IPSec between Domain Controllers

  • Question

  • Hopefully someone here is a bit more familiar with the ins and outs of server to server IPSec within Windows.

    So I'm trying to set up an IPSec tunnel between all of my internal DCs to the RODCs in our DMZ (to reduce the number of holes we need to punch in our firewall). So I followed the tutorial here to a T: http://blogs.technet.com/b/askpfeplat/archive/2014/12/15/securing-dc-to-dc-communication-with-ipsec-using-windows-firewall-with-advanced-security-wfas-connection-security-rules.aspx

    However, I'm having lots of issues with making it work consistently. GP has successfully pushed the Connection Security Rules to all of the DCs, but they don't seem to apply always. When I look at our firewall, I'm seeing lots of blocks because the servers won't use the Connection Rules. However, every once in a while (without any sort of pattern), the Security Associations will create themselves correctly (I can see them under the Main Mode and Quick Mode of the Security Associations tree). When this happens, everything works swimmingly. But once I reboot the servers, the associations go away and the servers only work sporadically again.

    I'm beating my head against the wall again. Why are the servers not always honoring the Connection Security Rules? 

    Thursday, July 30, 2015 6:37 PM

Answers

  • Hi ChGPe,

    Based on my understanding, when DC2 communicates with DC1 using WFP, the firewall of DC1 sometimes blocks DC2's packets. In other words, it works all right at times, but sometimes DC2 fails to apply the connection rules.

    First, we may check if all the configurations to enable Windows firewall and IPSec policy are correct. Here is the link about how to deploy Windows firewall and IPSec step-by-step:

    https://technet.microsoft.com/en-us/library/deploy-ipsec-firewall-policies-step-by-step(v=ws.10).aspx

    Next, we may check if the key firewall and IPsec services are working. If you want Windows Firewall with Advanced Security to operate correctly, the following services need to be started: Base Filtering Engine, Group Policy Client, IKE and AuthIP Keying Modules, IP Helper, IPsec Policy Agent, Network Location Awareness, Network List Service, Windows Firewall.

    Besides, we may narrow down the problem by capturing firewall and IPsec events with Netsh WFP. If you want to learn how to use Netsh WFP to troubleshoot WFP, you may click the following link:

    https://technet.microsoft.com/en-us/library/ff428146(v=ws.10).aspx

    Best regards,

    Anne he

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, July 31, 2015 6:50 AM
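The three checks in the answer above (required services, delivered connection security rules and live SAs, and a Netsh WFP capture), gathered into one read-only PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on a DC with the NetSecurity module (Windows Server 2012 or later), and the peer name `RODC01.example.invalid` is a constructed placeholder you replace with your own RODC.

```powershell
# Added example: health check for DC-to-DC IPsec connection security rules,
# following the three steps in the answer. Run elevated on one of the DCs.
param(
    [string]$PeerDc = "RODC01.example.invalid",   # placeholder peer, replace it
    [switch]$Capture                               # opt in to the netsh wfp trace
)

# Step 1: the services the answer lists, keyed by their short service names.
$required = [ordered]@{
    'BFE'         = 'Base Filtering Engine'
    'gpsvc'       = 'Group Policy Client'
    'IKEEXT'      = 'IKE and AuthIP IPsec Keying Modules'
    'iphlpsvc'    = 'IP Helper'
    'PolicyAgent' = 'IPsec Policy Agent'
    'NlaSvc'      = 'Network Location Awareness'
    'netprofm'    = 'Network List Service'
    'MpsSvc'      = 'Windows Firewall'
}
"== Required services =="
foreach ($name in $required.Keys) {
    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'NOT FOUND' }
    $flag  = if ($state -eq 'Running') { 'ok   ' } else { 'CHECK' }
    '{0} {1,-38} {2,-12} {3}' -f $flag, $required[$name], $name, $state
}

# Step 2: which connection security rules actually reached this DC, and whether
# they are enabled. ActiveStore is the merged, effective policy (GPO + local).
"== Connection security rules (ActiveStore) =="
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity, PolicyStoreSourceType |
    Format-Table -AutoSize

# SAs are negotiated on demand, so send some traffic to the peer first. An empty
# list right after a reboot is the symptom described in the question.
"== Probing $PeerDc so an SA is negotiated =="
Test-NetConnection -ComputerName $PeerDc -Port 389 | Select-Object ComputerName, TcpTestSucceeded
$mm = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
$qm = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)
"Main Mode SAs: $($mm.Count)   Quick Mode SAs: $($qm.Count)"
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# Step 3 (opt-in): capture WFP/IPsec events while reproducing the failure.
# The .cab contains the trace plus 'netsh wfp show state' output for analysis.
# Reminder for the DMZ case: the perimeter firewall must still pass UDP 500,
# UDP 4500 and IP protocol 50 (ESP) between the DCs, or no SA can form.
if ($Capture) {
    $out = Join-Path $env:TEMP ("wfp-{0:yyyyMMdd-HHmmss}.cab" -f (Get-Date))
    netsh wfp capture start file=$out
    "Capture running; reproduce the blocked traffic, then press Enter to stop."
    [void](Read-Host)
    netsh wfp capture stop
    "Trace written to $out"
}
```

Run it once on an internal DC and once on the RODC, and compare the two rule listings: a rule that shows as delivered and enabled on one side but missing on the other explains intermittent negotiation, and a rule present on both sides with zero SAs after the probe points at the perimeter firewall or at one of the services above not running.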