Re: IPSec: Network sooo slooooow

From: D Hartry (DHartry_at_discussions.microsoft.com)
Date: 03/17/05 

Date: Thu, 17 Mar 2005 07:57:04 -0800

Thanks Steve,

I had almost come to this conclusion myself after searching on the web, but
you have confirmed my suspicions. If possible, I would like to secure all
traffic to DCs except for the logon etc traffic that needs to be unsecured. I
think I need to set specific filters to allow unsecured domain membership
traffic to/from DCs, but to secure all other traffic. I'm unsure exactly what
traffic needs to be excluded. Can anyone tell me the protocols and ports
used in 'domain membership' communications between DCs and domain computers?

Thanks again,
Dave

"Steven L Umbach" wrote:

> My guess is that since you enabled this at the domain level you are causing
> problems with domain computers accessing domain controllers since domain
> controllers are also the kerberos key distribution centers. When you
> configure an ipsec policy in the domain you must exempt domain controllers
> from ipsec negotiation. The is best done by adding a filter list to the
> ipsec policy with a rule for permit action for all traffic to and from
> domain controllers by their static IP addresses. It is best to not configure
> an ipsec policy at the domain level but instead do it at the OU level. The
> link below explains more. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;254949
>
> "D Hartry" <DHartry@discussions.microsoft.com> wrote in message
> news:9AB91D6A-8FC9-42E2-BB1A-2915EC6CED15@microsoft.com...
> >I have been fiddling with IPSec on a test network running in VMWare. I've
> > not set up IPSec policies before so am unsure if I have done something
> > stupid, perhaps made a mistake many have before me.....??
> >
> > I have a simple network of two servers (2003 Ent) and a client (XP Pro
> > SP2).
> > One server is an offline root standalone CA, the other a DC and enterprise
> > sub-CA. This autoenrolls certificates to users and computers.
> >
> > I have enabled the Server (respond) policy for the entire domain, and with
> > the policy active, I can log onto the DC from the XP client, but very
> > slowly.
> > From the DC I can monitor the SAs, they are being set up between the DC
> > and
> > the XP client.
> >
> > I get the same result whether I set the authentication for the policy to
> > certificates or kerberos, I have tried with both.
> >
> > It might also be relevant that the DC is running the highsecdc.inf and the
> > client the highsecws.inf security templates. I am going to try the
> > scenairo
> > without any security policy in place next.
> >
> > Any ideas why the IPSec policy would 'work' but slow the network down so
> > much? eg The XP client has been logging on, at the 'applying computer
> > settings'/'applying your personal settings' stage for about 5-10 minutes
> > now.
> >
> > I understand that there is an overhead associated with IPSec, but surely
> > not
> > this much? Even given the fact that the machines are VMs? BTW the
> > physical
> > machine this is all running on is an Athlon 2.2GHz with 512MB RAM, Big
> > disks.
> >
> > --
> > David Hartry
>
>
>