Re: IPSEC not working

From: Ludwig Zammit (LudwigZammit_at_discussions.microsoft.com)
Date: 05/07/05


Date: Fri, 6 May 2005 23:23:20 -0700

First of all thanks for your reply!

I can confirm that nothing has changed. If I disable IPSec Policies I can
ping the server without any problems.

What I cannot explain is that when the policies are enabled, ipsecmon tells
me that the connection is being secured by "ESP Triple DES HMAC SHA1" but
still I am receiving a "request timed out" when pinging the server from a
client which has "client(respond only)" enabled.

The Server(Request Security) policy is configured to permit "All ICMP Traffic".

Regards
Ludwig

"Stephen Cartwright [MSFT]" wrote:

> Sounds like you have a basic connectivity issue with your server. IKE is
> timing out and ping is failing. You said all was working until yesterday and
> nothing has changed on your policies [or become invalid?].
> Stop policyagent on the server and one client and establish that the server
> is ping contactable before launching on IPsec/AD/DNS troubleshooting as it
> does not appear to be an IPsec issue on first reading.
>
> --
> Stephen Cartwright [MSFT]
>
> "This posting is provided "AS IS" with no warranties, and confers no
> rights."
>
> "Ludwig Zammit" <Ludwig Zammit@discussions.microsoft.com> wrote in message
> news:1FD7D43B-0DB6-46B6-BEB2-D764510B62E4@microsoft.com...
> > I have set up one of my servers with the Server(Request Security) IPSEC
> > policy. Any clients and servers (members of the same domain) which had the
> > client(respond Only) policy activated used to communicate successfully with
> > this server and any communication was shown correctly in ipsecmon.
> >
> > However as of yesterday I started having problems with clients communicating
> > with this server. I have enabled Object Access Auditing on the server and am
> > receiving event ID 547 in my security event log:
> >
> > The failure reason is either "IKE SA deleted before establishment completed"
> > or "No response from peer". The failure point is always "Me".
> >
> > If I try to ping the server from any machine which has the client(respond
> > only) policy enabled I get a "Request Timed Out". The Server(Request Security)
> > policy has not been modified and hence all ICMP traffic should be permitted.
> >
> > I am still receiving successful event ids (541, 542 and 543) along with these
> > error messages. I am not sure if this is a normal behaviour or not.
> >
> > Any help is appreciated.
>
>
>
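As an added illustration, not part of this thread, here is a small Python script that tallies the IKE audit events the original post lists (541, 542, 543 and 547) per peer and turns the 547 failure reasons into the next check, in the spirit of Stephen's advice to confirm plain reachability first. The log lines are constructed, the comma-separated field layout is an assumption, and the event-ID meanings follow the Windows 2000/2003 IKE audit events.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a simplified "time,event_id,peer,failure_reason" export of the
# IKE-related audit events. Illustrative data only, not a log from the server in the thread.
SAMPLE_LOG = """
2005-05-06 09:01:12,541,10.0.0.21,
2005-05-06 09:01:40,543,10.0.0.21,
2005-05-06 09:02:03,547,10.0.0.21,No response from peer
2005-05-06 09:03:15,547,10.0.0.21,No response from peer
2005-05-06 09:05:00,547,10.0.0.33,IKE SA deleted before establishment completed
2005-05-06 09:05:30,541,10.0.0.33,
2005-05-06 09:06:10,542,10.0.0.33,
2005-05-06 09:07:00,547,10.0.0.33,IKE SA deleted before establishment completed
2005-05-06 09:08:00,541,10.0.0.40,
2005-05-06 09:09:00,542,10.0.0.40,
"""

# Windows 2000/2003 IKE audit events: 541 SA established, 542/543 SA ended, 547 negotiation failed
ESTABLISHED, ENDED, FAILED = 541, {542, 543}, 547
LINE_RE = re.compile(r"^(\S+ \S+),(\d+),([\d.]+),(.*)$")  # assumed export layout

def parse_events(text):
    """Yield (event_id, peer, failure_reason) tuples; lines that do not match are skipped."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(4).strip()

def summarize(events):
    """Per peer: SAs that came up, SAs that ended, and a Counter of 547 failure reasons."""
    per_peer = defaultdict(lambda: {"established": 0, "ended": 0, "failed": Counter()})
    for event_id, peer, reason in events:
        if event_id == ESTABLISHED:
            per_peer[peer]["established"] += 1
        elif event_id in ENDED:
            per_peer[peer]["ended"] += 1
        elif event_id == FAILED:
            per_peer[peer]["failed"][reason] += 1
    return dict(per_peer)

def triage(stats):
    """Map one peer's counters to the next troubleshooting step."""
    failed = sum(stats["failed"].values())
    if failed == 0:
        return "healthy"
    if stats["failed"]["No response from peer"] >= failed / 2:
        # Peer never answers IKE: confirm plain reachability with the Policy Agent stopped first.
        return "check-connectivity"
    # Negotiation starts but is torn down: compare both sides' policies and authentication path.
    return "check-negotiation"

if __name__ == "__main__":
    for peer, stats in summarize(parse_events(SAMPLE_LOG)).items():
        print(peer, stats["established"], stats["ended"], dict(stats["failed"]), triage(stats))
```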
