applicable |
| Tcpip.sys | 6.0.6001.22237 | 891,960 | 06-Aug-2008 | 04:08 | x86 |

For all supported 64-bit versions of Windows Server 2008 and of Windows Vista

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Netio.sys | 6.0.6001.22237 | 347,192 | 06-Aug-2008 | 04:13 | x64 |
| Bfe.dll | 6.0.6001.22237 | 458,240 | 06-Aug-2008 | 04:00 | x64 |
| Fwpkclnt.sys | 6.0.6001.22237 | 168,504 | 06-Aug-2008 | 04:13 | x64 |
| Fwpuclnt.dll | 6.0.6001.22237 | 779,776 | 06-Aug-2008 | 04:01 | x64 |
| Ikeext.dll | 6.0.6001.22237 | 454,656 | 06-Aug-2008 | 04:02 | x64 |
| Wfp.mof | Not Applicable | 814 | 18-Dec-2007 | 21:10 | Not Applicable |
| Wfp.tmf | Not Applicable | 174,680 | 06-Aug-2008 | 02:06 | Not Applicable |
| Tcpip.sys | 6.0.6001.22237 | 1,419,320 | 06-Aug-2008 | 04:11 | x64 |
| Fwpuclnt.dll | 6.0.6001.22237 | 595,456 | 06-Aug-2008 | 03:56 | x86 |
| Wfp.mof | Not Applicable | 814 | 18-Dec-2007 | 21:11 | Not Applicable |

For all supported Itanium-based versions of Windows Server 2008

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Netio.sys | 6.0.6001.22237 | 641,592 | 06-Aug-2008 | 03:56 | IA-64 |
| Bfe.dll | 6.0.6001.22237 | 781,312 | 06-Aug-2008 | 03:29 | IA-64 |
| Fwpkclnt.sys | 6.0.6001.22237 | 264,248 | 06-Aug-2008 | 03:45 | IA-64 |
| Fwpuclnt.dll | 6.0.6001.22237 | 1,122,304 | 06-Aug-2008 | 03:31 | IA-64 |
| Ikeext.dll | 6.0.6001.22237 | 925,696 | 06-Aug-2008 | 03:31 | IA-64 |
| Wfp.mof | Not Applicable | 814 | 18-Dec-2007 | 21:11 | Not Applicable |
| Wfp.tmf | Not Applicable | 174,775 | 06-Aug-2008 | 01:46 | Not Applicable |
| Tcpip.sys | 6.0.6001.22237 | 2,924,088 | 06-Aug-2008 | 03:58 | IA-64 |
| Fwpuclnt.dll | 6.0.6001.22237 | 595,456 | 06-Aug-2008 | 03:56 | x86 |
| Wfp.mof | Not Applicable | 814 | 18-Dec-2007 | 21:11 | Not Applicable |
To resolve the issue, apply this fix on the server. This hotfix adds the IPsecFilterMatchByPass feature. To turn on this feature, follow these instructions:
- On the server side, add the following registry entry:

  | Registry Subkey | Type | Value |
  |---|---|---|
  | HKEY_LOCAL_MACHINE\system\CCS\Services\IPsec\EnableIPsecFilterMatchByPass | DWORD | 1 |

  Then restart the server.
- On the client side, add the following registry entry:

  | Registry Subkey | Type | Value |
  |---|---|---|
  | HKEY_LOCAL_MACHINE\system\CCS\Services\IKEEXT\Parameters\IKEFlags | DWORD | 0x200 |

  Then, restart the IKEEXT service.
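
The failing scenario in this article depends on the responder having specific filters that the requester lacks, which can be checked from the rule definitions before deployment. The following is an added example, not part of the Microsoft article: it parses the article's `netsh adv consec add rule` commands and lists server rules whose endpoint, protocol and port filter has no identical rule on the client. The function names, the exact-match comparison and the treatment of omitted fields as `any` are assumptions of this example.

```python
"""Flag connection security rules present on the responder but not on the requester."""
import shlex

# Constructed input: the two rule sets from the scenario in this article.
SERVER_RULES = r'''
rem Rules added on the server:
netsh adv consec add rule name="anyToany" endpoint1=any endpoint2=any auth1=computerpsk auth1psk="Password123456!" action=requestinrequestout
netsh adv consec add rule name="80Toany" endpoint1=any endpoint2=any protocol=tcp port1=80 port2=any auth1=computerpsk auth1psk="Password123456!" action=requireinrequestout qmsecmethods=ESP:SHA1-AES128,ESP:SHA1-3DES
netsh adv consec add rule name="anyTo80" endpoint1=any endpoint2=any protocol=tcp port1=any port2=80 auth1=computerpsk auth1psk="Password123456!" action=requireinrequestout qmsecmethods=ESP:SHA1-AES128,ESP:SHA1-3DES
'''
CLIENT_RULES = r'''
rem Rule added on the client:
netsh adv consec add rule name="anyToany" endpoint1=any endpoint2=any auth1=computerpsk auth1psk="Password123456!" action=requestinrequestout
'''

# Fields that make up a rule's traffic filter. Assumption of this example:
# a field that is omitted from the command is treated as "any".
FILTER_KEYS = ("endpoint1", "endpoint2", "protocol", "port1", "port2")


def parse_rules(text):
    """Return one dict (lower-cased key -> value) per 'consec add rule' line."""
    rules = []
    for line in text.splitlines():
        if not line.strip().lower().startswith("netsh"):
            continue  # skip comments and blank lines
        tokens = shlex.split(line)  # strips the quotes around name= and auth1psk=
        if "consec" not in tokens or "add" not in tokens:
            continue  # not a connection security rule definition
        pairs = (tok.partition("=") for tok in tokens)
        rules.append({key.lower(): value for key, sep, value in pairs if sep})
    return rules


def traffic_filter(rule):
    """Normalised (endpoint1, endpoint2, protocol, port1, port2) tuple of a rule."""
    return tuple(rule.get(key, "any").lower() for key in FILTER_KEYS)


def missing_on_client(server_text, client_text):
    """Names of server rules narrower than any/any with no identical client filter."""
    generic = ("any",) * len(FILTER_KEYS)
    client_filters = {traffic_filter(r) for r in parse_rules(client_text)}
    missing = []
    for rule in parse_rules(server_text):
        selector = traffic_filter(rule)
        if selector != generic and selector not in client_filters:
            missing.append(rule.get("name", "<unnamed>"))
    return missing


if __name__ == "__main__":
    for name in missing_on_client(SERVER_RULES, CLIENT_RULES):
        print(f"server rule {name!r} has no matching filter on the client")
```
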

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 (http://kbalertz.com/Feedback.aspx?kbNumber=824684/) Description of the standard terminology that is used to describe Microsoft software updates

Additional file information for Windows Server 2008 and for Windows Vista

Additional files for all supported 32-bit versions of Windows Server 2008 and of Windows Vista

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Package_for_kb955540_client_1~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,641 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_client~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,431 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,422 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_sc~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,423 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_server_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,425 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_server~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,431 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_winpesrv_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,422 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_winpesrv~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,430 | 06-Aug-2008 | 18:31 | Not Applicable |
| X86_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6001.22237_none_570b9dc8ce7d2984.manifest | Not Applicable | 3,908 | 06-Aug-2008 | 04:23 | Not Applicable |
| X86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22237_none_cd94a0dc43ba7a2e.manifest | Not Applicable | 127,634 | 06-Aug-2008 | 04:25 | Not Applicable |
| X86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22237_none_b38e43457f95e31b.manifest | Not Applicable | 6,254 | 06-Aug-2008 | 04:26 | Not Applicable |

Additional files for all supported 64-bit versions of Windows Server 2008 and of Windows Vista

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Amd64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6001.22237_none_b32a394c86da9aba.manifest | Not Applicable | 3,916 | 06-Aug-2008 | 04:27 | Not Applicable |
| Amd64_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22237_none_29b33c5ffc17eb64.manifest | Not Applicable | 127,680 | 06-Aug-2008 | 04:30 | Not Applicable |
| Amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22237_none_0facdec937f35451.manifest | Not Applicable | 6,276 | 06-Aug-2008 | 04:31 | Not Applicable |
| Package_for_kb955540_client_1~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,651 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_client~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,439 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,430 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_sc~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,431 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,433 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_server~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,439 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_winpesrv_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,430 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_winpesrv~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,438 | 06-Aug-2008 | 18:31 | Not Applicable |
| Wow64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6001.22237_none_bd7ee39ebb3b5cb5.manifest | Not Applicable | 2,730 | 06-Aug-2008 | 04:13 | Not Applicable |
| Wow64_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22237_none_3407e6b23078ad5f.manifest | Not Applicable | 71,155 | 06-Aug-2008 | 04:13 | Not Applicable |

Additional files for all supported Itanium-based versions of Windows Server 2008

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Ia64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6001.22237_none_570d41bece7b3280.manifest | Not Applicable | 3,912 | 06-Aug-2008 | 04:07 | Not Applicable |
| Ia64_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22237_none_cd9644d243b8832a.manifest | Not Applicable | 127,657 | 06-Aug-2008 | 04:10 | Not Applicable |
| Ia64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22237_none_b38fe73b7f93ec17.manifest | Not Applicable | 6,265 | 06-Aug-2008 | 04:11 | Not Applicable |
| Package_for_kb955540_sc_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,425 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_sc~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,426 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_server_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,429 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_server~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,434 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_winpesrv_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,426 | 06-Aug-2008 | 18:31 | Not Applicable |
| Package_for_kb955540_winpesrv~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,433 | 06-Aug-2008 | 18:31 | Not Applicable |
| Wow64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6001.22237_none_bd7ee39ebb3b5cb5.manifest | Not Applicable | 2,730 | 06-Aug-2008 | 04:13 | Not Applicable |
| Wow64_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22237_none_3407e6b23078ad5f.manifest | Not Applicable | 71,155 | 06-Aug-2008 | 04:13 | Not Applicable |

APPLIES TO
- Windows Vista Service Pack 1, when used with:
  - Windows Vista Business
  - Windows Vista Enterprise
  - Windows Vista Home Basic
  - Windows Vista Home Premium
  - Windows Vista Ultimate
  - Windows Vista Business 64-bit Edition
  - Windows Vista Enterprise 64-bit Edition
  - Windows Vista Home Basic 64-bit Edition
  - Windows Vista Home Premium 64-bit Edition
  - Windows Vista Ultimate 64-bit Edition
- Windows Server 2008 Standard
- Windows Server 2008 Enterprise
- Windows Server 2008 Datacenter
- Windows Server 2008 Standard without Hyper-V
- Windows Server 2008 Enterprise without Hyper-V
- Windows Server 2008 Datacenter without Hyper-V
- Windows Server 2008 for Itanium-Based Systems
Keywords: kbsurveynew kbautohotfix kbexpertiseinter kbfix kbbug kbqfe KB955540