
Issue with using Kerberos authentication when establishing cross-domain IPSec


Our environment has two forests with a two-way forest-trust established. Now we want to use IPSec to enable domain isolation between the two forests.

Since there is a trust already established, we configured our environment to use Kerberos authentication with IPSec. We added 88 TCP and UDP to the exceptions and everything worked fine. After a day or two we started to see random problems with IPSec authentication, as if the trust is not working properly.

We managed to overcome the problem by reverting the group policies from require to request until the machine from one domain successfully communicated with the DC from the other domain, and then returned to the initial configuration. However, this was just a workaround, since the issue was detected again after a few days.

Can the problem be with the Kerberos ticket expiring?

