Hi everyone,
I'm trying to set up DirectAccess with Windows 2012 for Windows 8 and Windows 7 clients.
I followed the official Microsoft Guide to configure DirectAccess.
DirectAccess is already working fine if I don't enable support for Windows 7 clients. DirectAccess also works with the "Use computer certificate" checkbox enabled in the configuration.
But as soon as I enable "Enable Windows 7 client computers to connect via DirectAccess", my Windows 8 client no longer works with DirectAccess.
I see two errors in the client event log (AAAA:BBBB:CCCC is our global unicast prefix; DDDD:EEEE is our public IPv4 address embedded in the 6to4 IPv6 address):
An IPsec main mode negotiation failed. Local Endpoint: Local Principal Name: - Network Address: AAAA:BBBB:CCCC:265:b006:e1b0:f11a:f21b Keying Module Port: 500 Remote Endpoint: Principal Name: - Network Address: 2002:DDDD:EEEE::DDDD:EEEE Keying Module Port: 500 Additional Information: Keying Module Name: IKEv1 Authentication Method: Unknown authentication Role: Initiator Impersonation State: Not enabled Main Mode Filter ID: 0 Failure Information: Failure Point: Local computer Failure Reason: No policy configured State: No state Initiator Cookie: 189e724ff0b1a873 Responder Cookie: 0000000000000000
An IPsec main mode negotiation failed. Local Endpoint: Local Principal Name: - Network Address: AAAA:BBBB:CCCC:265:b006:e1b0:f11a:f21b Keying Module Port: 500 Remote Endpoint: Principal Name: - Network Address: 2002:DDDD:EEEE::DDDD:EEEE Keying Module Port: 500 Additional Information: Keying Module Name: AuthIP Authentication Method: Unknown authentication Role: Initiator Impersonation State: Not enabled Main Mode Filter ID: 68458 Failure Information: Failure Point: Local computer Failure Reason: IKE authentication credentials are unacceptable State: Sent second (KE) payload Initiator Cookie: 414873805a2941c5
The non-IPsec tunnel is working fine. I can ping the internal servers using their IPv6 addresses. But name resolution is not working (because DNS traffic goes through the IPsec tunnel).
One strange thing is that the NLS HTTPS website is unreachable (due to the failing IPsec tunnel), but the command Get-DAConnectionStatus says "ConnectedRemotely".
Has anyone run into something similar?
If you need further information just let me know.
Regards,
Nicolas
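A client-side check for the symptoms described in the post above, added here as an example; it is not the poster's script and not Microsoft's. It is meant to be run from an elevated PowerShell session on the Windows 8 DirectAccess client, and it pulls together the pieces the two event messages point at: the Security-log audit for "An IPsec main mode negotiation failed" (event ID 4653), the IPsec rules and phase 1 authentication sets actually active on the client, the machine certificates that could satisfy a computer-certificate proposal, and whether any main mode SA exists at all. The $DaServer value is an assumed placeholder taken from the post's anonymised 6to4 address; set it to the real remote endpoint from your events, or pass an empty string to see failures for every peer.

```powershell
# Added diagnostic script (not from the original post). Run as Administrator on the
# Windows 8 DirectAccess client. $DaServer is an assumed placeholder: set it to the
# "Remote Endpoint / Network Address" shown in your own 4653 events.
param(
    [string]$DaServer = '2002:DDDD:EEEE::DDDD:EEEE'
)

Write-Host "== DirectAccess client status =="
Get-DAConnectionStatus | Format-List Status, Substatus

Write-Host "`n== Recent main mode failures (Security event 4653) =="
# Pull the keying module (IKEv1 vs AuthIP) and the failure reason out of each audit,
# so the two failures quoted in the post can be told apart at a glance.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Remote = if ($m -match '(?s)Remote Endpoint:.*?Network Address:\s+(\S+)') { $Matches[1] } else { '?' }
            Module = if ($m -match 'Keying Module Name:\s+(\S+)') { $Matches[1] } else { '?' }
            Reason = if ($m -match 'Failure Reason:\s+(.+?)\s+State:') { $Matches[1] } else { '?' }
        }
    } |
    Where-Object { $DaServer -eq '' -or $_.Remote -eq $DaServer } |
    Format-Table -AutoSize

Write-Host "`n== Active IPsec rules and the phase 1 auth sets they reference =="
# "No policy configured" (IKEv1) means no active rule matched the traffic at all;
# "IKE authentication credentials are unacceptable" (AuthIP) means a rule matched
# but the client could not satisfy any proposal in that rule's Phase1AuthSet.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Format-Table DisplayName, Enabled, KeyModule, Phase1AuthSet -AutoSize

Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore |
    ForEach-Object {
        Write-Host "Auth set: $($_.DisplayName)"
        $_.Proposal | Format-Table -AutoSize
    }

Write-Host "`n== Machine certificates usable for computer-certificate auth (Client Authentication EKU) =="
# A proposal that requires a computer certificate needs a cert with a private key
# and the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) in the machine store.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
    } |
    Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize

Write-Host "`n== Established main mode SAs (empty while the IPsec tunnel is down) =="
Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue |
    Format-Table LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId -AutoSize
```

Reading the output: if the 4653 table keeps alternating between an IKEv1 "No policy configured" and an AuthIP "credentials are unacceptable" entry for the same remote endpoint, the thing to compare is the Proposal list of the auth set named in the DirectAccess rule against the certificates listed in the machine store; a proposal that the client cannot back with a matching certificate is exactly what AuthIP reports as unacceptable credentials. Note that Get-DAConnectionStatus only tells you what the client thinks it is connected to, which is why it can report ConnectedRemotely while the main mode SA list stays empty.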