FwpmIPsecTunnelAdd with IKEv2 does not trigger tunnel setup

  • Question

  • Hi MSFT,

    I am stuck trying to get an IKEv2 based tunnel configuration to work, using FwpmIPsecTunnelAdd with the following context and keying types:

    • FWPM_IPSEC_IKEV2_MM_CONTEXT
    • FWPM_IPSEC_IKEV2_QM_TUNNEL_CONTEXT
    • FWPM_KEYING_MODULE_IKEV2

    The configuration is added without error and I can verify it via "netsh wfp show state" - so it is properly configured in the Kernel.

    My trouble is that when sending packets to the remote configured network, e.g. pinging a remote host, the IPsec tunnel setup is not triggered. No IKEv2 based Main-Mode negotiation is performed, and after a short while the outgoing packets which should be secured via ESP in the tunnel are dropped by the Kernel via FWPM_NET_EVENT_TYPE_IPSEC_KERNEL_DROP.

    When I use the same configuration based on IKEv1 Main-Mode and Quick-Mode policies with no keying module specified, the tunnel setup works as expected and is created on-demand when sending packets to the remote network.

    I compared my IKEv2 configuration time and again with one created by Windows 7 Agile VPN. Apart from the fact that the Agile VPN does some additional IP-in-IP tunneling, the overall Main-Mode and Quick-Mode context configuration, keying module and required filters in the appropriate layers match up. I strongly think that Agile VPN is basically using the WFP API FwpmIPsecTunnelAdd as well, but probably does something else to trigger the IKEv2 negotiation?

    • Why does the IKE and AuthIP service not react to the IKEv2 configuration I inject via WFP FwpmIPsecTunnelAdd?
    • Does the Kernel not invoke the appropriate callout, or does it not know how to tell the IKE and AuthIP service to start an IKEv2 negotiation?
    • What am I missing here?

    I checked the IKEv2 based configuration in Windows 7 as well as Windows 8.1. Neither system works. The respective documentation for the IKEv2 keying module states that FWPM_KEYING_MODULE_IKEV2 is supported on Windows 7 and higher.

    See also this unanswered thread: http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/e7c7260d-fd72-48b1-b95c-9b1e315103ea/wfp-fwpmipsectunneladd1-ikev2-windows-7?forum=wfp

    Thanks in advance!

    Kind regards

    Henry


    • Edited by Megaposer Monday, September 1, 2014 10:16 AM
    Monday, September 1, 2014 10:11 AM
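The post compares a hand-built FwpmIPsecTunnelAdd configuration against one produced by Agile VPN. The following is an added example, not code from the post or from Microsoft: it builds a reference IKEv2 tunnel policy with the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later) so that its WFP provider contexts and filters can be dumped with netsh and diffed against the hand-built ones. All addresses, the CA name and the probe host are constructed placeholders.

```powershell
# Added example (not from the forum post): reference IKEv2 tunnel policy via the
# NetSecurity cmdlets, to compare against a hand-built FwpmIPsecTunnelAdd set-up.
# All addresses and the CA name below are constructed placeholders.
$LocalNet       = '10.1.0.0/24'         # protected network behind this host
$RemoteNet      = '10.2.0.0/24'         # protected network behind the peer
$LocalEndpoint  = '192.0.2.10'          # this host's tunnel endpoint
$RemoteEndpoint = '198.51.100.20'       # peer's tunnel endpoint
$RootCA         = 'CN=Example Root CA'  # issuer of both machine certificates

# Phase 1 (IKE_SA): IKEv2 on Windows needs certificate-based machine authentication.
$auth = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCA -AuthorityType Root
$p1   = New-NetIPsecPhase1AuthSet -DisplayName 'Ref-IKEv2-Auth' -Proposal $auth

$mmProp = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet  = New-NetIPsecMainModeCryptoSet -DisplayName 'Ref-IKEv2-MM' -Proposal $mmProp

# Phase 2 (CHILD_SA): ESP with AES-256 confidentiality and SHA-256 integrity.
$qmProp = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet  = New-NetIPsecQuickModeCryptoSet -DisplayName 'Ref-IKEv2-QM' -Proposal $qmProp

# The tunnel rule itself, explicitly bound to the IKEv2 keying module.
New-NetIPsecRule -DisplayName 'Ref-IKEv2-Tunnel' -Mode Tunnel `
    -LocalAddress $LocalNet -RemoteAddress $RemoteNet `
    -LocalTunnelEndpoint $LocalEndpoint -RemoteTunnelEndpoint $RemoteEndpoint `
    -KeyModule IKEv2 -Phase1AuthSet $p1.Name `
    -MainModeCryptoSet $mmSet.Name -QuickModeCryptoSet $qmSet.Name `
    -InboundSecurity Require -OutboundSecurity Require

# Dump the resulting WFP state for a side-by-side diff with the hand-built policy.
netsh wfp show state file=ref-ikev2-state.xml

# Trigger traffic into the remote network, then check whether an IKEv2 SA came up
# or whether the packets ended as IPsec kernel drops instead.
Test-Connection -ComputerName '10.2.0.5' -Count 2 -ErrorAction SilentlyContinue | Out-Null
Get-NetIPsecMainModeSA | Format-Table -AutoSize
netsh wfp show netevents file=ref-ikev2-netevents.xml
(Select-String -Path ref-ikev2-netevents.xml -Pattern 'IPSEC_KERNEL_DROP').Count
```

Diffing ref-ikev2-state.xml against the state dump of the hand-built configuration shows which provider context fields, filter conditions or layers differ between the two; a non-zero drop count with no Main-Mode SA reproduces the symptom described in the post.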