Re: IPSec: Network sooo slooooow
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/17/05
- Next message: Steven L Umbach: "Re: NLB Question"
- Previous message: Adrian Martinez: "Re: Wireless question"
- In reply to: D Hartry: "IPSec: Network sooo slooooow"
- Next in thread: D Hartry: "Re: IPSec: Network sooo slooooow"
- Reply: D Hartry: "Re: IPSec: Network sooo slooooow"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 16 Mar 2005 22:02:21 -0600
My guess is that since you enabled this at the domain level you are causing
problems with domain computers accessing domain controllers since domain
controllers are also the kerberos key distribution centers. When you
configure an ipsec policy in the domain you must exempt domain controllers
from ipsec negotiation. This is best done by adding a filter list to the
ipsec policy with a rule for permit action for all traffic to and from
domain controllers by their static IP addresses. It is best to not configure
an ipsec policy at the domain level but instead do it at the OU level. The
link below explains more. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;254949
"D Hartry" <DHartry@discussions.microsoft.com> wrote in message
news:9AB91D6A-8FC9-42E2-BB1A-2915EC6CED15@microsoft.com...
> I have been fiddling with IPSec on a test network running in VMWare. I've
> not set up IPSec policies before so am unsure if I have done something
> stupid, perhaps made a mistake many have before me.....??
>
> I have a simple network of two servers (2003 Ent) and a client (XP Pro
> SP2).
> One server is an offline root standalone CA, the other a DC and enterprise
> sub-CA. This autoenrolls certificates to users and computers.
>
> I have enabled the Server (respond) policy for the entire domain, and with
> the policy active, I can log onto the DC from the XP client, but very
> slowly.
> From the DC I can monitor the SAs, they are being set up between the DC and
> the XP client.
>
> I get the same result whether I set the authentication for the policy to
> certificates or kerberos, I have tried with both.
>
> It might also be relevant that the DC is running the highsecdc.inf and the
> client the highsecws.inf security templates. I am going to try the scenario
> without any security policy in place next.
>
> Any ideas why the IPSec policy would 'work' but slow the network down so
> much? eg The XP client has been logging on, at the 'applying computer
> settings'/'applying your personal settings' stage for about 5-10 minutes
> now.
>
> I understand that there is an overhead associated with IPSec, but surely not
> this much? Even given the fact that the machines are VMs? BTW the physical
> machine this is all running on is an Athlon 2.2GHz with 512MB RAM, Big
> disks.
>
> --
> David Hartry
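As an added illustration of the exemption Steve describes (not part of either poster's message), the following netsh commands build a small IPsec policy on Windows XP/2003 whose first rule permits all traffic to and from the domain controllers in the clear, so Kerberos and other DC traffic is never held up by IKE negotiation. The DC address 192.168.10.5 and all names ("DC Exempt", "Permit DC", "Lab Respond Policy") are assumed placeholders; substitute the static addresses of your own DCs and, per the advice above, assign the policy to a test OU rather than the whole domain.

```batch
@echo off
rem Added example: exempt domain controllers from IPsec negotiation.
rem Assumes one DC at 192.168.10.5 (placeholder); add one "add filter"
rem line per DC. Run from an elevated command prompt on the member machine.

rem 1. A filter list covering every protocol/port to and from the DC.
rem    mirrored=yes creates the matching inbound filter automatically.
netsh ipsec static add filterlist name="DC Exempt" description="Traffic to/from domain controllers"
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=192.168.10.5 dstmask=255.255.255.255 protocol=ANY mirrored=yes description="DC1 (placeholder address)"

rem 2. A filter action that simply permits the traffic (no IKE, no ESP/AH).
netsh ipsec static add filteraction name="Permit DC" action=permit

rem 3. The policy itself, with the DC exemption as an explicit rule.
rem    The default response rule is left off; add your respond/require
rem    rules afterwards, and they will only cover non-DC traffic.
netsh ipsec static add policy name="Lab Respond Policy" description="Test policy with DC exemption" activatedefaultrule=no
netsh ipsec static add rule name="Exempt DCs" policy="Lab Respond Policy" filterlist="DC Exempt" filteraction="Permit DC" description="Never negotiate IPsec with domain controllers"

rem 4. Review before assigning; the permit rule should list the DC address.
netsh ipsec static show policy name="Lab Respond Policy" level=verbose

rem 5. Assign locally for a quick test (in production, link it at the OU via Group Policy instead).
netsh ipsec static set policy name="Lab Respond Policy" assign=y
```

After assignment, the slow-logon symptom should disappear if DC reachability was the cause: "IP Security Monitor" (or `netsh ipsec dynamic show mmsas`) should show no main-mode SAs with the DC address, while SAs to other peers covered by your respond rule still appear. If logon is still slow with the exemption in place, the cause lies elsewhere, for example in the highsecdc/highsecws templates the original poster mentions.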