IPSEC Association Slow

[Russ]

I am using ipsec to secure a subnet to which my servers
are not on and clients are. I have it set on the servers
subnet to require security from any packets indicating
that they are from the clients subnet. The problem is
that when the client boots up and tries to initially
connect to the domain controllers it takes anywhere from
fifteen seconds to a minute and a half. Without ipsec it
is instantaneous. My question is: are there specific
protocols/ports that should be open to the domain
controllers from the clients that will speed this up
while still allowing it to be a secure environment?

 

[Steven L Umbach]

I have tried work arounds with no luck. If your domain controllers are part
of the "require" policy, try "require" for just them instead - even though
you probably will still experience much of the same. Officialy Microsoft
does not support ipsec negotiation beween domain controllers and domain
members and suggest that you exempt domain controllers by ip address in
ipsec policies other than with other domain controllers as explained in KB
article below. --- Steve

http://support.microsoft.com/?kbid=254949

 

[Steven L Umbach]

Darn. I meant try "request" policy instead. --- Steve

 

[Russ]

is this a known flaw? And if so is it fixed with server
2003?

 

[Steven L Umbach]

I have not read any info on this regarding Windows 2003, nor have testesd it yet
though plan to soon. ---Steve