Solved

IPSec between client and DC

Posted on 2012-04-07
10
625 Views
Last Modified: 2012-04-23
IP1121I created and OU called IPSec, moved one PC XPS to the OU, created a new GPO and enable it.
when I go to the IP Security Monitor I see the following ( see attached ).
As soon as I do and (gpupdate /force ) I loose all internet connect and all connection to the DC, I can still ping the DC, just can't connec to anything on it ( DFS ) ( Printer ) nothing.
I went back into the IPSec GPO and enabled Permit unsecured IP packets to pass through and again did an ( gpupdate / force ) and then I was able to get internet and connect back to the DC.

What I'm I doing wrong?
Please expalin in details.

Thank you to all.
0
Comment
Question by:noad
  • 5
  • 4
10 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37820449
Can you try to change the outbound and Inbound.
Source 192.168.2.249 Destination any direction Inbound
Source any Destination 192.168.2.249 direction outbound
0
 
LVL 77

Expert Comment

by:arnold
ID: 37820455
Do you have a CA
Do you have a Gpo where each systems auto enrolls and gets a certificate?
http://www.windowsecurity.com/articles/deploying-ipsec-server-domain-isolation-windows-server-2008-group-policy-part1.html
0
 
LVL 1

Author Comment

by:noad
ID: 37821089
arnold

no CA
0
 
LVL 1

Author Comment

by:noad
ID: 37821118
anuroopsundd

why would you suggest the changing of the outbound and inbound?

I did try the following and as son as I did a gpupdate  everything locked up again
0
 
LVL 77

Expert Comment

by:arnold
ID: 37821607
To establish IPSec they have to exchange certificates each side confirming who they are and using the certificate to encrypt the IPSec tunnel. Without that, IPSec can not be established so there is no tunnel through which data can be sent.

Usually, the rule should be to send LAN specific traffic via IPSec, while non LAN traffic should go unsecured.

Refer to the ms doc dealing with IPSec setup on the LAN.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 1

Author Comment

by:noad
ID: 37821701
I see your point, but I just want to secure the intranet connect.
From out side users VPN in with SSL.
Is there no way to secure intranet traffic.?
0
 
LVL 77

Expert Comment

by:arnold
ID: 37821738
Secure from whom? If your switch is manageable, you could secure the intranet using 801.1x which also requires mac address based authentication.  Certificates are also part.
0
 
LVL 1

Author Comment

by:noad
ID: 37822082
Secure in general.....
 No managed switch

Im just trying out new things that I have not done before

SO are you saying there is no way to setup IPSec without a CA?
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 37822165
IPSEC encrypts the channel within which the data is transmitted.
Based on this each system to access another will have to establish an IPSEC tunnel or all traffic will go through the DC to which each system will have an IPSEC tunnel. (never mind ipsec in this context does not mean ipsec as a VPN tunnel it rather means IP security/firewall settings such that a CA for certificate issuing is not required..)

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/1c13453e-1711-4537-bdf1-27ee60ee2478
http://www.techrepublic.com/blog/networking/ipsec-policy-configurations-on-windows-server-2008-systems/481


http://technet.microsoft.com/en-us/library/cc782433%28v=ws.10%29.aspx
0
 
LVL 1

Author Comment

by:noad
ID: 37823189
arnold


I think i understand, I'll read your links...
Thanks
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Looking for a MFP for a small office network 26 133
VMware Black Screen 13 85
Undo a Print Server Setup 5 75
Replacing a server/domain controller 5 95
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now