IPSec between Domain Controllers

Hopefully someone here is a bit more familiar with the ins and outs of server to server IPSec within Windows.

So I'm trying to set up an IPSec tunnel between all of my internal DCs and the RODCs in our DMZ (to reduce the number of holes we need to punch in our firewall). So I followed the tutorial here to a T: http://blogs.technet.com/b/askpfeplat/archive/2014/12/15/securing-dc-to-dc-communication-with-ipsec-using-windows-firewall-with-advanced-security-wfas-connection-security-rules.aspx

However, I'm having lots of issues with making it work consistently. GP has successfully pushed the Connection Security Rules to all of the DCs, but they don't always seem to apply. When I look at our firewall, I'm seeing lots of blocks because the servers won't use the Connection Rules. However, every once in a while (without any sort of pattern), the Security Associations will create themselves correctly (I can see them under the Main Mode and Quick Mode of the Security Associations tree). When this happens, everything works swimmingly. But once I reboot the servers, the associations go away and the servers only work sporadically again.

I'm beating my head against the wall again. Why are the servers not always honoring the Connection Security Rules?

July 30th, 2015 2:49pm

Hi ChGPe,

Based on my understanding, when DC2 communicates with DC1 using WFP, the firewall of DC1 sometimes blocks DC2's packets. In other words, it works all right at times, but sometimes DC2 fails to apply the connection rules.

First, we may check if all the configurations to enable Windows firewall and IPSec policy are correct. Here is the link about how to deploy Windows firewall and IPSec step-by-step:

https://technet.microsoft.com/en-us/library/deploy-ipsec-firewall-policies-step-by-step(v=ws.10).aspx

Next, we may check if the key firewall and IPsec services are working. If you want Windows Firewall with Advanced Security to operate correctly, the following services need to be started: Base Filtering Engine, Group Policy Client, IKE and AuthIP IPsec Keying Modules, IP Helper, IPsec Policy Agent, Network Location Awareness, Network List Service, Windows Firewall.

Besides, we may narrow down the problem by capturing firewall and IPsec events with Netsh WFP. If you want to learn how to use Netsh WFP to troubleshoot WFP, you may click the following link:

https://technet.microsoft.com/en-us/library/ff428146(v=ws.10).aspx

Best regards,

Anne he

July 31st, 2015 3:02am
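The reply above lists the services that must be running, suggests checking the applied connection security rules, and points at netsh wfp for capturing events. The PowerShell script below is an added example (not from the thread, the linked articles, or Microsoft) that runs those checks from an elevated prompt on a DC and reports what the original poster was inspecting by hand: whether the GPO-delivered rules are in the active store, and whether Main Mode and Quick Mode SAs exist to a given peer. It assumes Windows Server 2012 or later (the NetSecurity module), and the peer address and capture path are placeholders you substitute for your own.

```powershell
# Added example: DC-to-DC IPsec health check. Run elevated on each DC.
# Assumes the NetSecurity module (Server 2012+) and standard service short names.

# Service short name -> display name, matching the list in the reply above.
$RequiredServices = [ordered]@{
    'BFE'         = 'Base Filtering Engine'
    'gpsvc'       = 'Group Policy Client'
    'IKEEXT'      = 'IKE and AuthIP IPsec Keying Modules'
    'iphlpsvc'    = 'IP Helper'
    'PolicyAgent' = 'IPsec Policy Agent'
    'NlaSvc'      = 'Network Location Awareness'
    'netprofm'    = 'Network List Service'
    'MpsSvc'      = 'Windows Firewall'
}

function Test-IPsecServices {
    # A stopped IKEEXT or PolicyAgent after reboot explains SAs that never form.
    foreach ($name in $RequiredServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            Write-Warning ("{0} ({1}): service not found" -f $RequiredServices[$name], $name)
        } elseif ($svc.Status -ne 'Running') {
            Write-Warning ("{0} ({1}): {2}" -f $RequiredServices[$name], $name, $svc.Status)
        } else {
            Write-Output ("OK  {0} ({1}) is running" -f $RequiredServices[$name], $name)
        }
    }
}

function Get-ActiveConnectionSecurityRules {
    # ActiveStore is what the engine actually enforces; rules pushed by GPO
    # show PolicyStoreSourceType = GroupPolicy. An empty result after reboot
    # means the GPO never made it into the live policy on this host.
    Get-NetIPsecRule -PolicyStore ActiveStore |
        Select-Object DisplayName, Enabled, Mode, InboundSecurity,
                      OutboundSecurity, PolicyStoreSourceType
}

function Get-PeerSecurityAssociations {
    param([Parameter(Mandatory)][string]$PeerAddress)   # placeholder: IP of the RODC or DC

    # Main Mode SA = IKE/AuthIP authentication succeeded; Quick Mode SA = traffic
    # is actually being protected. Either list empty means the rule is not in use.
    $mainMode  = Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue |
                 Where-Object { $_.RemoteEndpoint -eq $PeerAddress }
    $quickMode = Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue |
                 Where-Object { $_.RemoteEndpoint -eq $PeerAddress }

    [pscustomobject]@{
        Peer          = $PeerAddress
        MainModeSAs   = @($mainMode).Count
        QuickModeSAs  = @($quickMode).Count
        Protected     = (@($mainMode).Count -gt 0 -and @($quickMode).Count -gt 0)
    }
}

function Get-RecentIPsecNegotiationFailures {
    # Security-log audit events 4653 (Main Mode failed) and 4654 (Quick Mode failed).
    # These only appear if "Audit IPsec Main Mode" / "Audit IPsec Quick Mode" auditing is enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653, 4654 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Start-WfpTrace {
    # Wraps the netsh wfp capture the reply recommends. Start it, reproduce the
    # blocked DC-to-DC traffic, then run Stop-WfpTrace and open the .cab.
    param([string]$Path = "$env:TEMP\dc-ipsec-wfp.cab")   # placeholder output path
    netsh wfp capture start file="$Path"
}

function Stop-WfpTrace {
    netsh wfp capture stop
}

# --- usage (substitute the peer address for one of your RODCs) ---
Test-IPsecServices
Get-ActiveConnectionSecurityRules | Format-Table -AutoSize
Get-PeerSecurityAssociations -PeerAddress '192.0.2.10'
Get-RecentIPsecNegotiationFailures | Format-List
```

Run it on both ends of a failing pair right after a reboot and compare: if the rules are present in the active store on both hosts but no Main Mode SA forms, the negotiation failure events and the WFP trace narrow it to authentication or a blocked IKE/AuthIP exchange; if the rules are missing from the active store on one host, the problem is Group Policy application rather than IPsec itself.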
