"There are 0 filters" using IPSec via GPO


Michael J. Reynolds
I'm using group policy (all DCs are Win2k) to apply IPSec group policy to
Win2k servers in an OU. "netdiag /test:ipsec /v /debug" returns the
following:

===============================================================
IP Security test . . . . . . . . . : Passed
Directory IPSec Policy Active: 'Server (Request Security)'
IP Security Policy Path:
LDAP://CN=ipsecPolicy{72385230-70FA-11D1-864C-14A30
0000000},CN=IP Security,CN=System,DC=xxx,DC=xxx,DC=xxx

There are 0 filters
===============================================================

Note the problem: "there are 0 filters". If I then open Local Security
Policy (I get the "domain policy overrides this one" warning) and assign the
very same policy (status says "assigned, but DS policy overriding"), netdiag
returns:

===============================================================
IP Security test . . . . . . . . . : Passed
Directory IPSec Policy Active: 'Server (Request Security)'
IP Security Policy Path:
LDAP://CN=ipsecPolicy{72385230-70FA-11D1-864C-14A3
0000000},CN=IP Security,CN=System,DC=lib,DC=washington,DC=edu

There are 8 filters
ICMP
Filter Id: {3BA29370-9E58-4A6C-9C44-91ABFE862C53}
Policy Id: {E027E173-05A6-4450-B2EF-DC8590EBBB03}
Src Addr : xxx.xxx.xxx.xxx Src Mask : 255.255.255.255
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Outbound
<... listing for seven more filters...>
===============================================================

so there's nothing wrong in general with using the "Server (Request Security)"
policy. So why do no filters apply when I assign this policy via a domain
GPO?

I've checked everything I can think of, have created simple filter lists and
tried those, have turned on ipsec debugging and gotten output from
userenv.log (no enlightenment there), have turned on "block policy
inheritance" and "no override" in my domain group policy editor to keep
other GPOs from preventing this one from being applied. I've reset local
policy and GPO back to default policy lists, I've blinked IP policy
assistant, I've done many, many "secedit /refreshpolicy machine_policy
/enforce" commands after unassigning, disabling, deleting, and otherwise
changing policy, and each time, if I assign any IPSec policy via GPO from
the DC, I always get the maddening "There are 0 filters" problem. I've tried moving
a different (very clean) server into this OU, thinking maybe something was
corrupt on this particular client, but get the same result on that server. I've
added the user I'm doing this as to the domain "Group Policy Creator Owners"
group.

I'm certain that in fact the filters are not "active" because ipsecmon shows
none present and because I've done test IPSec rules disabling ICMP or
various network protocols and tests always indicate the IPSec policy works
if done locally from Local Security Policy, but if done via domain GPO IPSec
policy has no effect.

I've spent two days searching via google, Technet, and this newsgroup and
found no mention of anyone else having this problem, am ready to give up and
just manually configure IPSec locally on all of our servers, but I really
hate not using group policy for this just because I can't get it to work.
Does anybody have any suggestions on how to fix?

Thanks in advance for any advice.

Mike Reynolds
ITS dept
University of Washington Libraries
reynolds@u.washington.edu
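The netdiag output quoted above is the only hard evidence in this thread, so here is a small parser for it, written as an added example (it is not from the thread or from Microsoft's tooling): it reads the "IP Security test" section, re-joins the wrapped LDAP policy path, pulls each filter's fields, and reports the "policy assigned but 0 filters" mismatch described above. The sample blocks are constructed from the quoted output; the domain, host address and second filter id are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples modelled on the netdiag output quoted in the thread
# (domain, host address and the second filter's id are placeholders).
HEADER = """\
IP Security test . . . . . . . . . : Passed
Directory IPSec Policy Active: 'Server (Request Security)'
IP Security Policy Path:
LDAP://CN=ipsecPolicy{72385230-70FA-11D1-864C-14A30
0000000},CN=IP Security,CN=System,DC=example,DC=test

"""
SAMPLE_BROKEN = HEADER + "There are 0 filters\n"   # the GPO-assigned case
SAMPLE_WORKING = HEADER + """There are 2 filters
ICMP
Filter Id: {3BA29370-9E58-4A6C-9C44-91ABFE862C53}
Policy Id: {E027E173-05A6-4450-B2EF-DC8590EBBB03}
Src Addr : 192.0.2.10 Src Mask : 255.255.255.255
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Outbound
All IP Traffic
Filter Id: {00000000-0000-0000-0000-000000000002}
Policy Id: {E027E173-05A6-4450-B2EF-DC8590EBBB03}
Src Addr : 192.0.2.10 Src Mask : 255.255.255.255
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: No
Flags : Inbound
"""

ACTIVE_RE = re.compile(r"^Directory IPSec Policy Active:\s*'(.*)'")
PATH_RE = re.compile(r"^IP Security Policy Path:\s*(.*)$")
COUNT_RE = re.compile(r"^There are (\d+) filters?")
# "Src Addr : 1.2.3.4 Src Mask : 255.255.255.255" -> two key/value pairs
KV_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")

@dataclass
class IpsecTestResult:
    active_policy: Optional[str] = None
    policy_path: str = ""
    declared_filters: Optional[int] = None
    filters: List[Dict[str, str]] = field(default_factory=list)

def parse_netdiag_ipsec(text: str) -> IpsecTestResult:
    """Parse the 'IP Security test' section of netdiag /test:ipsec /v /debug."""
    result = IpsecTestResult()
    in_path = False                       # inside a wrapped LDAP policy path
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            in_path = False               # blank or ==== line ends the path
        elif (m := ACTIVE_RE.match(line)):
            result.active_policy = m.group(1)
        elif (m := PATH_RE.match(line)):
            result.policy_path, in_path = m.group(1), True
        elif (m := COUNT_RE.match(line)):
            result.declared_filters, in_path = int(m.group(1)), False
        elif in_path:
            result.policy_path += line    # netdiag wraps the DN mid-token
        elif result.declared_filters is None:
            continue                      # header line we do not model
        elif ":" not in line:
            current = {"Name": line}      # a bare name line starts a filter
            result.filters.append(current)
        elif current is not None:
            current.update(KV_RE.findall(line))
    return result

def policy_source(result: IpsecTestResult) -> str:
    """'directory' when the policy came from AD via GPO, else 'local'."""
    return "directory" if result.policy_path.upper().startswith("LDAP://") else "local"

def diagnose(result: IpsecTestResult) -> List[str]:
    """Findings about the parsed output; an empty list means it is consistent."""
    if result.active_policy is None:
        return ["no IPSec policy is active on this host"]
    if result.declared_filters == 0:
        return [f"{policy_source(result)} policy '{result.active_policy}' is assigned "
                "but the policy agent loaded 0 filters: the assignment reached the host, its filter lists did not"]
    if result.declared_filters != len(result.filters):
        return [f"netdiag declares {result.declared_filters} filters but "
                f"{len(result.filters)} were listed; output may be truncated"]
    return []
```

Run it over a saved netdiag transcript to tell the "assignment arrived, filters did not" case apart from a host with no policy at all.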



Steven L Umbach
I have not seen that myself but if you have not tried this yet, delete all the
policies in the GPO and then select Ipsec Security Policies in the left pane of
security policy, right click and select all tasks - restore default policies. You
can also try "check policy integrity" while there. If none of that helps it would be
interesting to see what would happen if you exported the policies from a local policy
that works fine and then import those into the GPO you are using after deleting the
existing default policies first. --- Steve


"Michael J. Reynolds" wrote in message
news:O2xSqL5lEHA.3156@TK2MSFTNGP12.phx.gbl...



Michael J. Reynolds
Thanks for taking the time to write. Unfortunately, the steps you suggested
didn't help. I tried:

1) Deleting all IPSec policies in the GPO
2) Doing "restore default policies"
3) Doing "check policy integrity"
4) Doing "secedit /refreshpolicy machine_policy /enforce"

ipsecmon shows no connections being run thru ipsec, and "netdiag /test:ipsec /v
/debug" still says "There are 0 filters".

I also tried:

1) Deleting all IPSec policies in the GPO
2) Deleting all IPSec policies in Local Security Settings
3) Doing "restore default policies" in Local Security Settings
4) Assigning "request security" policy in Local Security Settings, verifying
(ipsecmon, netdiag) that policies are working
5) Exporting IPSec policies from Local Security Settings to a file, importing
them into the GPO IPSec gui (and choosing the "delete existing policies"
checkbox, just for good measure)
6) Assigning the "request security" policy in the GPO
7) Doing "secedit /refreshpolicy machine_policy /enforce"
8) Verifying (event log, \winnt\debug\usermode\userenv.log) that policy has
been downloaded

Again, ipsecmon shows no connections being run thru ipsec, and "netdiag
/test:ipsec /v /debug" still says "There are 0 filters".

In case anyone's curious, here are relevant status lines from userenv.log
after doing the latter procedure above:

USERENV(100.2f8) 11:20:34:148 ProcessGPOs: Processing extension IP Security
USERENV(100.2f8) 11:20:34:148 CompareGPOLists: One list is empty
USERENV(100.2f8) 11:20:34:148 ProcessGPOList: Entering for extension IP Security
USERENV(100.2f8) 11:20:34:210 ProcessGPOList: Extension IP Security returned 0x0.

Unless someone has any suggestions how to fix, I'm going to resort to just
importing policies to Local Security Settings on each server individually.
Maybe when I get my DCs upgraded to Server 2003 this'll work better?

--Mike Reynolds
Libraries ITS
University of Washington

"Steven L Umbach" wrote in message
news:M6t0d.279948$8_6.179130@attbi_s04...



Steven L Umbach
Hi Mike.

Well what you are experiencing sounds bizarre. It seems the policy is being applied
but corrupted somehow from the OU level. The gpresult tool can help in determining
what policies are being applied to a computer and when they were last refreshed. From
here I would make sure that the servers you want to apply the policy to are not
having any problems with connectivity to the domain controller or their computer
account/secure channel by running the netdiag support tool on them. If they check out
fine I would create a new GPO for the OU and try that [my guess is you already have].
Another thing to consider is that ipsec policies must exempt domain controllers by
their IP addresses from the policy with a permit action. Domain controllers cannot
engage in ipsec negotiation policies with domain members since they authenticate
domain computers. The KB link below explains this a bit more. Keep in mind that you
should unassign ipsec policies before deleting them or the GPO that contains them or
the computer will still consider the policy assigned until you assign a new policy to
it.

http://support.microsoft.com/?kbid=254949




"Michael J. Reynolds" wrote in message
news:OQ4P7BcmEHA.3632@TK2MSFTNGP09.phx.gbl...



Michael J. Reynolds
Yep, I did try starting with a fresh OU and fresh GPO, same result. Thanks
again for trying. I'm over with this now unless someone else suggests
something to try, will be using local security tool until we upgrade the
DCs to Windows 2003, at which point I'll try again.

I'm aware of the negotiation limitations between DC's and domain members; my
understanding is that this shouldn't apply since I'm only trying to
firewall, not encrypt traffic (all filters set to "no tunnel required", all
filter actions are "permit" except for the deny filter's "deny" action).

Thanks again for your efforts. --Mike

"Steven L Umbach" wrote in message
news:X6o1d.86653$3l3.23325@attbi_s03...