I have a Windows 2003 domain. I have 2 servers that are both in the same domain.

I have a filter requiring ESP (3DES/SHA1) only for communications on port 80 + 25 between these 2 servers.

When I use Kerberos for authentication... authentication fails. When I switch the authentication method to use a preshared key for authentication, everything works perfectly.

DNS is working fine. The servers resolve each other and the DC properly. Logging into the servers works properly, and normal Kerberos auth doesn't seem to cause problems/errors.


#####
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address XX.XXX.XXX.XX
Source IP Address Mask 255.255.255.255
Destination IP Address XX.XXX.XXX.XX
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr XX.XXX.XXX.XX
IKE Peer Addr XX.XXX.XXX.XX
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Kerberos based Identity: servername$@domain.COM
Peer IP Address: XX.XXX.XXX.XX

Failure Point:
Me

Failure Reason:
Negotiation timed out

Extra Status:
Processed first (SA) payload
Initiator. Delta Time 62
0x0 0x0
#####

I've followed the MS troubleshooting docs (disabled any offloading), and verified that there are no errors in the AD logs.

Any help/ideas would be GREATLY appreciated.