Re: IPsec sticks around forever

From: x y (jamescagney90210@excite.com)
Date: 06/04/02


From: "x y" <jamescagney90210@excite.com>
Date: Tue, 4 Jun 2002 16:21:19 -0400


I could be wrong, but my belief is that when you remove a policy, it allows
you to change the settings, but does not remove the settings for you; you
still have to do that manually [or through a policy]. The behaviour you
describe is the same I usually see as well. For example, if you make a
policy that removes everyone from having rights to your hard drive, the
usual suggestion from Microsoft is not to unassign or remove that policy,
but to apply another policy that restores the original settings.

"James" <james.news@reather.com> wrote in message
news:OBNYoi$CCHA.1764@tkmsftngp05...
>
> "Ingmar Koecher" <ingmar.newsgroup@netikus.spam.net> wrote in message
> news:adj0vs$k9t$1@msunews.cl.msu.edu...
> > I create an IPsec policy for a certain OU in our domain that would force
> > all computers in that OU to encrypt all ip based traffic sent to a certain
> > ip range.
> >
> > This worked just fine, a computer in that OU would negotiate IPsec with
> > the servers (which were configured to respond when requested) and traffic
> > would be encrypted.
> >
> > Then I moved the computer account out of that OU, rebooted and such but
> > realized that it was still using IPsec. Even after a week I realized that
> > it was still communicating via IPsec.
> >
> > What really topped it though was the fact that this computer (the one that
> > I was talking about) is a dual-boot with Linux. I was not able to connect
> > from the Linux installation (that had the same IP as the Win2k
> > installation) to the servers that the Win2k installation had previously
> > had IPsec used with. But the Linux box could talk to everybody else just
> > fine, just not to those Win2k servers that insisted on IPsec being used.
> >
> > So the Win2k servers obviously had this information somewhere cached it
> > seems - and that kind of scares me.
> >
> > I am planning on using IPsec more widely but the fact that I can't undo it
> > freaks me out a little. We actually had another laptop that we had to
> > unjoin and then re-join the domain.
> >
> > Has anybody had a similar experience? I know it sounds strange but that's
> > what's happening ...
>
> To remove the effects of group policy, don't you have to *unassign* the
> policy and let that take effect *before* removing the computer from the
> domain? Otherwise the policy persists forever....
>
>


