IPSec and clusters


Solomon

Hi All
I have 2 Windows 2000 servers in a cluster, and
I'm using group policies to apply IPSec. I'm using IPSec
as a firewall to block subnet ranges and ports. I
currently have the servers open to my subnet and port 80
open for IIS.
My problem is whenever I reboot a server in the
cluster, IPSec blocks port 80 but does not block my local
subnet. I then have to disable IPSec in group policies,
run secedit on the local servers, and then reapply IPSec
and rerun secedit on the local servers.

I'm aware that IPSec has problems when encrypting data on
a cluster, but I have not seen anything about using IPSec
as a firewall and having cluster problems.

Any help would be great.
-Solomon
 

Mark Swift [MSFT]

Can you reply back with the filters you are using? (You can change the IPs
if you aren't comfortable making them public.)
 

Solomon

Here are the filter lists; the IP addresses are all made up.
Hope you can read them; they look bad after pasting.

After one or both cluster nodes are rebooted
the "filter list for port 80" does not take effect, and
only the subnets that are defined in "Filter list for
subnets" have access.


10.10.10.20 Cluster IP
10.10.10.21 Node1
10.10.10.22 Node2
10.10.10.23 Test1 (Stand alone server)



Filter list for port 80 (Filter Action: Allow)
Mirrored  Protocol  Source Port  Destination Port  Source DNS  Source Address  Source Mask  Destination DNS        Destination Address  Destination Mask
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.20          255.255.255.255
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.21          255.255.255.255
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.22          255.255.255.255
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.23          255.255.255.255


Filter list for subnets (Filter Action: Allow)
Mirrored  Protocol  Source Port  Destination Port  Source DNS             Source Address  Source Mask  Destination DNS  Destination Address  Destination Mask
Yes       ANY       ANY          ANY               A Specific IP Address  10.10.0.0       255.255.0.0  My IP Address    My IP Address        255.255.255.255
Yes       ANY       ANY          ANY               A Specific IP Address  192.168.0.0     255.255.0.0  My IP Address    My IP Address        255.255.255.255
Yes       ANY       ANY          ANY               A Specific IP Address  20.50.0.0       255.255.0.0  My IP Address    My IP Address        255.255.255.255


Filter list for everything else (Filter Action: Block)
Mirrored  Protocol  Source Port  Destination Port  Source DNS  Source Address  Source Mask  Destination DNS  Destination Address  Destination Mask
Yes       ANY       ANY          ANY               ANY         ANY             0.0.0.0      My IP Address    My IP Address        255.255.255.255



Thanks,
-Solomon
 

Solomon

I have reworked it so it looks better.

Here are the filter lists; the IP addresses are all made up.
After one or both cluster nodes are rebooted the "filter
list for port 80" does not take effect, and only the
subnets that are defined in "Filter list for subnets"
have access.


10.10.10.20 Cluster IP
10.10.10.21 Node1
10.10.10.22 Node2
10.10.10.23 Test1 (Stand alone server)


Filter list for port 80 (Filter Action: Allow)
Mirrored  Protocol  Source Port  Destination Port  Source DNS  Source Address  Source Mask  Destination DNS        Destination Address  Destination Mask
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.20          255.255.255.255
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.21          255.255.255.255
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.22          255.255.255.255
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.23          255.255.255.255


Filter list for subnets (Filter Action: Allow)
Mirrored  Protocol  Source Port  Destination Port  Source DNS             Source Address  Source Mask  Destination DNS  Destination Address  Destination Mask
Yes       ANY       ANY          ANY               A Specific IP Address  10.10.0.0       255.255.0.0  My IP Address    My IP Address        255.255.255.255
Yes       ANY       ANY          ANY               A Specific IP Address  192.168.0.0     255.255.0.0  My IP Address    My IP Address        255.255.255.255
Yes       ANY       ANY          ANY               A Specific IP Address  20.50.0.0       255.255.0.0  My IP Address    My IP Address        255.255.255.255


Filter list for everything else (Filter Action: Block)
Mirrored  Protocol  Source Port  Destination Port  Source DNS  Source Address  Source Mask  Destination DNS  Destination Address  Destination Mask
Yes       ANY       ANY          ANY               ANY         ANY             0.0.0.0      My IP Address    My IP Address        255.255.255.255
 

Mark Swift [MSFT]

Hmm, I don't see anything wrong with the filters. Officially MS only
supports IPsec on WS03 clusters so we are sailing into new waters here. Do
all the subnet filters not work or just the 10.10.0.0 network? Does stopping
and starting the IPSec service fix the issue? How about stopping and
starting clustering?

Filter Action: Allow
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.20 DestMask=255.255.255.255
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.21 DestMask=255.255.255.255
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.22 DestMask=255.255.255.255
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.23 DestMask=255.255.255.255

Filter Action: Allow
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=10.10.0.0
SrcMask=255.255.0.0 DestAddress=My IP Address DestMask=255.255.255.255
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=192.168.0.0
SrcMask=255.255.0.0 DestAddress=My IP Address DestMask=255.255.255.255
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=20.50.0.0
SrcMask=255.255.0.0 DestAddress=My IP Address DestMask=255.255.255.255

Filter Action: Block
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=My IP Address DestMask=255.255.255.255

--

Mark Swift
Software Test Engineer
IP Security
Windows Networking
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

--
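As an added illustration, not part of the thread, here is a small Python model of how Windows IPsec chooses among the three filter lists Mark restated above: the most specific matching filter wins regardless of list order, so the explicit port 80 allow filters take precedence over the "everything else" block filter, and "My IP Address" expands to whatever addresses the node currently holds. The node address set and the sample packets are constructed.

```python
import ipaddress

# Constructed: addresses bound on Node1 at policy-application time (node IP plus
# the cluster IP). "My IP Address" filters are expanded against this set.
NODE_ADDRS = {"10.10.10.21", "10.10.10.20"}

def build_filters(my_addrs):
    """Expand the thread's three filter lists into (action, proto, dport, src, dst).
    Only the inbound direction of each mirrored filter is modelled."""
    allow_80 = [("Allow", "TCP", 80, "0.0.0.0/0", f"{h}/32")
                for h in ("10.10.10.20", "10.10.10.21", "10.10.10.22", "10.10.10.23")]
    allow_subnets = [("Allow", "ANY", None, net, f"{me}/32")
                     for net in ("10.10.0.0/16", "192.168.0.0/16", "20.50.0.0/16")
                     for me in my_addrs]
    block_rest = [("Block", "ANY", None, "0.0.0.0/0", f"{me}/32") for me in my_addrs]
    return allow_80 + allow_subnets + block_rest

def matches(f, proto, dport, src, dst):
    _, fproto, fport, fsrc, fdst = f
    return ((fproto == "ANY" or fproto == proto)
            and (fport is None or fport == dport)
            and ipaddress.ip_address(src) in ipaddress.ip_network(fsrc)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(fdst))

def specificity(f):
    """Longer masks, a named protocol and a named port make a filter more specific."""
    _, fproto, fport, fsrc, fdst = f
    return (ipaddress.ip_network(fsrc).prefixlen + ipaddress.ip_network(fdst).prefixlen
            + (fproto != "ANY") + (fport is not None))

def decide(filters, proto, dport, src, dst):
    """Action of the most specific matching filter; 'NoMatch' means no filter in the
    policy covers the packet, so IPsec does not act on it at all."""
    hits = [f for f in filters if matches(f, proto, dport, src, dst)]
    if not hits:
        return "NoMatch"
    return max(hits, key=specificity)[0]

if __name__ == "__main__":
    F = build_filters(NODE_ADDRS)
    # Outside host to the cluster IP on port 80: the /32 TCP/80 allow beats the block.
    print(decide(F, "TCP", 80, "172.16.5.5", "10.10.10.20"))
    # Same host on port 443: only the block filter matches.
    print(decide(F, "TCP", 443, "172.16.5.5", "10.10.10.20"))
    # Management subnet host: the /16 source filter is more specific than the block.
    print(decide(F, "UDP", 53, "10.10.40.7", "10.10.10.21"))
```

Run against a different NODE_ADDRS set to see which filters referencing "My IP Address" exist on a node, as opposed to the port 80 filters, which name each address explicitly.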
 
