After rebooting a resource-constrained Terminal Server, Remote Desktop Protocol (RDP) logins became extremely slow. Investigation revealed that the IPSEC Services were not running. Attempts to manually start the service triggered the following error:
“Could not start the IPSEC Services service on Local Computer.
Error 2: The system cannot find the file specified.”
Additionally, the TCP/IP stack entered blocking mode, halting all network traffic. Disabling IPSEC temporarily restored connectivity, but restarting the service caused the issue to recur.
Root Cause
This error typically occurs when the IPSEC registry keys are missing or corrupted—specifically:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\IPsec\Policy\Local
Without this key, the IPSEC service cannot initialize, leading to Error 2 and blocked TCP/IP traffic.
Step-by-Step Fix: Rebuild IPSEC Policy Store
1. Open Registry Editor
   Press Win + R, type regedit, and press Enter.
2. Navigate to IPSEC Registry Path
   Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\IPsec\Policy\Local
   If the IPsec key is missing, skip to step 6.
3. Delete the Corrupted Subkey
   Right-click Local and choose Delete. Confirm deletion.
4. Exit Registry Editor
5. Re-register the Policy Store DLL
   Press Win + R, type: regsvr32 polstore.dll, and press Enter.
6. Reboot the Server
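A scripted version of the steps above, as an added example that is not part of the original article: it exports the Local subkey to a .reg file before deleting it, then re-registers polstore.dll. The registry path is the one given in the article; the PolicyAgent service name and the C:\Temp backup folder are assumptions. Run it from an elevated PowerShell session.

```powershell
param(
    # Registry path exactly as given in the article (PowerShell drive syntax)
    [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\IPsec\Policy\Local',
    # Assumption: short service name behind the "IPSEC Services" display name
    [string]$ServiceName = 'PolicyAgent',
    # Assumption: folder that receives the .reg backup
    [string]$BackupDir = 'C:\Temp'
)
$ErrorActionPreference = 'Stop'

# Record the service state before changing anything
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) { Write-Host "$ServiceName state: $($svc.Status)" }
else      { Write-Host "Service $ServiceName not found on this host." }

# Step 2: if the IPsec key itself is missing, the article skips to the reboot
$ipsecKey = Split-Path (Split-Path $PolicyKey -Parent) -Parent
if (-not (Test-Path -Path $ipsecKey)) {
    Write-Host "$ipsecKey is missing; skip to the reboot step."
    return
}

# Step 3: back up the Local subkey, then delete it
if (Test-Path -Path $PolicyKey) {
    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup  = Join-Path $BackupDir "ipsec-policy-local-$stamp.reg"
    $regPath = $PolicyKey -replace '^HKLM:\\', 'HKLM\'   # reg.exe syntax
    & reg.exe export $regPath $backup | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg export failed ($LASTEXITCODE); key left untouched."
    }
    Write-Host "Backup written to $backup"
    Remove-Item -Path $PolicyKey -Recurse -Force
} else {
    Write-Host "$PolicyKey not present; nothing to delete."
}

# Step 5: re-register the policy store DLL silently and check the result
$p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', 'polstore.dll' -Wait -PassThru
if ($p.ExitCode -ne 0) {
    throw "regsvr32 polstore.dll failed with exit code $($p.ExitCode)."
}
Write-Host 'polstore.dll registered. Reboot the server to complete the fix.'
```

The script stops before the reboot so the backup file and exit codes can be reviewed first; the exported .reg file can be re-imported if the deleted policy needs to be inspected later.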
Glossary
Term | Definition |
---|---|
IPSEC | Internet Protocol Security – a suite of protocols for securing IP traffic |
Error 2 | Windows system error indicating a missing file or registry entry |
polstore.dll | DLL used to manage IPSEC policy storage |
RDP | Remote Desktop Protocol – remote access to Windows machines |
iLO | Integrated Lights-Out – remote server management interface |
Frequently Asked Questions
Question | Answer |
---|---|
Why does IPSEC block all TCP/IP traffic? | When IPSEC enters block mode, it discards all traffic not explicitly allowed by boot-time policies. This happens when the policy store is missing or corrupted. |
Is it safe to delete the registry key? | Yes, if the key is corrupted or incomplete. Re-registering polstore.dll restores the default structure. |
Can this issue recur after reboot? | Yes. If IPSEC is not properly rebuilt, the service may fail again. Ensure the registry is populated and the DLL is registered. |
Should I disable IPSEC permanently? | Only as a last resort. IPSEC is critical for secure communications. Rebuilding the policy store is the preferred fix. |