0xC0360008

IPsec ESP packet drop: STATUS_IPSEC_AUTH_FIREWALL_DROP fix

Network & Connectivity | Intermediate | May 29, 2026

The Windows IPsec driver drops an inbound ESP packet with this status when the security association it arrived on is not one the firewall's IPsec policy permits. Here's what the code means, where to see it, and how to find the mismatch.

Quick answer

0xC0360008 is the NTSTATUS value STATUS_IPSEC_AUTH_FIREWALL_DROP, whose system message reads "IPsec dropped an incoming ESP packet in authenticated firewall mode. This drop is benign." A handful of these right after a policy change or a reboot, while SAs are renegotiated, needs no action. If they persist and a peer cannot connect, the IPsec policy on the two ends disagrees: confirm which policy is assigned here (netsh ipsec static show policy all for a legacy IP Security Policy, netsh advfirewall consec show rule name=all for connection security rules), make both ends negotiate the same authentication methods and ESP proposals, and check that the firewall rule requiring IPsec is the one you intend. Adding a plain firewall rule for IP protocol 50 does not clear this drop; it happens inside the IPsec driver before the inner traffic is matched against firewall rules.

What's actually happening here

Error 0xC0360008 is an NTSTATUS code from the IPsec facility (0x36): STATUS_IPSEC_AUTH_FIREWALL_DROP. Windows raises it when the IPsec driver receives an ESP packet in authenticated firewall mode, that is, the firewall requires IPsec authentication for the traffic, and the packet's security association (SA) does not match what the assigned IPsec policy permits, so the packet is discarded instead of being handed to the firewall's inbound rules. The system message for the code ends with "This drop is benign", and isolated drops are normal while SAs are being set up or torn down. Persistent drops point at policy: this usually happens on Windows Server 2016/2019/2022 or Windows 10/11 that has IP Security Policies (the legacy Policy Agent kind) or connection security rules configured alongside firewall rules that require authentication, and the peer negotiates something the local policy does not accept. Because the drop occurs in the driver, it does not appear as an ordinary firewall block in the System log. Look for it in the Windows Filtering Platform net-event log (netsh wfp show netevents lists IPsec kernel drops together with their failure status) or, with the IPsec Driver audit subcategory enabled (auditpol /set /subcategory:"IPsec Driver" /failure:enable), among the IPsec driver events in the Security log; a netsh trace capture of the affected connection shows the same drops. Triggers include: rebooting after changing IPsec policies, applying GPO updates, or connecting from a client whose IPsec policy doesn't match the server's.

Fix steps

  1. Identify the active IPsec policy
    Run netsh ipsec static show policy all in an elevated command prompt and look for the policy whose Assigned field is Yes; that is the legacy IP Security Policy the Policy Agent enforces. Then run netsh advfirewall consec show rule name=all, because on Windows Vista and later most IPsec is defined as connection security rules rather than as an IP Security Policy, and a rule there whose action is RequireInRequireOut (or RequireInRequestOut) is what puts the firewall into authenticated mode for matching traffic. If neither exists, nothing on this host requires IPsec and the mismatch is on the peer's side.
  2. Check the firewall rule that requires IPsec
    Run netsh advfirewall firewall show rule name=all dir=in verbose and read the Security line of the rules your traffic matches: Authenticate, AuthEnc, AuthDynEnc and AuthNoEncap all demand a valid SA before the packet is accepted, NotRequired does not. (The auth1/auth2 settings belong to connection security rules, not firewall rules, and say how a peer is authenticated rather than whether it must be.) If you keep an explicit rule for ESP, create it without port parameters, since netsh accepts localport and remoteport only for TCP and UDP:
    netsh advfirewall firewall add rule name="Allow ESP" dir=in action=allow protocol=50 profile=any
    This permits raw ESP (IP protocol 50) at the firewall. It does not by itself clear an authenticated-firewall drop: that decision is made in the IPsec driver when the packet's SA is checked against policy, before the inner traffic ever reaches this rule.
  3. Fix the IPsec policy mismatch
    If a policy is assigned, it has to negotiate something the peer also offers. The legacy filter action for the traffic must be Negotiate security (Permit means no IPsec at all, Block means no traffic), and its security methods (ESP integrity and encryption algorithms, AH, PFS) must overlap with the peer's. Compare netsh ipsec static show filteraction all on both ends; for connection security rules compare the auth1/auth2 methods and the quick-mode crypto set shown by netsh advfirewall consec show rule name=all verbose. If the wrong policy is assigned, switch to the right one:
    netsh ipsec static set policy name="YourPolicy" assign=yes
    (assign=yes only selects the policy; it does not edit it.) Then generate some traffic and confirm an SA actually forms with netsh advfirewall monitor show qmsa. If quick-mode SAs for the peer appear but the drops continue, the firewall rule from step 2 is what disagrees with the SA.
  4. Restart the IPsec services
    Run net stop PolicyAgent && net start PolicyAgent && net stop IKEEXT && net start IKEEXT. Restarting IKEEXT discards the existing main-mode and quick-mode SAs and PolicyAgent re-reads the assigned policy, so both ends negotiate fresh SAs under the corrected policy. Expect a few authenticated-firewall drops during the renegotiation itself; only drops that continue after new SAs are listed by netsh advfirewall monitor show mmsa indicate a remaining problem.
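The checks in steps 1 and 3 plus the net-event search described above, gathered into one PowerShell script. This is an added example and not part of the original article: it runs the same netsh commands, lists the SAs with the NetSecurity cmdlets, dumps the Windows Filtering Platform net events to a file and reports only the IPsec kernel drops whose failure status is 0xC0360008. The XML element names it reads (item, type, failureStatus, timeStamp, ipProtocol, remoteAddrV4/remoteAddrV6) are taken from the netsh wfp show netevents layout and are an assumption to verify against your own dump; the function names are the script's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Runs the policy checks from
# the fix steps in one pass, then dumps the Windows Filtering Platform
# net-event log and reports the IPsec kernel drops whose failure status is
# STATUS_IPSEC_AUTH_FIREWALL_DROP (0xC0360008).
# Assumption: the element names read from the netsh XML dump (item, type,
# failureStatus, timeStamp, ipProtocol, remoteAddrV4/V6) follow the
# 'netsh wfp show netevents' layout and may need adjusting on your build.

$StatusAuthFirewallDrop = [Convert]::ToUInt32('C0360008', 16)

function ConvertTo-NtStatus {
    # netsh may print failureStatus as hex ('0xC0360008') or as a signed 32-bit
    # decimal ('-1070202872'); normalize both to the unsigned NTSTATUS value.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $Text = $Text.Trim()
    if ($Text -match '^0x([0-9A-Fa-f]{1,8})$') { return [Convert]::ToUInt32($Matches[1], 16) }
    if ($Text -match '^-?\d+$') {
        $v = [int64]$Text
        if ($v -lt 0) { $v += 4294967296 }   # two's complement back to unsigned
        return [uint32]$v
    }
    return $null
}

function Get-NodeText([System.Xml.XmlNode]$Node, [string]$XPath) {
    # Text of the first node matching $XPath below $Node, or '' if absent.
    $n = $Node.SelectSingleNode($XPath)
    if ($null -eq $n) { '' } else { $n.InnerText }
}

function Get-IpsecAuthFirewallDrop {
    # Parse a 'netsh wfp show netevents file=...' dump and return one record
    # per IPsec kernel drop that carries the auth-firewall status.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    foreach ($item in $doc.SelectNodes('//item')) {
        # Nested <item> elements (e.g. inside <flags>) have no <type> child and are skipped.
        if ((Get-NodeText $item 'type') -notmatch 'IPSEC_KERNEL_DROP') { continue }
        $status = ConvertTo-NtStatus (Get-NodeText $item './/failureStatus')
        if ($status -ne $StatusAuthFirewallDrop) { continue }
        $remote = Get-NodeText $item './/remoteAddrV4'
        if (-not $remote) { $remote = Get-NodeText $item './/remoteAddrV6' }
        [pscustomobject]@{
            Time     = Get-NodeText $item './/timeStamp'
            Protocol = Get-NodeText $item './/ipProtocol'
            Remote   = $remote
            Status   = '0x{0:X8}' -f $status
        }
    }
}

'== Step 1: legacy IP Security Policies and connection security rules =='
netsh ipsec static show policy all
netsh advfirewall consec show rule name=all

'== Step 3: SAs currently established (empty means negotiation never completed) =='
Get-NetIPsecMainModeSA  | Format-Table -AutoSize
Get-NetIPsecQuickModeSA | Format-Table -AutoSize

'== Auth-firewall drops recorded by WFP =='
$events = Join-Path $env:TEMP 'wfp-netevents.xml'
netsh wfp set options netevents=on | Out-Null     # on by default; make sure
netsh wfp show netevents file="$events" | Out-Null
$drops = @(Get-IpsecAuthFirewallDrop -Path $events)
'{0} event(s) with STATUS_IPSEC_AUTH_FIREWALL_DROP in {1}' -f $drops.Count, $events
$drops | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the host that is dropping packets, reproduce the failing connection first so the events are recent, and read the Remote column against the peer you expect: drops from the peer's address with an empty quick-mode SA list mean negotiation is failing (step 3), while drops alongside established SAs mean a firewall rule is rejecting an SA that did form (step 2).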

Alternative fixes if the main one fails

  • Stop requiring IPsec for the affected traffic
    There is no global "authenticated firewall mode" switch; the requirement lives in individual rules. If you don't need IPsec for this traffic, relax the rule that demands it: netsh advfirewall firewall set rule name="YourRule" new security=notrequired for a firewall rule, or netsh advfirewall consec set rule name="YourRule" new action=requestinrequestout for a connection security rule (peers that can negotiate IPsec still do; peers that cannot are no longer dropped). Not recommended if you rely on IPsec for isolation, but it stops the drops immediately.
  • Check for GPO conflicts
    If your machine is domain-joined, run gpresult /h gpo.html and look for any 'IP Security Policies' or 'Windows Firewall with Advanced Security' GPOs. Rules delivered by Group Policy override local settings and are reapplied at the next policy refresh, so a local change only masks the problem until then. Unlink or modify the GPO to match your needs.
  • Update the network driver or disable IPsec offload
    Rare, but a NIC driver with IPsec task offload enabled can mishandle ESP packets. Disable the adapter's IPsec offload setting to test, and update the driver from the OEM's site, not Windows Update.
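The first two alternatives combined into one script, as an added example that is not part of the original article: it lists every applied rule that makes this host require IPsec (firewall rules whose security filter demands authentication, and connection security rules that require inbound security), reports whether each came from the local store or from Group Policy, and only with -Apply relaxes the local ones from "require" to "request". GPO-delivered rules are reported and left alone, since a local edit would be overwritten at the next refresh. The cmdlets are the NetSecurity module's; the function and switch names are the script's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Finds every applied rule that
# makes this host require IPsec, reports whether it is local or delivered by
# Group Policy (GPO rules cannot be changed here), and, only with -Apply,
# relaxes the local ones from "require" to "request". Default is a dry run.
# Assumption: Get-IpsecRequiringRule and -Apply are this script's own names.
param([switch]$Apply)

function Get-IpsecRequiringRule {
    # Firewall rules carry the authentication requirement on their security
    # filter, not on the rule object itself, so fetch the filter per rule.
    Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object Enabled -eq 'True' | ForEach-Object {
        $sec = $_ | Get-NetFirewallSecurityFilter
        if ($sec.Authentication -ne 'NotRequired') {
            [pscustomobject]@{
                Kind    = 'FirewallRule'
                Display = $_.DisplayName
                Id      = $_.Name
                Setting = "Authentication=$($sec.Authentication); Encryption=$($sec.Encryption)"
                Source  = $_.PolicyStoreSourceType
            }
        }
    }
    # Connection security rules that require inbound security put the firewall
    # into authenticated mode for the traffic they match.
    Get-NetIPsecRule -PolicyStore ActiveStore |
        Where-Object { $_.Enabled -eq 'True' -and $_.InboundSecurity -eq 'Require' } |
        ForEach-Object {
            [pscustomobject]@{
                Kind    = 'IPsecRule'
                Display = $_.DisplayName
                Id      = $_.IPsecRuleName
                Setting = "InboundSecurity=$($_.InboundSecurity); OutboundSecurity=$($_.OutboundSecurity)"
                Source  = $_.PolicyStoreSourceType
            }
        }
}

$rules = @(Get-IpsecRequiringRule)
if ($rules.Count -eq 0) {
    'No applied rule requires IPsec on this host; the mismatch is in the peer policy.'
    return
}
$rules | Format-Table Kind, Display, Setting, Source -AutoSize

foreach ($r in $rules) {
    if ($r.Source -eq 'GroupPolicy') {
        Write-Warning "'$($r.Display)' is delivered by Group Policy; change it in the GPO, not locally."
        continue
    }
    if (-not $Apply) {
        "Would relax '$($r.Display)' (re-run with -Apply to change it)"
        continue
    }
    # Persistent store is the default target for Set-*; the change survives reboot.
    if ($r.Kind -eq 'FirewallRule') {
        Set-NetFirewallRule -Name $r.Id -Authentication NotRequired
    } else {
        Set-NetIPsecRule -IPsecRuleName $r.Id -InboundSecurity Request -OutboundSecurity Request
    }
    "Relaxed '$($r.Display)'"
}
```

Run it once without arguments to see what would change and where each rule comes from; anything marked GroupPolicy has to be fixed in the GPO found with gpresult. Treat -Apply as a temporary measure while the peer policy is corrected, and put the requirement back afterwards if the rules exist for isolation.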

Prevention tip

Before applying any IPsec policy in production, assign it to both endpoints in a lab (netsh ipsec static set policy name="TestPolicy" assign=yes for an IP Security Policy, or the equivalent connection security rule on each end), generate traffic between them, and confirm that main-mode and quick-mode SAs form (netsh advfirewall monitor show mmsa and netsh advfirewall monitor show qmsa) while netsh wfp show netevents stays free of IPsec kernel drops. This catches mismatched authentication methods and proposals before they hit production.
