Channel: Security forum

Outbound Firewall Rule with authentication does not work


Hi there,

we're testing with IPSec and are running into an issue we can't seem to narrow down.

Currently there's a GPO denying all inbound and outbound traffic. It also has rules to allow basic AD connectivity in order to be able to retrieve GPO updates etc.

So far so good.

Then we created additional rules. We have a webserver running a site on port 980 to test the connectivity. Created a connection security rule that requires inbound and requests outbound authentication. I had set this to require both, but for some reason things like DNS then sometimes worked, sometimes not, without any changes... Really driving me mad... This only goes for the 172.30.0.0/16 subnet set as both endpoint 1 and 2.

Created a rule allowing tcp/980 incoming, require security (authentication/integrity, no encryption) on the webserver, this rule also specifies only the application server can connect.

Created a second rule, and here is where it goes wrong, allowing outbound tcp/980 on the application server. This one also requires security.

This works, however, if I add the webserver to the outbound rule (the "only allow connections to these computers" check is now cleared, it then works thus) it drops dead. The connection does not work at all. Figured I maybe had the wrong direction or something, so tried adding all the computers to the authorized computer section, but no changes. If I clear the check it works flawlessly, also see the security associations in the Windows Firewall with Advanced Services snap-in. Don't quite get why it stops working when I set it somewhat stricter, since the computer accounts are correct and they secure the connection anyways if I don't specify them specifically.
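
The rule set described in the post, written out with the NetSecurity cmdlets so the authenticated outbound rule and the resulting security associations can be inspected side by side. This is an added example, not the poster's configuration: the computer account names (`CONTOSO\WEB01$`, `CONTOSO\APP01$`), the rule display names, the `Get-ComputerSddl` helper, the default IPsec authentication set and the use of the local policy store instead of a GPO are all assumptions.

```powershell
# Added example. Hypothetical names; rules are created in the local store for a lab test.
$subnet = '172.30.0.0/16'            # subnet from the post (endpoint 1 and endpoint 2)

# Hypothetical helper: build the SDDL string that -RemoteMachine expects
# from a computer account name such as 'CONTOSO\WEB01$'.
function Get-ComputerSddl([string]$Account) {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
    "D:(A;;CC;;;$sid)"
}
$webSddl = Get-ComputerSddl 'CONTOSO\WEB01$'   # assumed web server account
$appSddl = Get-ComputerSddl 'CONTOSO\APP01$'   # assumed application server account

# Both servers: connection security rule, require inbound / request outbound.
# No -Phase1AuthSet is given, so the default authentication set is used (assumption).
New-NetIPsecRule -DisplayName 'Lab - IPsec 172.30.0.0/16' `
    -LocalAddress $subnet -RemoteAddress $subnet `
    -InboundSecurity Require -OutboundSecurity Request

# Web server only: allow tcp/980 in, authenticated, from the application server only.
New-NetFirewallRule -DisplayName 'Lab - tcp/980 in (secure)' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 980 `
    -Authentication Required -RemoteMachine $appSddl

# Application server only: allow tcp/980 out, authenticated, to the web server only.
# This is the rule that fails in the post once the computer restriction is set.
New-NetFirewallRule -DisplayName 'Lab - tcp/980 out (secure)' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 980 `
    -Authentication Required -RemoteMachine $webSddl

# Application server: confirm what the outbound rule actually enforces.
Get-NetFirewallRule -DisplayName 'Lab - tcp/980 out (secure)' |
    Get-NetFirewallSecurityFilter |
    Format-List Authentication, Encryption, RemoteMachine

# Application server: after a connection attempt to tcp/980, list the negotiated SAs.
# No SA at all points at negotiation; an SA with a blocked connection points at
# the computer authorization in the rule.
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```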

