IPsecSaContextSetSpi0() works in Windows 7, fails in Windows 10.

  • Question

  • Long story short, I need to manually configure IPsec ESP akin to what one would do with setkey on Linux. Security discussion aside, I've run into a wall trying to set the inbound SPI (IPsecSaContextSetSpi0) on Windows 10 (FWP_E_INVALID_PARAMETER 0x80320035). If I replace the call with IPsecSaContextGetSpi1, everything works if I adjust the SPI to match on the other end. However, that's not an option for the scenario at hand--the project design from on high requires that each endpoint use the SPI and KEYs provided, and does not allow for out of band messaging to other endpoints.

    Again, security discussion aside, I just need to get IPsecSaContextSetSpi0() working on Windows 10.

    Details: Code basically follows the MSDN example at https://msdn.microsoft.com/en-us/library/windows/desktop/bb451820%28v=vs.85%29.asp

    I've changed to using IPSEC_TRAFFIC1 and IPSEC_GETSPI1:

        IPSEC_TRAFFIC1 outboundTraffic;
        memset( &outboundTraffic, 0, sizeof(outboundTraffic) );
        outboundTraffic.ipVersion = FWP_IP_VERSION_V4;
        outboundTraffic.localV4Address = local.value;
        outboundTraffic.remoteV4Address = remote.value;
        outboundTraffic.trafficType = IPSEC_TRAFFIC_TYPE_TRANSPORT;
        outboundTraffic.ipsecFilterId = filters[ PACKET_DIRECTION_OUTBOUND ].luid;


        IPSEC_GETSPI1 inboundTraffic;
        memset( &inboundTraffic, 0, sizeof( inboundTraffic ) );
        memcpy( &inboundTraffic.inboundIpsecTraffic, &outboundTraffic, sizeof( outboundTraffic ) );
        inboundTraffic.inboundIpsecTraffic.ipsecFilterId = filters[ PACKET_DIRECTION_INBOUND ].luid;
        inboundTraffic.ipVersion = FWP_IP_VERSION_V4;

    So far my searches haven't turned up any hits on this behavior. Help?

    Thursday, January 14, 2016 9:56 PM


  • SOLUTION! Increase the supplied SPI so it's >> 2^16. Not a joke.

    I noticed Windows always returned values larger than 1000000000 when I used IPsecSaContextGetSpi1(). Much to my chagrin, IPsecSaContextSetSpi0() succeeds if I mimic that behavior.

    Anyone know the source of this limitation or relevant documentation?

    Saturday, January 16, 2016 2:50 AM
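
A pre-flight check for provisioned SPI values, as an added example that is not part of the original thread and not Microsoft's code. It parses a setkey-style SPI string (decimal or 0x-prefixed hex) and sorts it against the RFC 4303 reserved range (0 to 255) and the two thresholds reported in the answer above, so a value likely to be rejected is caught before IPsecSaContextSetSpi0() is called. The type and function names are hypothetical, and the thresholds are the poster's observations, not documented limits.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Classification names are hypothetical, chosen for this example. */
typedef enum {
    SPI_MALFORMED,    /* not a clean 32-bit decimal or 0x-hex number */
    SPI_RESERVED,     /* 0..255: reserved by RFC 4303, section 2.1 */
    SPI_LOW,          /* 256..2^16: below the size the post says to exceed */
    SPI_UNCONFIRMED,  /* above 2^16 but not in the range the post observed */
    SPI_OBSERVED_OK   /* > 1000000000, like the SPIs Windows 10 handed out */
} spi_class;

/* Thresholds taken from the post; observations, not documented limits. */
#define SPI_POST_FLOOR    (1u << 16)
#define SPI_POST_OBSERVED 1000000000u

/* Parse a provisioned SPI string (decimal or 0x-prefixed hex). */
static int parse_spi(const char *text, uint32_t *spi)
{
    if (text == NULL || text[0] < '0' || text[0] > '9')
        return -1;                  /* rejects "", signs and leading spaces */
    int base = (text[0] == '0' && (text[1] == 'x' || text[1] == 'X')) ? 16 : 10;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(text, &end, base);
    if (errno != 0 || end == text || *end != '\0' || v > UINT32_MAX)
        return -1;                  /* overflow, trailing junk, or > 32 bits */
    *spi = (uint32_t)v;
    return 0;
}

spi_class classify_spi(const char *text)
{
    uint32_t spi;
    if (parse_spi(text, &spi) != 0) return SPI_MALFORMED;
    if (spi <= 255u)                return SPI_RESERVED;
    if (spi <= SPI_POST_FLOOR)      return SPI_LOW;
    if (spi <= SPI_POST_OBSERVED)   return SPI_UNCONFIRMED;
    return SPI_OBSERVED_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *samples[] = { "0x100", "4096", "70000", "1234567890", "0x1G" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> class %d\n", samples[i], (int)classify_spi(samples[i]));
    return 0;
}
```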