IPSec between client and DC

IP1121I created and OU called IPSec, moved one PC XPS to the OU, created a new GPO and enable it.
when I go to the IP Security Monitor I see the following ( see attached ).
As soon as I do and (gpupdate /force ) I loose all internet connect and all connection to the DC, I can still ping the DC, just can't connec to anything on it ( DFS ) ( Printer ) nothing.
I went back into the IPSec GPO and enabled Permit unsecured IP packets to pass through and again did an ( gpupdate / force ) and then I was able to get internet and connect back to the DC.

What I'm I doing wrong?
Please expalin in details.

Thank you to all.
LVL 1
noadAsked:
Who is Participating?
 
arnoldCommented:
IPSEC encrypts the channel within which the data is transmitted.
Based on this each system to access another will have to establish an IPSEC tunnel or all traffic will go through the DC to which each system will have an IPSEC tunnel. (never mind ipsec in this context does not mean ipsec as a VPN tunnel it rather means IP security/firewall settings such that a CA for certificate issuing is not required..)

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/1c13453e-1711-4537-bdf1-27ee60ee2478
http://www.techrepublic.com/blog/networking/ipsec-policy-configurations-on-windows-server-2008-systems/481


http://technet.microsoft.com/en-us/library/cc782433%28v=ws.10%29.aspx
0
 
AnuroopsunddCommented:
Can you try to change the outbound and Inbound.
Source 192.168.2.249 Destination any direction Inbound
Source any Destination 192.168.2.249 direction outbound
0
 
arnoldCommented:
Do you have a CA
Do you have a Gpo where each systems auto enrolls and gets a certificate?
http://www.windowsecurity.com/articles/deploying-ipsec-server-domain-isolation-windows-server-2008-group-policy-part1.html
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
noadAuthor Commented:
arnold

no CA
0
 
noadAuthor Commented:
anuroopsundd

why would you suggest the changing of the outbound and inbound?

I did try the following and as son as I did a gpupdate  everything locked up again
0
 
arnoldCommented:
To establish IPSec they have to exchange certificates each side confirming who they are and using the certificate to encrypt the IPSec tunnel. Without that, IPSec can not be established so there is no tunnel through which data can be sent.

Usually, the rule should be to send LAN specific traffic via IPSec, while non LAN traffic should go unsecured.

Refer to the ms doc dealing with IPSec setup on the LAN.
0
 
noadAuthor Commented:
I see your point, but I just want to secure the intranet connect.
From out side users VPN in with SSL.
Is there no way to secure intranet traffic.?
0
 
arnoldCommented:
Secure from whom? If your switch is manageable, you could secure the intranet using 801.1x which also requires mac address based authentication.  Certificates are also part.
0
 
noadAuthor Commented:
Secure in general.....
 No managed switch

Im just trying out new things that I have not done before

SO are you saying there is no way to setup IPSec without a CA?
0
 
noadAuthor Commented:
arnold


I think i understand, I'll read your links...
Thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.