Solved

IPSec between client and DC

Posted on 2012-04-07
10
638 Views
Last Modified: 2012-04-23
IP1121I created and OU called IPSec, moved one PC XPS to the OU, created a new GPO and enable it.
when I go to the IP Security Monitor I see the following ( see attached ).
As soon as I do and (gpupdate /force ) I loose all internet connect and all connection to the DC, I can still ping the DC, just can't connec to anything on it ( DFS ) ( Printer ) nothing.
I went back into the IPSec GPO and enabled Permit unsecured IP packets to pass through and again did an ( gpupdate / force ) and then I was able to get internet and connect back to the DC.

What I'm I doing wrong?
Please expalin in details.

Thank you to all.
0
Comment
Question by:noad
  • 5
  • 4
10 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37820449
Can you try to change the outbound and Inbound.
Source 192.168.2.249 Destination any direction Inbound
Source any Destination 192.168.2.249 direction outbound
0
 
LVL 77

Expert Comment

by:arnold
ID: 37820455
Do you have a CA
Do you have a Gpo where each systems auto enrolls and gets a certificate?
http://www.windowsecurity.com/articles/deploying-ipsec-server-domain-isolation-windows-server-2008-group-policy-part1.html
0
 
LVL 1

Author Comment

by:noad
ID: 37821089
arnold

no CA
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:noad
ID: 37821118
anuroopsundd

why would you suggest the changing of the outbound and inbound?

I did try the following and as son as I did a gpupdate  everything locked up again
0
 
LVL 77

Expert Comment

by:arnold
ID: 37821607
To establish IPSec they have to exchange certificates each side confirming who they are and using the certificate to encrypt the IPSec tunnel. Without that, IPSec can not be established so there is no tunnel through which data can be sent.

Usually, the rule should be to send LAN specific traffic via IPSec, while non LAN traffic should go unsecured.

Refer to the ms doc dealing with IPSec setup on the LAN.
0
 
LVL 1

Author Comment

by:noad
ID: 37821701
I see your point, but I just want to secure the intranet connect.
From out side users VPN in with SSL.
Is there no way to secure intranet traffic.?
0
 
LVL 77

Expert Comment

by:arnold
ID: 37821738
Secure from whom? If your switch is manageable, you could secure the intranet using 801.1x which also requires mac address based authentication.  Certificates are also part.
0
 
LVL 1

Author Comment

by:noad
ID: 37822082
Secure in general.....
 No managed switch

Im just trying out new things that I have not done before

SO are you saying there is no way to setup IPSec without a CA?
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 37822165
IPSEC encrypts the channel within which the data is transmitted.
Based on this each system to access another will have to establish an IPSEC tunnel or all traffic will go through the DC to which each system will have an IPSEC tunnel. (never mind ipsec in this context does not mean ipsec as a VPN tunnel it rather means IP security/firewall settings such that a CA for certificate issuing is not required..)

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/1c13453e-1711-4537-bdf1-27ee60ee2478
http://www.techrepublic.com/blog/networking/ipsec-policy-configurations-on-windows-server-2008-systems/481


http://technet.microsoft.com/en-us/library/cc782433%28v=ws.10%29.aspx
0
 
LVL 1

Author Comment

by:noad
ID: 37823189
arnold


I think i understand, I'll read your links...
Thanks
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question