IPsec connection cannot be established from BOTH endpoints
Dear friends,
I am experiencing a strange problem resulting in the inability to establish
the IPsec connection from both communication partners: it only works when
machine B contacts machine A, not vice versa. After pinging machine A, A can
ping B - otherwise I get the message that IP security is being negotiated.
Both boxes have static, public IPs and I have defined an IPsec rule based on
those specific IPs. I did that for two pairs of boxes, pair A is working
fine, machine A can contact machine B and vice versa. But my second pair has
the above mentioned problem.
Any hint to work around this problem would be very nice.
Many thanks in advance,
Tobias Punke
Re: IPsec connection cannot be established from BOTH endpoints
Hi Tobias,
Ping inserts the MAC addresses of both hosts into each other's arp cache,
which might explain why you are able to connect after pinging (use 'arp -a'
to view and 'arp -d' to delete entries).
Are both pairs of machines on the same or similar subnets, with similar
default gateways and identical or similar routers/hubs/switches between?
Are they all running the same operating system - all workstations or some
servers? Do they all have the same NIC cards?
This is just a wild guess, but you might try turning 'Tx Checksum Offload'
off on the NIC card in the machine where you are having trouble. See if it
makes a difference.
If that doesn't work, check the system and security event logs in Event
Viewer. You may have a problem with certificates.
Refer to the following technet article on troubleshooting IPSec:
http://technet2.microsoft.com/WindowsServer/en/Library/b0b726fc-c6b7-426a-964f-9c7b1c8ef3a81033.mspx?mfr=true
I hope this helps!
--
Greg Lindsay [MSFT]
greg.lindsay@microsoft.com
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
"Tobias Punke" <tobias@tobisnet.net> wrote in message
news:OOjKZVcqGHA.148@TK2MSFTNGP04.phx.gbl...
> Dear friends,
>
> I am experiencing a strange problem resulting in the inability to establish
> the IPsec connection from both communication partners: it only works when
> machine B contacts machine A, not vice versa. After pinging machine A, A
> can ping B - otherwise I get the message that IP security is being
> negotiated.
>
> Both boxes have static, public IPs and I have defined an IPsec rule based
> on those specific IPs. I did that for two pairs of boxes, pair A is
> working fine, machine A can contact machine B and vice versa. But my
> second pair has the above mentioned problem.
>
> Any hint to work around this problem would be very nice.
>
> Many thanks in advance,
> Tobias Punke
>
Re: IPsec connection cannot be established from BOTH endpoints
re: different behavior between the machines for IPsec negotiations.
Does each machine have the same mirrored IPsec rule?
IP_Server_A < - > IP_Server_B, Negotiate Security
re: ICMP
I would suggest adding the following rule to exempt ICMP from IPsec
negotiations
Me < - > Any, ICMP, Permit (mirrored)
Jason
"Tobias Punke" <tobias@tobisnet.net> wrote in message
news:OOjKZVcqGHA.148@TK2MSFTNGP04.phx.gbl...
> Dear friends,
>
> I am experiencing a strange problem resulting in the inability to establish
> the IPsec connection from both communication partners: it only works when
> machine B contacts machine A, not vice versa. After pinging machine A, A
> can ping B - otherwise I get the message that IP security is being
> negotiated.
>
> Both boxes have static, public IPs and I have defined an IPsec rule based
> on those specific IPs. I did that for two pairs of boxes, pair A is
> working fine, machine A can contact machine B and vice versa. But my
> second pair has the above mentioned problem.
>
> Any hint to work around this problem would be very nice.
>
> Many thanks in advance,
> Tobias Punke
>
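The two rules Jason lists (a mirrored Negotiate Security rule between the two server IPs, and an ICMP exemption), together with the checks Greg suggests (security event log, certificate problems), can be expressed with the Windows NetSecurity cmdlets on Windows 8 / Server 2012 and later. The script below is an added example written for this thread, not code posted by either of them or by Microsoft. The IP addresses, rule names and CA distinguished name are placeholders; it assumes machine certificates from one CA on both servers, that the `Phase1AuthSet` parameter accepts the auth set's `Name`, and that auditing of IPsec Main Mode and Quick Mode is enabled so that event IDs 4653 and 4654 are written. It must be run elevated on both servers with the local and remote addresses swapped, because a Negotiate Security rule that exists on only one side produces exactly the one-way behaviour in the question.

```powershell
# Added example (not from the thread): Jason's two IPsec rules and Greg's log checks,
# expressed with the NetSecurity cmdlets. All addresses and names are placeholders.
# Run elevated on BOTH servers, swapping $Local and $Remote on the second one.
param(
    [string]$Local  = '203.0.113.10',              # this server's public IP (placeholder)
    [string]$Remote = '198.51.100.20',             # the peer's public IP (placeholder)
    [string]$CaDn   = 'CN=Placeholder-Root-CA'     # issuer of the machine certs (placeholder)
)

# Phase 1 authentication: machine certificates issued by one CA on both sides.
# If this CA name or the installed certificates do not match on both servers,
# the main-mode negotiation fails, which is the certificate problem Greg refers to.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaDn
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Thread-Example-Auth' -Proposal $proposal

# Rule 1: IP_Server_A <-> IP_Server_B, Negotiate Security.
# A connection security rule covers both directions, which is what "mirrored"
# meant in the IPsec policy MMC; the same rule (with addresses swapped) must
# exist on the peer or only one side will ever initiate IKE.
New-NetIPsecRule -DisplayName 'ServerA-ServerB Negotiate' `
    -LocalAddress $Local -RemoteAddress $Remote `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name           # assumption: parameter accepts the set's Name

# Rule 2: Me <-> Any, ICMP, Permit.
# Exempting ICMP keeps ping out of the IPsec negotiation, so ping stops
# returning "IP security is being negotiated" and becomes a usable reachability
# test that does not depend on the IPsec state.
Set-NetFirewallSetting -Exemptions Icmp

# Check 1: after sending traffic to the peer, is there a main-mode (IKE) and a
# quick-mode SA for it? No main-mode SA means phase 1 (authentication) failed.
Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $Remote }
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $Remote }

# Check 2: failed negotiations are written to the Security log once IPsec
# auditing is enabled; 4653 = main mode failed, 4654 = quick mode failed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653, 4654 } -MaxEvents 20 |
    Format-List TimeCreated, Id, Message
```

Apply the script on the working pair first and compare the SA listings with the failing pair: a peer that shows a main-mode SA when it initiates but none when it receives has a missing or non-matching rule on the receiving side, which is the first thing Jason's question is meant to flush out.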