IPSec Bypass of Windows Firewall behaving Asymmetrically
I have two Windows 2003 servers (latest patches, SPs, etc). Both have Windows Firewall running. I want to use IPsec between the two servers, with the "allow authenticated IPsec bypass" rule set in a GPO so that the two servers can bypass each other's firewall.

I've added both servers to a global security group, and put the SDDL for this group into the policy, in the form "O:DAG:DAD:(A;;RCGW;;;S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx)", and both servers have been bounced to pick up this group membership.

There is an IPsec policy defined locally on each server. Both are defined to catch all traffic from "My IP Address" to a "Specific IP Address" (for the other server) for Any protocol, and are mirrored. The Filter Actions are set to Negotiate Security, Integrity and Encryption, so ESP, SHA1 & 3DES. Accept unsecured, Allow Unsecured and PFS are all unchecked. The policies use Kerberos authentication, the policy does not define a tunnel and the Connection Type is for All Network Connections. This is all set up on both servers.

When I establish the connection, the "allow authenticated IPsec bypass" rule only appears to work on the server that receives the connection request, and is not applied on the server that makes the connection request. This happens regardless of whichever server makes the request. So, if servera initiates the connection to serverb, serverb will allow servera to bypass the Windows Firewall; however servera will not allow serverb to bypass its firewall, even though a return connection is established. This works in reverse if serverb establishes the connection.

So, the questions are:

1. Should the "allow authenticated IPsec bypass" work at both ends of an IPsec connection like this (i.e. symmetrically)?
2. If not, is there a way to craft the IPsec filters/rules to establish a connection that will get accepted by the "allow authenticated IPsec bypass" at both ends?
October 14th, 2009 11:42am

halibut, I have been circling around this for a day or two thinking about how best to help with this. This can be rather involved, as IPsec always seems to be, but I want to present some low-hanging fruit. First I will say from the steps you have mentioned this should all work, so I think you are on the right track.

- How did you come to the conclusion that the firewall was blocking the connection? Did you see the block in the firewall logs?
- Have you tried disabling the firewall service on both sides to see if this connection works?
- There is precedent that shows the "mirror" option with the IPsec rules may not create the filters correctly. Instead try manually creating the reverse rule. In other words, where your rule has the statement that A over port Y to B over port X is allowed, manually reverse the rule to say that B over port X to A over port Y is allowed.

To be frank, I am leaning towards an IPsec processing issue rather than a Windows Firewall issue. In the firewall, once the connection is established, return traffic should be associated with the open winsock (SourceIP:Port+DestIP:Port). My understanding of the "allow authenticated IPsec bypass" rule is that we will allow incoming initial requests to bypass the firewall.

Don't forget to give credit where credit is due, vote this as helpful if it helped you.
October 29th, 2009 4:10am
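The three things the original post and the reply above turn on (the SDDL string handed to the bypass GPO, whether the firewall log actually shows a block from the peer, and an IPsec policy with explicit forward and reverse filters instead of one mirrored filter) can be scripted and checked from a PowerShell prompt. The following is an added example for this thread and is not code from either poster. It assumes the bypass setting accepts the SDDL form quoted in the question, `O:DAG:DAD:(A;;RCGW;;;<group SID>)`, that the firewall log is in the `pfirewall.log` W3C layout with a `#Fields:` header, and that the `netsh ipsec static` syntax of the Windows 2003/XP era is available; the group SID, addresses, policy names and log lines are constructed for illustration.

```powershell
# Added example (not from the original thread). Assumptions: the bypass GPO takes
# O:DAG:DAD:(A;;RCGW;;;<group SID>); the log is pfirewall.log W3C format with a
# '#Fields:' header; netsh ipsec static (2003-era) is present. All SIDs, hosts,
# names and log lines below are constructed for illustration.

function New-IpsecBypassSddl {
    # Build the SDDL for "Allow authenticated IPsec bypass" from a group name
    # (DOMAIN\Group) or from a SID string you already have.
    param([Parameter(Mandatory = $true)][string]$Group)

    if ($Group -match '^S-1-') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Group)
    } else {
        $acct = New-Object System.Security.Principal.NTAccount($Group)
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
    }
    # The SecurityIdentifier constructor throws on a malformed SID, so a stray
    # space or truncated RID is caught here instead of silently breaking the policy.
    $sddl = "O:DAG:DAD:(A;;RCGW;;;$($sid.Value))"
    if ($sddl -notmatch '^O:DAG:DAD:\(A;;RCGW;;;S-1-[\d-]+\)$') {
        throw "SDDL did not come out in the expected form: $sddl"
    }
    return $sddl
}

function Get-PeerFirewallDrops {
    # Return the DROP records in pfirewall.log lines that involve the IPsec peer.
    # Column names come from the '#Fields:' header, so the 2003 layout (no 'path'
    # column) and later layouts both parse.
    param(
        [Parameter(Mandatory = $true)][string[]]$LogLines,
        [Parameter(Mandatory = $true)][string]$PeerIp
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line.Trim() -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        if ($rec['action'] -eq 'DROP' -and
            ($rec['src-ip'] -eq $PeerIp -or $rec['dst-ip'] -eq $PeerIp)) {
            [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                Protocol = $rec['protocol']
                Source   = "$($rec['src-ip']):$($rec['src-port'])"
                Dest     = "$($rec['dst-ip']):$($rec['dst-port'])"
                Path     = $rec['path']   # RECEIVE/SEND on newer logs, empty on 2003
            }
        }
    }
}

function Get-PeerIpsecNetshCommands {
    # Emit 'netsh ipsec static' commands for a policy whose filter list carries an
    # explicit forward filter and an explicit reverse filter (mirrored=no on both),
    # the workaround suggested above, negotiating ESP 3DES/SHA1 with Kerberos and
    # no unsecured fallback, no PFS, no tunnel, all connection types.
    param([Parameter(Mandatory = $true)][string]$PeerIp,
          [string]$Name = 'PeerBypass')   # hypothetical policy name
    @(
        "netsh ipsec static add policy name=$Name",
        "netsh ipsec static add filterlist name=${Name}-Filters",
        "netsh ipsec static add filter filterlist=${Name}-Filters srcaddr=Me dstaddr=$PeerIp protocol=ANY mirrored=no",
        "netsh ipsec static add filter filterlist=${Name}-Filters srcaddr=$PeerIp dstaddr=Me protocol=ANY mirrored=no",
        "netsh ipsec static add filteraction name=${Name}-Secure action=negotiate inpass=no soft=no qmpfs=no qmsecmethods=""ESP[3DES,SHA1]""",
        "netsh ipsec static add rule name=${Name}-Rule policy=$Name filterlist=${Name}-Filters filteraction=${Name}-Secure kerberos=yes conntype=all",
        "netsh ipsec static set policy name=$Name assign=yes"
    )
}

# --- constructed sample: this host is 10.0.0.1 (servera), the peer is 10.0.0.2 (serverb) ---
$sampleLog = @(
    '#Version: 1.5',
    '#Software: Microsoft Windows Firewall',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2009-10-14 11:42:01 OPEN TCP 10.0.0.1 10.0.0.2 49152 445 - - - - - - - - SEND',
    '2009-10-14 11:42:03 DROP TCP 10.0.0.2 10.0.0.1 50000 135 52 S 3100000000 0 65535 - - - RECEIVE',
    '2009-10-14 11:42:05 DROP UDP 10.0.0.3 10.0.0.1 137 137 78 - - - - - - - RECEIVE'
)
# Only the inbound DROP from 10.0.0.2 is reported: that is the "serverb cannot
# reach servera back" symptom, and its presence says the firewall (not IPsec) refused it.
Get-PeerFirewallDrops -LogLines $sampleLog -PeerIp 10.0.0.2 | Format-Table -AutoSize

# A SID is passed directly so the example runs on a non-domain box; on a member
# server pass the group, e.g. 'CONTOSO\IPsec-Bypass' (hypothetical name).
New-IpsecBypassSddl -Group 'S-1-5-21-1111111111-2222222222-3333333333-1105'

Get-PeerIpsecNetshCommands -PeerIp 10.0.0.2
```

On a real server replace `$sampleLog` with `Get-Content "$env:windir\pfirewall.log"` (logging of dropped packets must be enabled in the firewall settings first) and run the check on the initiating server, since that is where the poster sees the bypass fail. The netsh commands are returned as strings rather than executed, so they can be reviewed and then piped to `Invoke-Expression` on each server with the other server's address as `-PeerIp`.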

I'm having the same exact issue. Have you found any solutions yet without disabling the firewall? Thanks, Michel
February 11th, 2011 12:13am

Speaking generally, if you want IPsec traffic to pass through a firewall you will need to permit ESP (IP protocol 50) and UDP 500 for ISAKMP/Oakley. If there is NAT/PAT involved in between the two hosts you will need to open UDP 4500 for NAT-T, since address translation breaks ESP so it needs to be encapsulated with a UDP header.

Matt W. CCNP, CCDA, CCNA-S, RHCT, MCSE, MCSA, MCP+I, A+
February 11th, 2011 4:45pm

This topic is archived. No further replies will be accepted.
