IPsecSaContextSetSpi fails for specific SPI values RRS feed

  • Question

  • I am setting up manual IPSec Security associations using the information provided at https://msdn.microsoft.com/en-us/library/windows/desktop/bb736265(v=vs.85).aspx

    Slight difference in my case is that the SPIs are provided to me already and I have to use them for the Security Associations. So I am using IPsecSaContextSetSpi instead of IPsecSaContextGetSpi.

    What I have seen is that for some SPIs for e.g. 256 the function IPsecSaContextSetSpi0 returns error code 0x80320035. This error code represents FWP_E_INVALID_PARAMETER

    My questions:

    1) Is there a restriction on values of SPIs I can pass to IPsecSaContextSetSpi?

    2) For some SPIs I was getting error code 0x1392 which represents ERROR_OBJECT_ALREADY_EXISTS. But when I look into netsh ipsec dynamic show all, I don't see any existing SA. The same applies for netsh ipsec static show all. Is there a better way to view the security associations?

    Thanks in advance.

    Tuesday, September 19, 2017 4:35 PM

All replies

  • Can some one from MS shed more light on this?

    Regarding viewing the SAs, my manually created SAs are not visible even in MMC. How can I view them?


    Wednesday, September 20, 2017 11:22 AM