1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

my client and IPSec :(

Discussion in 'Computer Security' started by _omni_, Dec 27, 2005.

  1. _omni_

    _omni_ Megabyte Poster

    647
    10
    62
    dunno if this is the right section.

    anyway i was studying today, and i put a GPO on my client's OU. that GPO had only the IPSec policy "Secure Server" applied.

    so that broke communication between the client and the server, which was my goal. (the server had no policy applied).

    so then i wanted to remove it, to set things back to normal.

    i deleted the relevant GPO and did a gpupdate /force on the client.

    still can't communicate with server.

    i did the gpupdate on both computers, and restarted them.

    still nothing.

    i set the default domain policy to Respond Only, so hopefully my server would respond to the client's insistance on IPSec (that's what i think it is) and restarted them both.

    still nothing.

    removed that, restarted, still nothing.

    from my server i am able to access the internet and ping my client, but i cannot access it through i.e. \\client.

    from my client i cannot ping my server or access the internet.

    i am writing this from my server now, but i desperately need my client to work.

    i also did a RSOP on my client, but there's no IPSec section :(

    and restarting my client is pure hell, somehow it has decided to take 10 literal minutes to "apply policy settings", you have no idea how much that pisses me off :biggrin

    edit: just noticed that i'm able to ping my server by IP but not by name.
     
    Certifications: MCSE 2003, MCSA:M
  2. _omni_

    _omni_ Megabyte Poster

    647
    10
    62
    well thanks for all the help y'all ;) but i managed to find the solution.
    basically the IPSec service still started with Windows and was running, so i stopped and disabled it and now it works swell. :biggrin
     
    Certifications: MCSE 2003, MCSA:M
  3. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Omni,

    e-mail me a more detailed version if you want, i would like to here it.
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  4. _omni_

    _omni_ Megabyte Poster

    647
    10
    62
    thanks but the problem is solved. :)
     
    Certifications: MCSE 2003, MCSA:M
  5. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    Good but I would call that a workaround ;)

    I believe what happened here is that by deleting the GPO you left the setting on the client. You can think of group policies as making changes to the registry and those changes would be left there if you delete the policy.

    You should have created a local policy to reset the setting to *client* (respond only) and that would have worked I think :rolleyes:

    You could re-enable the IPSec service and test my theory :D
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  6. _omni_

    _omni_ Megabyte Poster

    647
    10
    62
    well i re-enabled the Secure Server GPO setting for my client, got it to stop communicating.
    then i simply unassigned the Secure Server setting instead of deleting the GPO, restarted the computer, and was (am) left with the same problem: though there is no policy in place to enforce IPSec, it is still enforced.

    again, i was able to regain communication by stopping the IPSec service...through the services console, because when i did the 'net stop ipsec' command this is what it said (and i went through with it :tune ):

    The following services are dependant on the IPSEC driver service.
    Stopping the IPSEC driver service will also stop these services.

    Telnet
    Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session)
    IPv6 Helper Service
    Microsoft IPv6 Protocol Driver
    IPSEC Services
    Network Location Awareness (NLA)
    TCP/IP NetBIOS Helper
    NetBios over Tcpip
    IP Network Address Translator
    DNS Client
    DNS Server
    DHCP Server
    DHCP Client
    TCP/IP Protocol Driver

    naturally that didn't help my communication problem :D

    edit: i see now that the command is 'net stop policyagent'. :rolleyes:
     
    Certifications: MCSE 2003, MCSA:M
  7. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  8. _omni_

    _omni_ Megabyte Poster

    647
    10
    62
    that's probably what happened the first time.
    the second time though i unassigned the policy instead of deleting the whole GPO, and it was the same. something kept telling the IPSec service to start.

    i just found this too:
    but as i cannot wait 24 hours, i want to disable group policy caching and see if that works; because, perhaps in the absence of any enforced IPSec setting, it assumes it must use the cached policy, seeing as the cached policy contains an enforced setting.
    so if caching is disabled, it will then be forced to "download" the current settings from my DC.
    just musing here.

    so...anyone know how to disable it? :eek:
     
    Certifications: MCSE 2003, MCSA:M

Share This Page

Loading...