The reason you can't initiate from host2 to host1 in your first scenario
is that host2 has a more generic filter than host1. It would be insecure
for host1 to accept a more general policy from someone initiating to it.
Reversing the initiation causes host1 to initiate to host2, which works
because host2 will accept a more specific policy.
"Daniel" <(E-Mail Removed)> wrote in message
news:4A77BB29-3772-45E2-A482-(E-Mail Removed)...
> Hi,
>
> I have a problem with two Server 2003 boxes and IPSec.
>
> First a definition:
> Filter action "require IPSec" means: require ESP+AH (3DES+SHA-1), do not
> allow unsecured communication, do not accept unsecured communication
>
> On host1 I have the rules<->actions
> icmp (any to me)<->require IPSec (mirrored)
> all ip traffic (any to any)<->block (mirrored)
>
> on host2
> all ip traffic (any to any)<->require IPSec (mirrored)
>
>
> When I do a "ping host1" on host2 I get a "negotiating IP Security".
> A network trace and IPSec monitor tell me that the hosts initiate a main
> mode session. After a quick mode packet from host2 to host1, host1 answers
> with an "ISAKMP informational" packet. Event Viewer on host1 says that IKE
> negotiation failed because of "no policy configured".
>
> When I start a ping from host1 to host2, the quick mode association gets
> established. pinging host1->host2 and vice versa works fine.
>
> When I change the rules on host1 to
> icmp (any to me)<->require IPSec (mirrored)
> all ip traffic (any to any)<->require IPSec (mirrored)
> everything works fine from the first moment.
>
> When I change the rules on host1 to
> icmp (any to me)<->require IPSec (mirrored)
> all ip traffic (host2 to host1)<->require IPSec (not mirrored!)
> all ip traffic (any to any)<->block (mirrored)
> two quick mode associations are established (any+icmp), but ping replies
> time out. After a "netsh ipsec dynamic delete all" on host1 ping works fine,
> so I suppose the problem here is mismatched quick mode associations.
>
>
> If I understand right, host1 needs an outbound rule that initiates an
> IKE negotiation to host2. Maybe the rule "all ip traffic<->require IPSec
> (mirrored)" on host1 does that. But why? There is only isakmp traffic, and
> udp 500 should not be triggered by IPsec filters. And why is the mirrored
> icmp rule not sufficient?
>
> Maybe someone can shed some light on that?
>
> Thanks,
> Daniel
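The specificity rule the reply gives (a responder only accepts a quick mode proposal that one of its own "require IPsec" filters is at least as general as) can be modelled directly. This is an added example, not code from the thread or from Windows; the string-based field matching, the `Filter`/`can_initiate` helpers and the 192.0.2.x addresses are all assumptions made for illustration.

```python
# Added example, not from the thread: a simplified model of the check the
# reply describes. A responder accepts a quick-mode proposal only when one of
# its own "require IPsec" filters is at least as general as the proposal;
# otherwise IKE fails with "no policy configured". Plain-string matching is an
# assumption that abstracts the real Windows IKE behaviour.
from collections import namedtuple

ANY = "any"
# src/dst: "any", "me" or an address; protocol: "any"/"icmp"; action: "require"/"block"
Filter = namedtuple("Filter", "src dst protocol action mirrored", defaults=(True,))

def resolve(f, my_addr):
    """Replace the 'me' placeholder with this host's own address."""
    sub = lambda a: my_addr if a == "me" else a
    return f._replace(src=sub(f.src), dst=sub(f.dst))

def orientations(f):
    """Directions the filter matches: as written, plus reversed when mirrored."""
    return [f] + ([f._replace(src=f.dst, dst=f.src)] if f.mirrored else [])

def covers(field, proposed):  # filter field at least as general as the proposal's
    return field == ANY or field == proposed

def outbound_proposal(f, initiator_addr):
    """What the initiator proposes: its filter oriented with itself as source."""
    f = resolve(f, initiator_addr)
    return next((o for o in orientations(f) if o.src == initiator_addr), f)

def responder_accepts(proposal, resp_policy, resp_addr):
    """True if some negotiate filter on the responder covers the proposal."""
    for f in resp_policy:
        if f.action != "require":
            continue                        # block filters never negotiate
        for o in orientations(resolve(f, resp_addr)):
            if (covers(o.src, proposal.src) and covers(o.dst, proposal.dst)
                    and covers(o.protocol, proposal.protocol)):
                return True
    return False

def can_initiate(init_policy, init_addr, resp_policy, resp_addr, protocol):
    """Use the initiator's first filter matching the traffic and try to negotiate."""
    for f in init_policy:
        if f.action == "require" and f.protocol in (ANY, protocol):
            return responder_accepts(outbound_proposal(f, init_addr), resp_policy, resp_addr)
    return False

# Constructed addresses; the policies are those of Daniel's first scenario.
HOST1, HOST2 = "192.0.2.1", "192.0.2.2"
HOST1_POLICY = [Filter("any", "me", "icmp", "require"), Filter("any", "any", "any", "block")]
HOST2_POLICY = [Filter("any", "any", "any", "require")]
```

With these policies `can_initiate(HOST2_POLICY, HOST2, HOST1_POLICY, HOST1, "icmp")` is False while the reverse direction is True; adding an "all ip traffic, require IPsec" filter to host1 (the change that made everything work) makes both directions succeed.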