Solved

IPSec between client and DC

Posted on 2012-04-07
10
619 Views
Last Modified: 2012-04-23
IP1121I created and OU called IPSec, moved one PC XPS to the OU, created a new GPO and enable it.
when I go to the IP Security Monitor I see the following ( see attached ).
As soon as I do and (gpupdate /force ) I loose all internet connect and all connection to the DC, I can still ping the DC, just can't connec to anything on it ( DFS ) ( Printer ) nothing.
I went back into the IPSec GPO and enabled Permit unsecured IP packets to pass through and again did an ( gpupdate / force ) and then I was able to get internet and connect back to the DC.

What I'm I doing wrong?
Please expalin in details.

Thank you to all.
0
Comment
Question by:noad
  • 5
  • 4
10 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
Comment Utility
Can you try to change the outbound and Inbound.
Source 192.168.2.249 Destination any direction Inbound
Source any Destination 192.168.2.249 direction outbound
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Do you have a CA
Do you have a Gpo where each systems auto enrolls and gets a certificate?
http://www.windowsecurity.com/articles/deploying-ipsec-server-domain-isolation-windows-server-2008-group-policy-part1.html
0
 
LVL 1

Author Comment

by:noad
Comment Utility
arnold

no CA
0
 
LVL 1

Author Comment

by:noad
Comment Utility
anuroopsundd

why would you suggest the changing of the outbound and inbound?

I did try the following and as son as I did a gpupdate  everything locked up again
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
To establish IPSec they have to exchange certificates each side confirming who they are and using the certificate to encrypt the IPSec tunnel. Without that, IPSec can not be established so there is no tunnel through which data can be sent.

Usually, the rule should be to send LAN specific traffic via IPSec, while non LAN traffic should go unsecured.

Refer to the ms doc dealing with IPSec setup on the LAN.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Author Comment

by:noad
Comment Utility
I see your point, but I just want to secure the intranet connect.
From out side users VPN in with SSL.
Is there no way to secure intranet traffic.?
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Secure from whom? If your switch is manageable, you could secure the intranet using 801.1x which also requires mac address based authentication.  Certificates are also part.
0
 
LVL 1

Author Comment

by:noad
Comment Utility
Secure in general.....
 No managed switch

Im just trying out new things that I have not done before

SO are you saying there is no way to setup IPSec without a CA?
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
Comment Utility
IPSEC encrypts the channel within which the data is transmitted.
Based on this each system to access another will have to establish an IPSEC tunnel or all traffic will go through the DC to which each system will have an IPSEC tunnel. (never mind ipsec in this context does not mean ipsec as a VPN tunnel it rather means IP security/firewall settings such that a CA for certificate issuing is not required..)

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/1c13453e-1711-4537-bdf1-27ee60ee2478
http://www.techrepublic.com/blog/networking/ipsec-policy-configurations-on-windows-server-2008-systems/481


http://technet.microsoft.com/en-us/library/cc782433%28v=ws.10%29.aspx
0
 
LVL 1

Author Comment

by:noad
Comment Utility
arnold


I think i understand, I'll read your links...
Thanks
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

Suggested Solutions

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now