HOW TO: Clear Existing IPSec Security Associations in Windows 2000 (313236)



The information in this article applies to:

  • Microsoft Windows 2000 Server

This article was previously published under Q313236

SUMMARY

When you troubleshoot Internet Protocol security (IPSec) configuration problems, you may have to clear existing security associations. For example, you may have to clear existing IPSec security associations in any of the following situations:
  • Security Parameters Index (SPI) errors are logged in the event logs.
  • IPSec monitor shows no security associations.
  • A situation occurs that requires you to restart the IPSec Policy Agent service.
Typically, secured IPSec communications may not be established if a soft security association already exists between the computers that are participating in the exchange. After the participants have established a soft security association, a hard security association cannot be established.

A soft security association tells the IPSec driver not to use security between the two Internet Protocol (IP) addresses. In this situation, unsecured packets are exchanged by the participants. If you modify the existing IPSec policy and you do not break the existing soft association, no packets are secured across the connection. Soft security associations can be created between both IPSec-aware and non-IPSec-aware computers.

To clear existing IPSec security associations, restart the IPSec Policy Agent service. IPSec Policy Agent retrieves IPSec policy information and passes it to the other IPSec policy mechanisms. IPSec Policy Agent is a service that exists on all Windows 2000-based computers. The service retrieves the appropriate IPSec policy from Active Directory or the local security policy. After the policy is retrieved, IPSec Policy Agent sends it to the IPSec driver.


How to Clear Existing IPSec Security Associations by Using a Command Prompt

  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following command:

    net stop "ipsec policy agent"

  3. To start IPSec Policy Agent again, type the following command at the command prompt:

    net start "ipsec policy agent"
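The restart above can be scripted so that the stop and start happen together and the result is checked, because while IPSec Policy Agent is stopped the computer has no IPSec policy applied. The batch file below is an added example, not part of the KB article; it assumes the service short name PolicyAgent (display name "IPSec Policy Agent") and that sc.exe and findstr.exe are present in %SystemRoot%\system32.

```batch
@echo off
REM Added example (not from the KB article): restart IPSec Policy Agent to
REM drop all existing security associations, including stale soft SAs, and
REM confirm the service came back so the computer is not left without policy.
REM Assumption: the service short name is PolicyAgent and sc.exe is available.
setlocal
set SVC=PolicyAgent

echo Stopping IPSec Policy Agent (all existing security associations are dropped)...
net stop "ipsec policy agent"
if errorlevel 1 (
    echo Failed to stop the service. Check the System event log.
    goto :end
)

echo Starting IPSec Policy Agent so policy is re-read from Active Directory or the local store...
net start "ipsec policy agent"
if errorlevel 1 (
    echo Failed to start the service. No IPSec policy is applied until it is running.
    goto :end
)

REM Verify the reported service state rather than trusting the net start return code alone.
sc query %SVC% | findstr /C:"RUNNING" >nul
if errorlevel 1 (
    echo Service is not reported as RUNNING; inspect the output of "sc query %SVC%".
) else (
    echo IPSec Policy Agent is running. Re-test the connection; a fresh negotiation should occur.
)

:end
endlocal
```

After the script reports RUNNING, open IPSec Monitor (ipsecmon.exe) to confirm that new security associations are negotiated when traffic is sent.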


How to Clear Existing IPSec Security Associations by Using the GUI

To use the graphical user interface (GUI) to clear existing security associations:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Services.
  2. Right-click IPSec Policy Agent, and then click Restart.

Modification Type: Major
Last Reviewed: 9/30/2003
Keywords: kbhowto kbHOWTOmaster KB313236 kbAudITPro