How to fix corrupted IPSec policy on W2K3 DC

On a Windows Server 2003 domain controller, if the IPSec policy is corrupted, the machine cannot determine which traffic is allowed and which is not, so it takes the safe route and discards all traffic that is not permitted by the highly restrictive boot-time policy exemptions.

To fix it, repair the relevant registry keys from the command line:

  REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /F

  REG ADD HKLM\System\CurrentControlSet\Services\IPSEC /V Start /T REG_DWORD /F /D 1

  regsvr32 -s polstore.dll

When the policy file is corrupted and cannot be read, IPSec falls back to "Block" mode: it blocks most traffic except DHCP, which the computer needs in order to start up. Deleting the corrupted local policy, resetting the IPSec service start type and re-registering the policy store (which recreates the default local policy) resolves the problem.
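The following batch script is an added example, not part of the original post or of Microsoft's documentation. It wraps the three commands above so that the corrupted policy key is exported before it is deleted (useful if you later want to work out what corrupted it) and the registry is checked afterwards. The backup path and the final service-status check of the IPSEC Services service (service name PolicyAgent on Windows Server 2003) are my assumptions; run it from an administrative cmd.exe on the affected DC.

```batch
@echo off
REM Added example (not from the original post): backs up the local IPSec
REM policy key, applies the three-command fix, then verifies the registry.
REM Run from an administrative cmd.exe on the affected Windows Server 2003 DC.
REM The backup path below is an assumption; adjust it to taste.

setlocal
set POLKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
set DRVKEY=HKLM\System\CurrentControlSet\Services\IPSEC
set BACKUP=%SystemRoot%\Temp\ipsec-local-policy-backup.reg

REM 1. Keep a copy of the corrupted policy for later analysis before deleting it.
if exist "%BACKUP%" del "%BACKUP%"
reg export "%POLKEY%" "%BACKUP%" >nul 2>&1
if errorlevel 1 (
  echo Local policy key could not be exported (it may already be gone); continuing.
) else (
  echo Corrupted local policy saved to %BACKUP%
)

REM 2. The three steps from the post: drop the corrupted local policy,
REM    set the IPSEC driver back to Start=1 (SYSTEM_START) and re-register
REM    the policy store so the default local policy is recreated.
reg delete "%POLKEY%" /f
reg add "%DRVKEY%" /v Start /t REG_DWORD /f /d 1
regsvr32 -s polstore.dll

REM 3. Verify: the driver Start value must read 0x1 and the Local policy
REM    key should exist again after polstore.dll was re-registered.
reg query "%DRVKEY%" /v Start | find /i "0x1" >nul
if errorlevel 1 (
  echo ERROR: IPSEC driver Start value is not 1 & exit /b 1
)
reg query "%POLKEY%" >nul 2>&1
if errorlevel 1 (
  echo WARNING: %POLKEY% has not been recreated yet; reboot and check again.
) else (
  echo Default local IPSec policy is back.
)

REM 4. The IPSEC Services service (PolicyAgent, assumed name) reads the policy
REM    when it starts, so restart it or reboot the DC, then confirm that
REM    normal traffic (not just DHCP) reaches the server again.
sc query PolicyAgent | find "STATE"
endlocal
```

The export step is the main thing the script adds over typing the commands by hand: once the key is deleted there is no other copy of the broken policy, and having it on disk lets you compare it with a healthy server before deciding whether the corruption was accidental or a sign of something else touching the policy store.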


For more information, see this Microsoft page:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b0b6adaa-6b38-4952-b055-14559f46e561.mspx

One thought on “How to fix corrupted IPSec policy on W2K3 DC”

  1. Hello,

    I would like to thank you for this procedure.
    At one of my customers the IPSec was totally corrupted.
    I was ready to restage the server and have a long night…
    Hopefully I have found your blog and applied this procedure. It works fine now.
    Cheers,
    Thomas
