2008 DC refusing to participate in IPSEC (NAP)

  • Question

  • Hi all. I have set up a NAP IPsec enforcement network (lab environment). I wanted to add a domain controller to the secure zone to ensure things worked OK, but it gets lots of audit failures in SERVER01's security log for main mode, as follows.

    An IPsec Main Mode negotiation failed.

    Local Endpoint:
        Local Principal Name:    -
        Network Address:   
        Keying Module Port:    500

    Remote Endpoint:
        Principal Name:        -
        Network Address:   
        Keying Module Port:    500

    Additional Information:
        Keying Module Name:    AuthIP
        Authentication Method:    Unknown authentication
        Role:            Responder
        Impersonation State:    Not enabled
        Main Mode Filter ID:    69824

    Failure Information:
        Failure Point:        Local computer
        Failure Reason:        Received invalid authentication offers.

        State:            No state
        Initiator Cookie:        ce57abef24a21be6
        Responder Cookie:    5922e54a3539db49

    Server01: Forest Root DC, CA enterprise, 2008-32bit, all 5 FSMO roles, WSUS
    Server02: DC, 2008-64bit
    NPS1: Subordinate standalone 2008-64bit, HRA, nap policies, etc.
    SQL: Sql server 2008, win 2008-64bit


    NAP appears to be working fine. Vista non-compliant cannot access SQL/Server02. Vista compliant can access them.
    Server01 and Server02 have got themselves health certificates from the forest root CA via auto-enrolment. Have checked the certificates; all are valid.
    Connection rules are applied via Windows Firewall.

    When I apply a firewall connection rule of require inbound/outbound, Server01 will not talk to anything else. All other computers talk fine.

    Server02 shows:
    An IPsec Main Mode negotiation failed.

    Local Endpoint:
        Local Principal Name:    -
        Network Address:   
        Keying Module Port:    500

    Remote Endpoint:
        Principal Name:        -
        Network Address:   
        Keying Module Port:    500

    Additional Information:
        Keying Module Name:    AuthIP
        Authentication Method:    Unknown authentication
        Role:            Initiator
        Impersonation State:    Not enabled
        Main Mode Filter ID:    69799

    Failure Information:
        Failure Point:        Remote computer
        Failure Reason:        Received invalid authentication offers.

        State:            Sent first (SA) payload
        Initiator Cookie:        81a8153dea46a6f1
        Responder Cookie:    0000000000000000

    Any help on what to look for would be appreciated.
    Tuesday, April 21, 2009 9:37 PM
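The two event bodies quoted above (Windows logs them as Security event 4653, "An IPsec Main Mode negotiation failed") are easier to read side by side once you know what the fields mean: the Responder that records Failure Point "Local computer" with "Received invalid authentication offers" is the host whose own policy refused every authentication method the peer proposed, while the Initiator's matching event shows Failure Point "Remote computer", state "Sent first (SA) payload" and an all-zero responder cookie because its first SA payload was never answered. The parser below is an added example, not part of the original post or of any Microsoft tool: it splits the event text into its sections (needed because "Network Address" appears under both endpoints), extracts the role, failure point, reason and cookies, and names the host that did the rejecting. The two sample bodies are constructed from the post with blank lines removed; the host names attached to them are an assumption for the example, since the event body itself does not carry a host field.

```python
import re

# Constructed sample input: the two event-4653 bodies quoted in the post
# (blank lines dropped), keyed by the host whose Security log holds each.
# The host names are an assumption for this example, not a field of the event.
EVENTS: dict[str, str] = {
    "Server01": """An IPsec Main Mode negotiation failed.
Local Endpoint:
    Local Principal Name:    -
    Network Address:
    Keying Module Port:    500
Remote Endpoint:
    Principal Name:        -
    Network Address:
    Keying Module Port:    500
Additional Information:
    Keying Module Name:    AuthIP
    Authentication Method:    Unknown authentication
    Role:            Responder
    Impersonation State:    Not enabled
    Main Mode Filter ID:    69824
Failure Information:
    Failure Point:        Local computer
    Failure Reason:        Received invalid authentication offers.
    State:            No state
    Initiator Cookie:        ce57abef24a21be6
    Responder Cookie:    5922e54a3539db49
""",
    "Server02": """An IPsec Main Mode negotiation failed.
Local Endpoint:
    Local Principal Name:    -
    Network Address:
    Keying Module Port:    500
Remote Endpoint:
    Principal Name:        -
    Network Address:
    Keying Module Port:    500
Additional Information:
    Keying Module Name:    AuthIP
    Authentication Method:    Unknown authentication
    Role:            Initiator
    Impersonation State:    Not enabled
    Main Mode Filter ID:    69799
Failure Information:
    Failure Point:        Remote computer
    Failure Reason:        Received invalid authentication offers.
    State:            Sent first (SA) payload
    Initiator Cookie:        81a8153dea46a6f1
    Responder Cookie:    0000000000000000
""",
}


def parse_sections(text: str) -> dict[str, dict[str, str]]:
    """Split the event body into sections of 'Key: value' lines. Section
    tracking matters because 'Network Address' appears under both endpoints."""
    sections: dict[str, dict[str, str]] = {}
    current = "Header"
    for raw in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", raw.strip())
        if not m:
            continue  # the headline sentence has no 'Key: value' shape
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "" and not raw.startswith((" ", "\t")):
            current = key  # an unindented 'Name:' line opens a new section
        else:
            sections.setdefault(current, {})[key] = value
    return sections


def summarize(host: str, text: str) -> dict[str, str]:
    """Pull out the fields that say which side refused the negotiation and why."""
    s = parse_sections(text)
    info, fail = s["Additional Information"], s["Failure Information"]
    return {
        "host": host,
        "keying_module": info["Keying Module Name"],
        "role": info["Role"],
        "failure_point": fail["Failure Point"],
        "reason": fail["Failure Reason"].rstrip("."),
        "state": fail["State"],
        "responder_cookie": fail["Responder Cookie"],
    }


def rejected_locally(e: dict[str, str]) -> bool:
    """This host's own policy refused every authentication method the peer offered."""
    return e["failure_point"] == "Local computer" and e["reason"].endswith("authentication offers")


def never_answered(e: dict[str, str]) -> bool:
    """Initiator stuck after its first SA payload with an all-zero responder
    cookie: no reply ever came back, so the refusal happened on the peer."""
    return (e["role"] == "Initiator" and e["state"].startswith("Sent first")
            and set(e["responder_cookie"]) == {"0"})


def find_rejecting_hosts(events: dict[str, str]) -> list[str]:
    """Hosts that logged a local rejection: their configured authentication
    methods (here, health certificates) are the first thing to check."""
    return sorted(h for h, t in events.items() if rejected_locally(summarize(h, t)))
```

On a real Server 2008 box the event bodies can be pulled with `wevtutil qe Security /q:"*[System[(EventID=4653)]]" /f:text` and fed to `summarize` one event at a time; for the two events in the post, `find_rejecting_hosts(EVENTS)` points at Server01, and `never_answered` is true only for Server02's record, which is consistent with Server01 refusing the offers before replying.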

Answers

  • Hmmmmmmmmmm....... disabled the GP-produced firewall rules, created them manually, left authentication on default (didn't work), changed back to health certificates, ran the IPsec diagnostic tool and suddenly everything started working.....

    :)

    its all good now.

    Wednesday, April 22, 2009 12:05 AM