Welcome to ISAserver.org
Allow Authenticated IPSec Bypass GP

Forum: ISA Server 2004 Firewall >> VPN
Allow Authenticated IPSec Bypass GP - 15.Dec.2005 9:59:07 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
L2TP/IPSec VPN on ISA 2004 SP1/WS 2003 SP1, Win XP SP2 client. Currently using a pre-shared key--no cert.

I have done everything in http://www.microsoft.com/technet/security/prodtech/windowsxp/adprtect.mspx relating to the "Allow authenticated IPSec Bypass" policy.

However, the firewall is still dropping packets from computers that are members of the group.

After a GPUPDATE, I used RSOP to verify that the client applied the policy, and double-checked the SDDL. All correct.

Any idea why it isn't working? Is it because I'm using a pre-shared key instead of a cert?
Post #: 1
RE: Allow Authenticated IPSec Bypass GP - 16.Dec.2005 6:10:10 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I imagine that this only works with certificates, when cert-to-account mapping is enabled, or when using Kerberos for the IPSec authentication.

Since the IPSec bypass works by consulting the SID (through the SDDL), there must be some domain-account-based verification of the SID in order for IPSec negotiations to complete.

(in reply to JeffVandervoort)
Post #: 2
RE: Allow Authenticated IPSec Bypass GP - 23.Dec.2005 12:00:49 AM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
OK...I set up a CA and issued certs to the ISA computer and the VPN client computer. Disabled pre-shared key.

I can log on using "Log on using dial-up connection" and everything seems to work properly...except the firewall bypass. I've triple-checked the SID in the SDDL. Domain Admins (of which my acct is a member) and a computer on the internal network that I'm using to test this are both in the group whose SID is specified in the policy. But packets Windows Firewall is supposed to drop when off the LAN are still dropped, whether they are packets I send (ping, for example) or those sent by the computer.

One other thing I've wondered about this policy: Documentation I've seen seems to imply--without ever actually saying it outright--that if I enter the SID within the parentheses, I can use the remainder of the SDDL syntax as it's shown in the GP property dialog. Nothing changes outside the parens that surround the SID...right?

(in reply to ClintD)
Post #: 3
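The SDDL question in the post above, as an added example that is not part of the thread (editor's PowerShell, not code from any poster): it resolves a group to its SID, builds the policy string in the O:DAG:DAD:(A;;RCGW;;;<SID>) form the policy dialog shows, and parses a pasted string back with the .NET security-descriptor parser so a mistyped SID, or a stray character outside the parentheses, is caught before Group Policy pushes it. The group name CONTOSO\IPsecBypass and the sample pasted string are placeholders. One caveat the check cannot cover: the bypass is evaluated by the Windows Firewall on the host that receives the IPsec-protected packets, and in an L2TP/IPsec VPN the IPsec security association ends at the VPN server, so internal hosts never see IPsec-authenticated traffic from the client.

```powershell
# Added example, not from the thread. Placeholder group name; replace with the real group.
$GroupName = 'CONTOSO\IPsecBypass'

function Get-GroupSid {
    param([string]$Name)
    # Resolve DOMAIN\Group to the S-1-5-21-...-RID string that goes inside the ACE.
    $account = New-Object System.Security.Principal.NTAccount($Name)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-IPsecBypassSddl {
    param([string]$Sid)
    # Only the SID changes; owner (O:DA), group (G:DA) and the Allow ACE with RC+GW
    # rights are kept exactly as the policy dialog shows them.
    "O:DAG:DAD:(A;;RCGW;;;$Sid)"
}

function Test-IPsecBypassSddl {
    param([string]$Sddl, [string]$ExpectedSid)
    # RC = READ_CONTROL (0x00020000), GW = GENERIC_WRITE (0x40000000)
    $expectedMask = 0x40020000
    try {
        # Same parser Windows uses; it resolves DA against the domain of the machine
        # running this, so run it on a domain-joined box.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    } catch {
        Write-Warning "SDDL does not parse: $($_.Exception.Message)"
        return $false
    }
    $allow = @($sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
    })
    foreach ($ace in $allow) {
        Write-Host ('Allow ACE: mask=0x{0:X8} sid={1}' -f $ace.AccessMask, $ace.SecurityIdentifier.Value)
    }
    $hit = $allow | Where-Object { $_.SecurityIdentifier.Value -eq $ExpectedSid } | Select-Object -First 1
    if (-not $hit) {
        Write-Warning "No Allow ACE carries $ExpectedSid; the SID inside the parentheses does not match the group"
        return $false
    }
    if (($hit.AccessMask -band $expectedMask) -ne $expectedMask) {
        Write-Warning ('ACE for {0} has mask 0x{1:X8}, expected RCGW (0x{2:X8})' -f $ExpectedSid, $hit.AccessMask, $expectedMask)
        return $false
    }
    return $true
}

$sid  = Get-GroupSid $GroupName
$sddl = New-IPsecBypassSddl $sid
Write-Host "Policy string to paste: $sddl"
Test-IPsecBypassSddl -Sddl $sddl -ExpectedSid $sid

# Cross-check a string already in the GPO (placeholder value) against the resolved SID.
$pasted = 'O:DAG:DAD:(A;;RCGW;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
Test-IPsecBypassSddl -Sddl $pasted -ExpectedSid $sid
```

The parse step is the useful part: RawSecurityDescriptor rejects anything that is not valid SDDL, and the ACE dump shows exactly which SID and rights the policy will carry, which is a stronger check than eyeballing the string in RSOP. Membership is a separate question; on the client, whoami /groups shows whether the logged-on token actually contains the group.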