IPSec configuration failure on Windows Server
Failed to configure IPSec on Windows Server. I am not sure what I did wrong, but I am trying to block certain incoming connections. That is still accessible via RDP. I do not want to block completely. Actually, I am a novice in IPSec configuration. I do not understand why this happens. I want to secure the traffic. Later on my friend noticed some bad SPI errors in the event log file. We had built a new server on the LAN, and want to limit the access via IPSec. What should I do?
Re: IPSec configuration failure on Windows Server
The thing that you mentioned about traffic security can be caused by a connectivity failure. In simple words, there is an IPSec SA which is responsible for securing the traffic on the network. If you are facing an issue related to that, I will advise you to read about IPSec SA. Check your filter list first. Did you allow non-IPSec systems to access your network? You will have to thoroughly check all the network policies. This is quite important. Check your manual for that. The IPSec traffic needs a secure connection. For that you will need to disable access to unsecured communication. Try this one. Go to the security tab and then click on filter. Enable block access to non-IPSec connections and then check back. Ensure that you are getting the right message on your screen. I also want to add something on IPSec negotiation failure. This happens if any unsecured connection is set to on. To make this work fine, it is quite necessary that all the systems on the network are IPSec enabled or support it. If some systems on the network do not support it, then you will need to block access to them. This is quite necessary. Read on technet.microsoft.com about troubleshooting IPSec. You will find ample information there.
Re: IPSec configuration failure on Windows Server
Recently I faced an issue where computers on the network were not able to communicate with each other. All those systems were secure and access was allowed to all. To initiate a proper secure connection, it is necessary that all systems are enabled with common settings, because the issue appears when unsecured and secure connections are both on a single network. Either move them to another network or follow strict network policies to control them.
Re: IPSec configuration failure on Windows Server
I have some tips here that might help you to fix the issue that you are facing. First, I will advise you to work on the IPSec policies. This is quite important, because if policies are not configured properly you will face this kind of error. First of all, I will not recommend you to configure IPSec just by reading a manual; you need an expert's advice on that. You have to ensure that all settings are properly configured so that you can troubleshoot it in future. To fix those regular issues, you will need to properly trace the different IPSec problems. These problems can be found and noted from the logs. The authentication process also works fine if IPSec is running properly. There are different kinds of IPSec tools that work in the background. The easy way to check whether IPSec is working in the background or not is by running Network Monitor. Network Monitor will give you a clear idea about IPSec functioning. After configuration, you can try to reboot IPSec so that all the changes that you have made are initiated well.
Re: IPSec configuration failure on Windows Server
It looks to be a complicated process. Instead of configuring that in your own way, better talk to some network admin or a person who specializes in that troubleshooting, because IPSec consists of a number of policy configurations and authentication methods. That cannot be explained in short.
Re: IPSec configuration failure on Windows Server
Do one thing. Take a paper and make a checklist of what you will have to check. First start with the policies. Those are the things which control everything. Second, check whether all PCs on your network support IPSec or not. Those that do are called IPSec aware. If not, then there will be some problem between secure and unsecured connections. You will need to define a separate policy to manage connections with that unsecured traffic. Check that each and every policy is configured in active mode and that they are working. You can test that by using any network PC. Or else you can try using Microsoft Management Console. Run this and add IP Security Monitor to it. This will help you to find the active processes on the network. Modify any policies that you find might cause issues. You can re-create all policies one by one and check whether all are working or not.
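The checklist in the post above (policy definitions, which policy is assigned, filter lists, and the active security associations that IP Security Monitor displays) can also be captured from the command line. This is an added example, not code from any poster in this thread; it assumes an elevated PowerShell 3.0+ prompt on a server using legacy IPsec policies managed through `netsh ipsec`, and the function name and output folder are hypothetical.

```powershell
# Added example: collects the state the checklist asks about into one text report.
# Assumes an elevated prompt and legacy IPsec policies managed with "netsh ipsec".
function Get-IPsecChecklistReport {
    param([string]$OutDir = (Join-Path $env:TEMP 'ipsec-check'))  # hypothetical folder

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $report = Join-Path $OutDir ("ipsec-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))

    # The IPsec Policy Agent service applies the policy; check it first.
    $svc = Get-Service -Name PolicyAgent
    "PolicyAgent service: $($svc.Status)" | Set-Content $report
    if ($svc.Status -ne 'Running') {
        "WARNING: PolicyAgent is not running, so IPsec policy is not being applied." |
            Add-Content $report
    }

    # Checklist item -> netsh context and command that answers it.
    $steps = [ordered]@{
        'Policies defined in the local store' = 'ipsec static show policy all'
        'Policy assigned through Group Policy' = 'ipsec static show gpoassignedpolicy'
        'Filter lists (which traffic is matched)' = 'ipsec static show filterlist all'
        'Main mode security associations' = 'ipsec dynamic show mmsas all'
        'Quick mode security associations' = 'ipsec dynamic show qmsas all'
        'IKE and IPsec statistics' = 'ipsec dynamic show stats'
    }

    foreach ($title in $steps.Keys) {
        "`r`n===== $title =====" | Add-Content $report
        # Split the command string into separate arguments for netsh.exe.
        $out = & netsh.exe ($steps[$title] -split ' ') 2>&1
        $out | Out-String | Add-Content $report
        if ($LASTEXITCODE -ne 0) {
            "(netsh exit code $LASTEXITCODE)" | Add-Content $report
        }
    }
    return $report   # path of the report file that was written
}

# Example call: notepad (Get-IPsecChecklistReport)
```

Running it once before and once after a policy change gives two reports that can be compared to see which filter list or security association actually changed.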
Re: IPSec configuration failure on Windows Server
What I know is that if IPSec does not work, then you have to disable it completely. Then you will need to configure the same from the start. There are no midway changes that can make this thing work. Try to re-configure this again.
Re: IPSec configuration failure on Windows Server
It is possible that some of your IPSec policies are corrupted, because of which you are facing that issue. It is necessary that you properly check that all policies are fine. There is a small process by which you can restore the corrupt policy. You can remove that or fix that; it is your choice. But if you are not much aware of the same, I will advise you not to make any changes. I will not really advise a registry fix for beginners, because if something goes wrong your server will not work properly. The most you can do is disable all the stuff and start fixing it from scratch. You can do that as many times as you want. As you said, the server that you are using is on a small network. So in my case, building it all up again from scratch wouldn't be a bad option.
Re: IPSec configuration failure on Windows Server
IPSec configuration also depends on the device you are using. For example, if you are using a Cisco router, then the settings and troubleshooting guide are available on the official website of Cisco. Why don't you try reading that? I hope that can help you.