my client and IPSec :(

Discussion in 'Computer Security' started by _omni_, Dec 27, 2005.

  1. _omni_

    _omni_ Megabyte Poster

    dunno if this is the right section.

    anyway i was studying today, and i put a GPO on my client's OU. that GPO had only the IPSec policy "Secure Server" applied.

    so that broke communication between the client and the server, which was my goal. (the server had no policy applied).

    so then i wanted to remove it, to set things back to normal.

    i deleted the relevant GPO and did a gpupdate /force on the client.

    still can't communicate with server.

    i did the gpupdate on both computers, and restarted them.

    still nothing.

    i set the default domain policy to Respond Only, so hopefully my server would respond to the client's insistence on IPSec (that's what i think it is) and restarted them both.

    still nothing.

    removed that, restarted, still nothing.

    from my server i am able to access the internet and ping my client, but i cannot access it through i.e. \\client.

    from my client i cannot ping my server or access the internet.

    i am writing this from my server now, but i desperately need my client to work.

    i also did a RSOP on my client, but there's no IPSec section :(

    and restarting my client is pure hell, somehow it has decided to take 10 literal minutes to "apply policy settings", you have no idea how much that pisses me off :biggrin

    edit: just noticed that i'm able to ping my server by IP but not by name.
     
    Certifications: MCSE 2003, MCSA:M
  2. _omni_

    _omni_ Megabyte Poster

    well thanks for all the help y'all ;) but i managed to find the solution.
    basically the IPSec service still started with Windows and was running, so i stopped and disabled it and now it works swell. :biggrin
     
    Certifications: MCSE 2003, MCSA:M
  3. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Omni,

    e-mail me a more detailed version if you want, i would like to hear it.
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  4. _omni_

    _omni_ Megabyte Poster

    thanks but the problem is solved. :)
     
    Certifications: MCSE 2003, MCSA:M
  5. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Good but I would call that a workaround ;)

    I believe what happened here is that by deleting the GPO you left the setting on the client. You can think of group policies as making changes to the registry and those changes would be left there if you delete the policy.

    You should have created a local policy to reset the setting to *client* (respond only) and that would have worked I think :rolleyes:

    You could re-enable the IPSec service and test my theory :D
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  6. _omni_

    _omni_ Megabyte Poster

    well i re-enabled the Secure Server GPO setting for my client, got it to stop communicating.
    then i simply unassigned the Secure Server setting instead of deleting the GPO, restarted the computer, and was (am) left with the same problem: though there is no policy in place to enforce IPSec, it is still enforced.

    again, i was able to regain communication by stopping the IPSec service...through the services console, because when i did the 'net stop ipsec' command this is what it said (and i went through with it :tune ):

    The following services are dependant on the IPSEC driver service.
    Stopping the IPSEC driver service will also stop these services.

    Telnet
    Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session)
    IPv6 Helper Service
    Microsoft IPv6 Protocol Driver
    IPSEC Services
    Network Location Awareness (NLA)
    TCP/IP NetBIOS Helper
    NetBios over Tcpip
    IP Network Address Translator
    DNS Client
    DNS Server
    DHCP Server
    DHCP Client
    TCP/IP Protocol Driver

    naturally that didn't help my communication problem :D

    edit: i see now that the command is 'net stop policyagent'. :rolleyes:
     
    Certifications: MCSE 2003, MCSA:M
  7. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  8. _omni_

    _omni_ Megabyte Poster

    that's probably what happened the first time.
    the second time though i unassigned the policy instead of deleting the whole GPO, and it was the same. something kept telling the IPSec service to start.

    i just found this too:
    but as i cannot wait 24 hours, i want to disable group policy caching and see if that works; because, perhaps in the absence of any enforced IPSec setting, it assumes it must use the cached policy, seeing as the cached policy contains an enforced setting.
    so if caching is disabled, it will then be forced to "download" the current settings from my DC.
    just musing here.

    so...anyone know how to disable it? :eek:
     
    Certifications: MCSE 2003, MCSA:M
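
A read-only way to check the theory discussed in this thread (an IPSec assignment left behind on the client after the GPO was deleted or unassigned), added here as an example and not posted by any participant. It assumes PowerShell 2.0 or later and the standard Windows XP / Server 2003 IPSec policy registry locations, none of which are quoted in the thread; the function name `Get-IPsecPolicyState` is hypothetical.

```powershell
# Added example (not from the thread). Read-only: reports where an IPSec policy
# assignment may still be recorded on a client after the GPO was changed.
# Assumption: standard Windows XP / Server 2003 IPSec policy registry layout.
$IPsecBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec'
$SvcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'

function Get-IPsecPolicyState {
    # PolicyAgent is the service name behind "IPSEC Services" in the thread.
    $svc       = Get-Service -Name PolicyAgent -ErrorAction SilentlyContinue
    $svcStatus = 'NotInstalled'
    if ($svc) { $svcStatus = "$($svc.Status)" }

    # Startup type as stored in the service's registry key.
    $start     = (Get-ItemProperty -Path $SvcKey -ErrorAction SilentlyContinue).Start
    $startName = 'Unknown'
    if ($null -ne $start) {
        $startName = switch ($start) { 2 {'Automatic'} 3 {'Manual'} 4 {'Disabled'} default {"Start=$start"} }
    }

    # Domain (GPO-delivered) assignment recorded on this machine, if any.
    $gpt = Get-ItemProperty -Path "$IPsecBase\GPTIPSECPolicy" -ErrorAction SilentlyContinue

    # Locally cached copy of the directory policy objects.
    $cacheKey   = "$IPsecBase\Policy\Cache"
    $cacheCount = 0
    if (Test-Path $cacheKey) { $cacheCount = @(Get-ChildItem $cacheKey).Count }

    # Locally assigned policy (local security policy rather than a GPO).
    $local = Get-ItemProperty -Path "$IPsecBase\Policy\Local" -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        ServiceStatus     = $svcStatus
        ServiceStartup    = $startName
        DomainPolicyName  = $gpt.DSIPSECPolicyName
        DomainPolicyPath  = $gpt.DSIPSECPolicyPath
        CachedObjects     = $cacheCount
        LocalActivePolicy = $local.ActivePolicy
    }
}

$state = Get-IPsecPolicyState
$state | Format-List
if ($state.DomainPolicyName) {
    "Domain IPSec policy still recorded on this client: $($state.DomainPolicyName)"
} elseif ($state.CachedObjects -gt 0) {
    "No domain assignment recorded, but $($state.CachedObjects) cached policy object(s) remain."
} elseif ($state.LocalActivePolicy) {
    "A local IPSec policy is assigned: $($state.LocalActivePolicy)"
} else {
    "No IPSec policy assignment found in the registry."
}
```

Run it on the client before and after `gpupdate /force`; if the domain policy name is still listed after the GPO no longer assigns one, the client is enforcing a leftover assignment rather than a current one.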
