IPSec Kerberos issue?

Discussion in 'Server Security' started by Dan, Mar 20, 2007.

  1. Dan

    Dan Guest

    I have a windows 2003 domain. I have 2 Servers that are both in the same

    I have a filter requiring ESP (3DES/SHA1) only for communications on port 80
    + 25 between these 2 servers.

    When I use kerberos for authentication... authentication fails. When I
    switch the authentication method to use a preshared key for authentication,
    everything works perfectly.

    DNS is working fine. The servers resolve each other and the DC properly.
    Logging into the servers works properly, and normal kerberos auth doesn't
    seem to cause problems/errors.

    IKE security association negotiation failed.
    Key Exchange Mode (Main Mode)

    Source IP Address XX.XXX.XXX.XX
    Source IP Address Mask
    Destination IP Address XX.XXX.XXX.XX
    Destination IP Address Mask
    Protocol 0
    Source Port 0
    Destination Port 0
    IKE Local Addr XX.XXX.XXX.XX
    IKE Peer Addr XX.XXX.XXX.XX
    IKE Source Port 500
    IKE Destination Port 500
    Peer Private Addr

    Peer Identity:
    Kerberos based Identity: [email protected]
    Peer IP Address: XX.XXX.XXX.XX

    Failure Point:

    Failure Reason:
    Negotiation timed out

    Extra Status:
    Processed first (SA) payload
    Initiator. Delta Time 62
    0x0 0x0

    I've followed the MS troubleshooting docs, (disabled any offloading), and
    verified that there are not errors in the AD logs.

    Any help/ideas would be GREATLY appreciated.
    Dan, Mar 20, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.