I am getting some very strange behavior out of the Windows 8 Advanced Firewall / IPsec implementation.
It appears now that all inbound traffic that isn't return traffic from a previously contacted host is being dropped. Why?
Background:
I'm working on getting initial Windows 8 integration on my network, predominantly Windows 7 and Server 2008 R2 based. One of the requirements is using IPsec. I'm seeing some very unusual behavior from the Windows Advanced Firewall.
- I can't generally establish inbound connections using an IPsec secured connection (assuming the use of a computer name or computer group). Outbound connections are fine.
- On the rare chance that I do get an inbound connection to work I get something like the following, indicating two quick mode associations.
I've tried everything I can think of on this, even using two stock Windows 8 systems without any group policies, etc. applied to rule out my environment. The behavior remains the same.
This was apparently all systems joined to my domain during a certain time frame, including a couple of Windows 7 machines. Building exactly identical VMs and joining them today functions 100% normally.
I'm guessing that a group policy or the like was the hangup, although there isn't any proof in the logs of a failure of this nature.
I've tried both rejoining the domain and deleting C:\WINDOWS\security\Database\secedit.sdb.
It looks like this was a wider issue than just inbound IPsec - it was all inbound traffic on the problem machines. I shut down the Windows Firewall service and my connections were still failing. It wasn't until I shut down the Base Filtering Engine that things started working inbound.
I have tried using secedit /configure /cfg c:\Windows\inf\defltbase.inf /db defltbase.sdb /verbose to reset the local security rules without impact.
The issue here had to do with Windows Firewall not transitioning to being fully on, using the Windows BFE. For some reason the filter registry keys would be duplicated and stop the service from transitioning over to the Windows Firewall.
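A triage script for this failure mode, added here as an example and not part of the original question or of any Microsoft tooling. It reports how the BFE, firewall (MpsSvc) and IKE (IKEEXT) services are actually running, the per-profile firewall state, whether any peer has more than one IPsec quick mode SA (the symptom mentioned above), the number of entries in each BFE persistent policy subkey, and exports the live WFP state so it can be diffed against a freshly built machine that behaves. It assumes Windows 8 / Server 2012 or later with the NetSecurity cmdlets (Get-NetFirewallProfile, Get-NetIPsecQuickModeSA) and an elevated session; the BFE registry path and the RemoteEndpoint property name are assumptions and are labelled as such in the code.

```powershell
# Added example, not from the original post. Run elevated on the affected machine and
# on a known-good one, then compare the two outputs.

# 1. Service state. The poster only got inbound traffic back once BFE was stopped, so
#    record how BFE, the firewall service and the IKE service are really running.
#    Win32_Service is used instead of Get-Service so StartMode is available on PS 3.0.
foreach ($name in 'BFE', 'MpsSvc', 'IKEEXT') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { "$name : not installed"; continue }
    "{0,-8} state={1,-8} start={2}" -f $name, $svc.State, $svc.StartMode
}

# 2. Firewall profile state: a profile that is reported Enabled but whose filters
#    never reached BFE is exactly the "not fully on" condition described above.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 3. Quick mode SAs: flag any peer that currently has more than one.
#    RemoteEndpoint is assumed to be the property carrying the peer address.
$qm = Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue
if ($qm) {
    $dups = $qm | Group-Object -Property RemoteEndpoint | Where-Object { $_.Count -gt 1 }
    if ($dups) {
        foreach ($g in $dups) { "Peer {0}: {1} quick mode SAs" -f $g.Name, $g.Count }
    } else { "No peer has more than one quick mode SA" }
} else { "No IPsec quick mode SAs present" }

# 4. Entry counts under the BFE persistent policy key (assumed location; the key is
#    ACL-restricted, so unreadable subkeys simply report 0 entries here).
$policyRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent'
if (Test-Path $policyRoot) {
    Get-ChildItem -Path $policyRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $count = (Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue | Measure-Object).Count
        "{0,-12} {1,6} entries" -f $_.PSChildName, $count
    }
} else { "BFE persistent policy key not found at $policyRoot" }

# 5. Export the live WFP state (providers, sublayers, filters) for offline comparison
#    between the broken machine and a healthy one.
$out = Join-Path $env:TEMP 'wfpstate.xml'
netsh wfp show state file=$out | Out-Null
"WFP state written to $out"
```

The useful check is the diff, not any single number: run the script on the broken host and on the freshly built VM that works, and compare the service states, the per-subkey entry counts and the exported WFP state. A host whose firewall profiles all report Enabled while BFE carries a visibly different filter set from the healthy build is the condition the last paragraph describes.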