Re: IPSEC Problems

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/13/05


Date: Thu, 12 May 2005 19:22:42 -0500

You may want to try and rebuild the IPsec policy. Note that for domain
computers you need to make sure that domain controllers are exempt from
IPsec negotiation traffic between domain members and domain controllers as
they do the Kerberos authentication. --- Steve

"Ludwig Zammit" <LudwigZammit@discussions.microsoft.com> wrote in message
news:B0E9631D-88FC-48D8-A2DB-E6C6984EB080@microsoft.com...
> I have set up one of my servers with the Server (Request Security) IPSEC
> policy. Any clients and servers (members of the same domain) which had the
> Client (Respond Only) policy activated used to communicate successfully with
> this server and any communication was shown correctly in ipsecmon.
>
> However as of yesterday I started having problems with clients communicating
> with this server. I have enabled Object Access Auditing on the server and am
> receiving event ID 547 in my security event log:
>
> The failure reason is either "IKE SA deleted before establishment completed"
> or "No response from peer". The failure point is always "Me".
>
> If I try to ping the server from any machine which has the Client (Respond
> Only) policy enabled I get a "Request Timed Out". The Server (Request
> Security) policy has not been modified and hence all ICMP traffic should be
> permitted.
>
> I am still receiving successful event IDs (541, 542 and 543) along with these
> error messages. I am not sure if this is a normal behaviour or not.
>
> If I disable the policies I can successfully ping the server.
>
> Any help is appreciated.
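
Steve's advice to exempt the domain controllers, as an added illustration that is not part of either post: a netsh ipsec static script for a Windows 2003/XP member that adds a permit rule for the DC addresses to the built-in Server (Request Security) policy. The DC addresses and the filter list, filter action and rule names are placeholders chosen for this example.

```batch
@echo off
rem Added example (not from the thread): exempt the domain controllers from
rem IPsec negotiation on a Windows 2003 / XP member running the built-in
rem Server (Request Security) policy, using the static IPsec netsh context.
rem DC_1 / DC_2 are placeholder addresses; replace them with your real DC IPs.
set DC_1=192.0.2.10
set DC_2=192.0.2.11

rem Unassign the policy while editing so a half-built rule is never active.
netsh ipsec static set policy name="Server (Request Security)" assign=no

rem Filter list "DC Exempt" (name assumed) matching all traffic between this
rem host and each DC. mirrored=yes also matches the DC-to-member direction.
netsh ipsec static add filterlist name="DC Exempt" description="Traffic to/from domain controllers"
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=%DC_1% protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=%DC_2% protocol=ANY mirrored=yes

rem Filter action "Permit" (name assumed): pass the traffic in the clear, no IKE.
netsh ipsec static add filteraction name="Permit" action=permit

rem Bind the filter list and action into the policy as a new rule.
netsh ipsec static add rule name="Exempt DCs" policy="Server (Request Security)" filterlist="DC Exempt" filteraction="Permit"

rem Reassign the policy and confirm the new rule is listed and the policy is assigned.
netsh ipsec static set policy name="Server (Request Security)" assign=yes
netsh ipsec static show all
```

After reassigning, watch ipsecmon and the security log: event 547 entries whose peer is a DC address should stop, since that traffic no longer enters IKE negotiation at all.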
