Consider the following scenario:

  • In a network environment, you have two computers:
    • The first computer is running Windows Vista or Windows Server 2008. This computer does not have a valid Internet Protocol security (IPsec) certificate.
    • The second computer is running Windows XP or Windows Server 2003. This computer has a valid IPsec certificate.
  • You deploy some IPsec policies to the first computer by using Group Policy object (GPO).
  • You enable the “Fallback to clear” functionality on the second computer.
  • On the second computer, you set the value of the following registry entry as 0x14:


  • You try to start a communication from the first computer to the second computer. For example, you try to access a shared folder on the second computer from the first computer, and you try to copy the files in the shared folder to the first computer.

In this scenario, the communication between the two computers is interrupted periodically. Therefore, you cannot copy large files, such as software updates, from the second computer to the first computer.


  • The Simple Policy Update is required to be installed on the second computer that is running Windows XP or Windows Server 2003. The Simple Policy Update is included in Windows Server 2003 Service Pack 2 and Windows XP Service Pack 3.
  • To enable the “Fallback to clear” functionality, create a Negotiate Security filter action, and then enable the following two settings:
    • Allow unsecured communication with non-IPsec-aware computer
    • Accept unsecured communication, but always respond using IPsec
  • If you start the communication from the second computer to the first computer, the “Fallback to clear” functionality works correctly. In this situation, it takes 500 milliseconds (ms) to start the communication.
  • If the value of the IKEFlags registry entry is not set to 0x14, the “Fallback to clear” functionality does not work. In this situation, no communication is established between the two computers.

Leave a Reply