?
Solved

IPSec between client and DC

Posted on 2012-04-07
10
Medium Priority
?
676 Views
Last Modified: 2012-04-23
IP1121I created and OU called IPSec, moved one PC XPS to the OU, created a new GPO and enable it.
when I go to the IP Security Monitor I see the following ( see attached ).
As soon as I do and (gpupdate /force ) I loose all internet connect and all connection to the DC, I can still ping the DC, just can't connec to anything on it ( DFS ) ( Printer ) nothing.
I went back into the IPSec GPO and enabled Permit unsecured IP packets to pass through and again did an ( gpupdate / force ) and then I was able to get internet and connect back to the DC.

What I'm I doing wrong?
Please expalin in details.

Thank you to all.
0
Comment
Question by:noad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37820449
Can you try to change the outbound and Inbound.
Source 192.168.2.249 Destination any direction Inbound
Source any Destination 192.168.2.249 direction outbound
0
 
LVL 79

Expert Comment

by:arnold
ID: 37820455
Do you have a CA
Do you have a Gpo where each systems auto enrolls and gets a certificate?
http://www.windowsecurity.com/articles/deploying-ipsec-server-domain-isolation-windows-server-2008-group-policy-part1.html
0
 
LVL 1

Author Comment

by:noad
ID: 37821089
arnold

no CA
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 1

Author Comment

by:noad
ID: 37821118
anuroopsundd

why would you suggest the changing of the outbound and inbound?

I did try the following and as son as I did a gpupdate  everything locked up again
0
 
LVL 79

Expert Comment

by:arnold
ID: 37821607
To establish IPSec they have to exchange certificates each side confirming who they are and using the certificate to encrypt the IPSec tunnel. Without that, IPSec can not be established so there is no tunnel through which data can be sent.

Usually, the rule should be to send LAN specific traffic via IPSec, while non LAN traffic should go unsecured.

Refer to the ms doc dealing with IPSec setup on the LAN.
0
 
LVL 1

Author Comment

by:noad
ID: 37821701
I see your point, but I just want to secure the intranet connect.
From out side users VPN in with SSL.
Is there no way to secure intranet traffic.?
0
 
LVL 79

Expert Comment

by:arnold
ID: 37821738
Secure from whom? If your switch is manageable, you could secure the intranet using 801.1x which also requires mac address based authentication.  Certificates are also part.
0
 
LVL 1

Author Comment

by:noad
ID: 37822082
Secure in general.....
 No managed switch

Im just trying out new things that I have not done before

SO are you saying there is no way to setup IPSec without a CA?
0
 
LVL 79

Accepted Solution

by:
arnold earned 2000 total points
ID: 37822165
IPSEC encrypts the channel within which the data is transmitted.
Based on this each system to access another will have to establish an IPSEC tunnel or all traffic will go through the DC to which each system will have an IPSEC tunnel. (never mind ipsec in this context does not mean ipsec as a VPN tunnel it rather means IP security/firewall settings such that a CA for certificate issuing is not required..)

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/1c13453e-1711-4537-bdf1-27ee60ee2478
http://www.techrepublic.com/blog/networking/ipsec-policy-configurations-on-windows-server-2008-systems/481


http://technet.microsoft.com/en-us/library/cc782433%28v=ws.10%29.aspx
0
 
LVL 1

Author Comment

by:noad
ID: 37823189
arnold


I think i understand, I'll read your links...
Thanks
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month13 days, 3 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question