Options
IPSec problem on my test lab...
CompGuru
Member Posts: 10 ■□□□□□□□□□
I need help configuring IPSec, or really troubleshooting it. I want to set it up just for the sake of doing it and getting the experience but so far I can not get it to work.
I have one DC in my domain and one workstation for this situation.
I have configured a GPO on the DC OU with the Secure Server IPSec policy because I want to simulate a high security environment. I set the Key exchange security method to:
3DES MD5 Medium(2)
I set up a GPO for the WS OU with the Client IPSec Policy and made sure the settings matched with both GPOs having filters set to allow all ICMP traffic and to require security for all IP traffic.
This setup however does not allow my WS to contact the DHCP server (the same DC) and thus communication is not established.
I thought that maybe the WS GPO wasn't being applied because I could not logon, so I changed the local security settings to match the WS GPO but it still doesn't work.
If I run netsh ipsec dynamic show mmsas it shows an error that there are no active security associations, which tells me that the WS is not negotiaing security with the server correctly, what am I missing?
I have one DC in my domain and one workstation for this situation.
I have configured a GPO on the DC OU with the Secure Server IPSec policy because I want to simulate a high security environment. I set the Key exchange security method to:
3DES MD5 Medium(2)
I set up a GPO for the WS OU with the Client IPSec Policy and made sure the settings matched with both GPOs having filters set to allow all ICMP traffic and to require security for all IP traffic.
This setup however does not allow my WS to contact the DHCP server (the same DC) and thus communication is not established.
I thought that maybe the WS GPO wasn't being applied because I could not logon, so I changed the local security settings to match the WS GPO but it still doesn't work.
If I run netsh ipsec dynamic show mmsas it shows an error that there are no active security associations, which tells me that the WS is not negotiaing security with the server correctly, what am I missing?
If you stop getting better, you cease being good.
Comments
-
OptionsCompGuru
Member Posts: 10 ■□□□□□□□□□
** Update **
I was able to get it working, I needed to create an IP filter to allow UDP traffice from ports 68 to 67 on the serve to allow DHCP traffic.If you stop getting better, you cease being good. -
Options
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
Thanks for the update. It's been a while since I've implemented IPSec policies. They are great for security, but as you found it's easy to break something. In a discussion I had with Keatron one time, he mentioned having seen poorly implemented IPSec policies bring entire networks down.All things are possible, only believe.