Re: "There are 0 filters" using IPSec via GPO
From: Michael J. Reynolds (reynolds_at_u.washington.edu)
Date: 09/13/04
- Next message: Steven L Umbach: "Re: What permission set is required for adding events to Event Viewer?"
- Previous message: Steven L Umbach: "Re: requiring new accounts to have passwords"
- In reply to: Steven L Umbach: "Re: "There are 0 filters" using IPSec via GPO"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 13 Sep 2004 14:23:53 -0700
Yep, I did try starting with a fresh OU and fresh GPO, same result. Thanks
again for trying. I'm over with this now unless someone else suggests
something to try, will be using local security tool until we upgrade the
DC's to Windows 2003, at which point I'll try again.
I'm aware of the negotiation limitations between DC's and domain members; my
understanding is that this shouldn't apply since I'm only trying to
firewall, not encrypt traffic (all filters set to "no tunnel required", all
filter actions are "permit" except for the deny filter's "deny" action).
Thanks again for your efforts. --Mike
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:X6o1d.86653$3l3.23325@attbi_s03...
> Hi Mike.
>
> Well what you are experiencing sounds bizarre. It seems the policy is
> being applied but corrupted somehow from the OU level. The gpresult tool
> can help in determining what policies are being applied to a computer and
> when they were last refreshed. From here I would make sure that the
> servers you want to apply the policy to are not having any problems with
> connectivity to the domain controller or their computer account/secure
> channel by running the netdiag support tool on them. If they check out
> fine I would create a new GPO for the OU and try that [my guess is you
> already have]. Another thing to consider is that ipsec policies must
> exempt domain controllers by their IP addresses from the policy with a
> permit action. Domain controllers cannot engage in ipsec negotiation
> policies with domain members since they authenticate domain computers. The
> KB link below explains this a bit more. Keep in mind that you should
> unassign ipsec policy before deleting them or the GPO that contains them
> or the computer will still consider the policy assigned until you assign a
> new policy to it.
>
> http://support.microsoft.com/?kbid=254949
>
>
>
>
> "Michael J. Reynolds" <reynolds@u.washington.edu> wrote in message
> news:OQ4P7BcmEHA.3632@TK2MSFTNGP09.phx.gbl...
>> Thanks for taking the time to write. Unfortunately, the steps you
>> suggested didn't help. I tried:
>>
>> 1) Deleting all IPSec policies in the GPO
>> 2) Doing "restore default policies"
>> 3) Doing "check policy integrity"
>> 4) Doing "secedit /refreshpolicy machine_policy /enforce"
>>
>> ipsecmon shows no connections being run thru ipsec, "netdiag /test:ipsec
>> /v /debug" still says "There are 0 filters"
>>
>> I also tried:
>>
>> 1) Deleting all IPSec policies in the GPO
>> 2) Deleting all IPSec policies in Local Security Settings
>> 3) Doing "restore default policies" in Local Security Settings
>> 4) Assigning "request security" policy in Local Security Settings,
>> verifying (ipsecmon, netdiag) that policies are working
>> 5) Exporting IPSec policies from Local Security Settings to a file,
>> importing them into the GPO IPSec gui (and choosing the "delete existing
>> policies" checkbox, just for good measure)
>> 6) Assigning the "request security" policy in the GPO
>> 7) Doing "secedit /refreshpolicy machine_policy /enforce"
>> 8) Verifying (event log, \winnt\debug\usermode\userenv.log) that policy
>> has been downloaded
>>
>> Again, ipsecmon shows no connections being run thru ipsec, "netdiag
>> /test:ipsec /v /debug" still says "There are 0 filters"
>>
>> In case anyone's curious, here are relevant status lines from userenv.log
>> after doing the latter procedure above:
>>
>> USERENV(100.2f8) 11:20:34:148 ProcessGPOs: Processing extension IP Security
>> USERENV(100.2f8) 11:20:34:148 CompareGPOLists: One list is empty
>> USERENV(100.2f8) 11:20:34:148 ProcessGPOList: Entering for extension IP Security
>> USERENV(100.2f8) 11:20:34:210 ProcessGPOList: Extension IP Security returned 0x0.
>>
>> Unless someone has any suggestions how to fix, I'm going to resort to
>> just importing policies to Local Security Settings on each server
>> individually. Maybe when I get my DC's upgraded to Server 2003 this'll
>> work better?
>>
>> --Mike Reynolds
>> Libraries ITS
>> University of Washington
>>
>> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
>> news:M6t0d.279948$8_6.179130@attbi_s04...
>>> I have not seen that myself but if you have not tried this yet, delete
>>> all the policies in the GPO and then select Ipsec Security Policies in
>>> the left pane of security policy, right click and select all tasks -
>>> restore default policies. You also can try check policy integrity while
>>> there. If none of that helps it would be interesting to see what would
>>> happen if you exported the policies from a local policy that works fine
>>> and then import those into the GPO you are using after deleting the
>>> existing default policies first. --- Steve
>>>
>>>
>>> "Michael J. Reynolds" <reynolds@u.washington.edu> wrote in message
>>> news:O2xSqL5lEHA.3156@TK2MSFTNGP12.phx.gbl...
>>>> I'm using group policy (all DC's are Win2k) to apply IPSec group policy
>>>> to Win2k servers in an OU. "netdiag /test:ipsec /v /debug" returns the
>>>> following:
>>>>
>>>> ===============================================================
>>>> IP Security test . . . . . . . . . : Passed
>>>> Directory IPSec Policy Active: 'Server (Request Security)'
>>>> IP Security Policy Path:
>>>> LDAP://CN=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=xxx,DC=xxx,DC=xxx
>>>>
>>>> There are 0 filters
>>>> ===============================================================
>>>>
>>>> Note the problem: "there are 0 filters". If I then open Local Security
>>>> Policy (I get the "domain policy overrides this one" warning) and
>>>> assign the very same policy (status says "assigned, but DS policy
>>>> overriding), netdiag returns:
>>>>
>>>> ===============================================================
>>>> IP Security test . . . . . . . . . : Passed
>>>> Directory IPSec Policy Active: 'Server (Request Security)'
>>>> IP Security Policy Path:
>>>> LDAP://CN=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=lib,DC=washington,DC=edu
>>>>
>>>> There are 8 filters
>>>> ICMP
>>>> Filter Id: {3BA29370-9E58-4A6C-9C44-91ABFE862C53}
>>>> Policy Id: {E027E173-05A6-4450-B2EF-DC8590EBBB03}
>>>> Src Addr : xxx.xxx.xxx.xxx Src Mask : 255.255.255.255
>>>> Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
>>>> Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
>>>> Protocol : 1 TunnelFilter: No
>>>> Flags : Outbound
>>>> <... listing for seven more filters...>
>>>> ===============================================================
>>>>
>>>> so there's nothing wrong in general with using the "Server (Request
>>>> Security)" policy. So why do no filters apply when I assign this policy
>>>> via a domain GPO?
>>>>
>>>> I've checked everything I can think of, have created simple filter
>>>> lists and tried those, have turned on ipsec debugging and gotten output
>>>> from userenv.log (no enlightenment there), have turned on "block policy
>>>> inheritance" and "no override" in my domain group policy editor to keep
>>>> other GPO's from preventing this one from being applied. I've reset
>>>> local policy and GPO back to default policy lists, I've blinked IP
>>>> policy assistant, I've done many, many "secedit /refreshpolicy
>>>> machine_policy /enforce" commands after unassigning, disabling,
>>>> deleting, and otherwise changing policy, and each time, if I assign any
>>>> IPSec policy via GPO from DC, I always get the maddening "There are 0
>>>> filters" problem. I've tried moving a different (very clean) server
>>>> into this OU, thinking maybe something was corrupt on this particular
>>>> client, but get the same result on that server. I've added the user I'm
>>>> doing this as to the domain "Group Policy Creator Owners" group.
>>>>
>>>> I'm certain that in fact the filters are not "active" because ipsecmon
>>>> shows none present and because I've done test IPSec rules disabling
>>>> ICMP or various network protocols and tests always indicate the IPSec
>>>> policy works if done locally from Local Security Policy, but if done
>>>> via domain GPO IPSec policy has no effect.
>>>>
>>>> I've spent two days searching via google, Technet, and this newsgroup
>>>> and found no mention of anyone else having this problem, am ready to
>>>> give up and just manually configure IPSec locally on all of our
>>>> servers, but I really hate not using group policy for this just because
>>>> I can't get it to work. Does anybody have any suggestions on how to
>>>> fix?
>>>>
>>>> Thanks in advance for any advice.
>>>>
>>>> Mike Reynolds
>>>> ITS dept
>>>> University of Washington Libraries
>>>> reynolds@u.washington.edu
>>>>
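To make the two netdiag outputs quoted in this thread machine-checkable, here is an added Python example (not code from any poster or from Microsoft's tools) that parses the IP Security section into policy name, LDAP path and filter records and flags the "assigned but 0 filters" condition. The samples are constructed from the output quoted above; the policy GUID and filter ids are the thread's own, the source address is a placeholder.

```python
import re
# Constructed samples modelled on the "netdiag /test:ipsec /v /debug" output quoted in the
# thread: the policy GUID and filter ids are the thread's own, the address is a placeholder.
NETDIAG_ZERO = """\
IP Security test . . . . . . . . . : Passed
Directory IPSec Policy Active: 'Server (Request Security)'
IP Security Policy Path:
LDAP://CN=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=xxx,DC=xxx,DC=xxx
There are 0 filters
"""
NETDIAG_OK = NETDIAG_ZERO.replace("There are 0 filters", "There are 1 filters") + """\
ICMP
Filter Id: {3BA29370-9E58-4A6C-9C44-91ABFE862C53}
Policy Id: {E027E173-05A6-4450-B2EF-DC8590EBBB03}
Src Addr : 10.0.0.5 Src Mask : 255.255.255.255
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Outbound
"""
def parse_netdiag_ipsec(text):
    # Reduce the IP Security section to policy name, LDAP path, declared count and filter records.
    lines = [l.strip() for l in text.splitlines()]
    out = {"policy": None, "path": None, "declared": None, "filters": []}
    cur = None
    for i, line in enumerate(lines):
        m_pol = re.match(r"Directory IPSec Policy Active:\s*'(.*)'", line)
        m_cnt = re.match(r"There are (\d+) filters", line)
        m_fid = re.match(r"Filter Id:\s*(\{[0-9A-Fa-f-]+\})", line)
        if m_pol:
            out["policy"] = m_pol.group(1)
        elif line == "IP Security Policy Path:":
            out["path"] = lines[i + 1]            # the DN follows on the next line
        elif m_cnt:
            out["declared"] = int(m_cnt.group(1))
        elif m_fid:                               # the line before the id names the filter
            cur = {"name": lines[i - 1], "filter_id": m_fid.group(1)}
            out["filters"].append(cur)
        elif cur is not None and ":" in line:     # "Key : value Key : value" pairs
            for k, v in re.findall(r"([A-Za-z ]+?)\s*:\s*(\S+)", line):
                cur[k.strip().lower().replace(" ", "_")] = v
    return out
def diagnose(parsed):
    # Name the condition from the thread: a directory policy is active but no filters are loaded.
    if parsed["policy"] and parsed["declared"] == 0:
        return "policy assigned from directory but 0 filters loaded: " + str(parsed["path"])
    if parsed["declared"] != len(parsed["filters"]):
        return "declared %s filters but %d listed" % (parsed["declared"], len(parsed["filters"]))
    return "ok"
```

Run the real command on the member server and feed its output to parse_netdiag_ipsec; a "0 filters loaded" result means the GPO's policy reached the client but no filter list was built, which is what distinguishes this problem from a policy that was never applied.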