Discussion:
IPSEC Tunnel for Active Directory Replication through Firewall using CIDR
s***@yahoo.com
2007-10-26 18:47:35 UTC
We are in the process of re-organizing our network into a Win2K3-based
AD forest. One area of the network is a Class C that has been
subnetted. One subnet contains the Forest Root Domain (let's call
this network 192.168.65.0/27 therefore the subnet mask is
255.255.255.224). Another subnet contains a Child Domain
(192.168.65.128/26, therefore, 255.255.255.192).

We have a Certificate Services infrastructure in place and are using
certificates on the DCs. We followed the instructions laid out at
http://technet.microsoft.com/en-us/library/Bb727063.aspx but when we
assign the policies, the two servers never complete the security
negotiation. If we un-assign the policy, all is fine.

We do have NAT disabled at the firewall.

As a test, we set up the exact same IPSEC tunnels between two servers
in a segment that is not using CIDR, and they communicated fine. In
another CIDR segment, we also tested and it too failed.

Is there something about CIDR-based subnets and firewalls that just
refuses to let IPSEC negotiations take place, or are we missing
something?

Thanks,

Steve
s***@yahoo.com
2007-10-30 20:08:55 UTC
Following up on this:

The systems cannot negotiate a secure connection. If we unassign
IPSEC policies, communication is established immediately.

We are dealing with standardized servers that have been "secured"
through the use of some group policies by another team. It is now our
belief that one of the policies is actually causing the problem. To
test that, we tried establishing the exact same IPSEC policy on two
other servers which are not standardized with the policies, and the
IPSEC connection works. Systems with the standard configuration will
not communicate via IPSEC, even when they are physically in the same
subnet.

Can anyone think of a particular GPO that might prevent an IPSEC
negotiation from getting resolved, but that would not break
connectivity for the same traffic without IPSEC?

Thanks,

Steve