IPsec main mode negotiation fails after transition to 2012 multi-site

  • Question

  • Hi all

    I am labbing with 2012 multi-site. I had a working single-site DA 2012; after transitioning to multi-site, no IPsec tunnels come up anymore, neither on Win 8 nor on Win 7. The IPHTTPS interface is active and reports 0x0.

    Transition steps after having added a new AD-site with one DC, DA-server (with computer and IPHTTPS cert), application server and Windows 7 client:

    1. Create security groups DirectAccess Windows 7 clients SiteA and DirectAccess Windows 7 clients SiteB
    2. Remove Windows 7 clients from group used for single-site DA
    3. Run Enable-DAMultiSite and Add-DAEntryPoint
    4. Enable Windows 7 clients to connect to their respective entry point (by adding the group to the Entry Point) 
    5. Create and link two GPOs (one per client group) for configuring DirectAccess Connectivity Assistant v2 for Windows 7 clients
    6. Checked Remote Access console (ramgmtui) and everything is green for both

    After turning on IPsec auditing I see the following error in the DA client's Security Event Log on a Windows 7 client:

    Event 4653 (IPsec Main Mode / Audit Failure)

    An IPsec main mode negotiation failed.

    Local Endpoint:
     Local Principal Name: -
     Network Address: 2002:<snip>:<snip>:1000:c8a7:17c1:8fdb:16a8
     Keying Module Port: 500

    Remote Endpoint:
     Principal Name:  -
     Network Address: fd75:273b:b285:2223::1
     Keying Module Port: 500

    Additional Information:
     Keying Module Name: IKEv1
     Authentication Method: Unknown authentication
     Role:   Initiator
     Impersonation State: Not enabled
     Main Mode Filter ID: 0

    Failure Information:
     Failure Point:  Local computer
     Failure Reason:  No policy configured

     State:   No state
     Initiator Cookie:  0539ce0131194bfc
     Responder Cookie: 0000000000000000

    IPsec settings from the GPO seem to be correct, and I can see the "Connection Security Rules" definitions "DirectAccess-ClientTo..." in Windows Firewall (wf.msc).

    Any ideas?

    /Maurice

    Wednesday, June 5, 2013 1:43 PM

All replies

  • Hi

    Are you sure that the Windows 7 clients do not use the previous GPO? Do you have the same problem with Windows 8 clients?
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, June 7, 2013 2:06 PM
  • Hello Benoit

    Thanks for your input. Unfortunately, in my lab I get some strange error when running gpresult /scope computer /r. In the meantime I have seen the exact same error in a customer's environment: one entry point is working as expected (the original DA server when not using multi-site), but the "new" entry point does not work, with the same error in the Security Event Log.

    When comparing all GPOs (server and Client), I discovered one particular thing: both client GPOs for the different sites (SiteA and SiteB) have the same endpoint1 address for the Connection Security rule. This was a bit surprising, but since I can't compare with a working installation I am not sure if this has any significance.

    Probably I will scratch my DA lab and re-start, but suggestions are still welcome...

    /Maurice

    Friday, June 7, 2013 2:20 PM
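    The two things the thread checks by hand, the Event 4653 audit records on the client and the endpoint addresses of the "DirectAccess-ClientTo..." connection security rules from the two client GPOs, can be pulled together in one script. The following is an added triage script, not code from the thread or from Microsoft. It assumes an elevated PowerShell on the DirectAccess client with IPsec auditing already enabled; the event summary runs on Windows 7 (PowerShell 2.0), while the rule cross-check needs the NetSecurity module (Windows 8 / Server 2012 or later) and is skipped otherwise. The rule name pattern and the `Hours` parameter are assumptions for illustration.

```powershell
# Added triage script; not from the thread or from Microsoft. Assumptions: elevated PowerShell on
# the DirectAccess client, IPsec auditing enabled (as the poster did), rule names matching the
# "DirectAccess-ClientTo..." rules the poster saw in wf.msc. The cross-check section needs the
# NetSecurity module (Windows 8 / Server 2012+) and is skipped on Windows 7.
param(
    [int]$Hours = 24,
    [string]$RulePattern = 'DirectAccess-ClientTo*'
)

# Extract one field from the 4653 message text; $null when the pattern is absent.
function Get-Field([string]$Text, [string]$Pattern) {
    $m = [regex]::Match($Text, $Pattern)
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

# 1. Collect IPsec main mode failures (Event 4653) from the Security log.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653; StartTime = $since } `
          -ErrorAction SilentlyContinue

$failures = @()
foreach ($e in $events) {
    $msg = $e.Message
    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (Windows 7).
    $failures += New-Object PSObject -Property @{
        Time          = $e.TimeCreated
        LocalAddress  = Get-Field $msg 'Local Endpoint:[\s\S]*?Network Address:\s*(\S+)'
        RemoteAddress = Get-Field $msg 'Remote Endpoint:[\s\S]*?Network Address:\s*(\S+)'
        KeyingModule  = Get-Field $msg 'Keying Module Name:\s*(\S+)'
        AuthMethod    = Get-Field $msg 'Authentication Method:\s*([^\r\n]+)'
        FailurePoint  = Get-Field $msg 'Failure Point:\s*([^\r\n]+)'
        FailureReason = Get-Field $msg 'Failure Reason:\s*([^\r\n]+)'
    }
}

if ($failures.Count -eq 0) {
    Write-Output "No Event 4653 in the last $Hours h. Check that IPsec auditing is enabled."
    return
}

Write-Output "Main mode failures by remote entry point and reason:"
$failures | Group-Object RemoteAddress, FailureReason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Write-Output "Keying module / authentication method seen:"
$failures | Group-Object KeyingModule, AuthMethod | Select-Object Count, Name | Format-Table -AutoSize

# 2. Cross-check: which connection security rules in the active (GPO-applied) store cover the
#    peers that failed? "No policy configured" at "Local computer" means the initiator found no
#    usable IPsec policy for that peer, so the rule endpoints are the first thing to compare
#    between the two sites' client GPOs.
if (-not (Get-Command Get-NetIPsecRule -ErrorAction SilentlyContinue)) {
    Write-Output "NetSecurity module not available (Windows 7): use 'netsh advfirewall consec show rule name=all' to list rule endpoints instead."
    return
}

$rules = Get-NetIPsecRule -PolicyStore ActiveStore | Where-Object { $_.DisplayName -like $RulePattern }
$ruleTable = @()
foreach ($r in $rules) {
    $addr = $r | Get-NetFirewallAddressFilter
    $ruleTable += New-Object PSObject -Property @{
        Rule      = $r.DisplayName
        Endpoint1 = (@($addr.LocalAddress)  -join ', ')
        Endpoint2 = (@($addr.RemoteAddress) -join ', ')
    }
}
Write-Output "Active DirectAccess connection security rules:"
$ruleTable | Format-Table Rule, Endpoint1, Endpoint2 -AutoSize

# Literal match only: a rule that uses a prefix or range will not match here, so treat a miss
# as "go and look at that rule", not as proof that no rule applies.
$remotes = $failures | Select-Object -ExpandProperty RemoteAddress -Unique
foreach ($peer in $remotes) {
    $covered = $ruleTable | Where-Object { (($_.Endpoint2 -split ',\s*') -contains $peer) }
    if ($covered) {
        $names = ($covered | ForEach-Object { $_.Rule }) -join '; '
        Write-Output "Peer $peer is Endpoint2 of: $names"
    } else {
        Write-Output "Peer $peer is not listed literally as Endpoint2 in any $RulePattern rule."
    }
}
```

    Run it on a client from each site and put the two rule tables side by side: the thread's observation that both client GPOs carry the same endpoint1 address shows up directly in the Endpoint1 column, and the first summary tells you which entry point address the failing clients are actually trying to reach.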
  • Maurice

    I'm seeing the exact same thing in my migration. I have a working 2012 server for Win 8 that is not part of the environment. If I try and put my clients on the production multi-site servers, the Windows 7 clients work just fine but nothing from Windows 8 at all, an IPsec negotiation failure just like you.

    Have you had any luck? 

    Monday, June 17, 2013 5:48 PM
  • Hello Aaron

    Unfortunately, no. I set up a new multi-site lab, ending up with exactly the same error message. My gut feeling tells me the problem is related to IPv6 routing, but I did not have the time to test further...

    But a side note: if you started off with a simple deployment (aka not using PKI) and then later enabled Legacy (Windows 7) support, please make sure your Windows 8 computers correctly enroll and get a computer certificate. (I forgot this in a previous lab, and suddenly Win 8 would not work anymore.)

    /Maurice

    Tuesday, June 18, 2013 6:27 AM