What can cause a DirectAccess IPSec Main Mode Error "no policy configured"

Posted by Mike Haboustak on Server Fault See other posts from Server Fault or by Mike Haboustak
Published on 2011-09-16T18:08:42Z Indexed on 2014/06/09 9:28 UTC
Read the original article Hit count: 1219

Filed under:

Windows

|

ipsec

|

direct-access

We have Microsoft's DirectAccess VPN set up on Server 2008 R2 with end-to-edge security, and we're having trouble with the manage-out tunnel.

The DirectAccess client has DC/DNS and intranet connectivity, it can ping/rdp/etc to intranet hosts. However connections originating from those same intranet hosts can only intermittently reach the client. At times it works fine, other times it doesn't.

When an inbound (intranet to client) connection is attempted there's an IPSec Main Mode failure logged: Event 4653 with a failure reason of "No Policy Configured".

I think that it may be related to the state of the intranet (corp) access tunnel, and an overlap in the configured subnets for those polices. I haven't figured out exactly what's different in the scenario where the connection works and where it does not.

© Server Fault or respective owner

Related posts about Windows

Server 2012 DFS New Member Issue

as seen on Server Fault - Search for 'Server Fault'
I am trying to add a new member to our DFS topology. We have 3 DCs (VMs - VMware) running Windows server 2012, two servers are located in or Primary site and the third at our DR site. Currently the two servers at our primary site are currently replicating DFS (full mesh) and are working fine. I have… >>> More
error in IIS7 but not on IIS6

as seen on Server Fault - Search for 'Server Fault'
I have a website that is we are now deploying to windows 2008 servers that has worked in the past on IIS6 without a problem. It is using .net 2 framework. Most of the website works. Just when we create a screen report over a certain size on the server we get this error. Event code: 3005 Event… >>> More
error in IIS7 but not on IIS6

as seen on Server Fault - Search for 'Server Fault'
I have a website that is we are now deploying to windows 2008 servers that has worked in the past on IIS6 without a problem. It is using .net 2 framework. Most of the website works. Just when we create a screen report over a certain size on the server we get this error. Event code: 3005 Event… >>> More
Microsoft Management Console stops working when I add snap-in to it

as seen on Super User - Search for 'Super User'
I have Windows 7 Ultimate OS. I'm opening mmc.exe as administrator and trying add Certificates or any other snap-in, then while loading that snap-in MMC breaks and displays following message and after that it closes automatically once I click on close button on that message. What could be the problem… >>> More
Handling keyboard and mouse input (Win API)

as seen on Game Development - Search for 'Game Development'
There is a number of ways to catch mouse or keyboard under Windows. So I tried some of them, but every of them has some advantages and drawbacks. I want to ask you: Which method do use? I've tried these: WM_KEYDOWN/WM_KEYUP - Main disadvantage is that, I can't distinguish between left and right-handed… >>> More

Related posts about ipsec

Ipsec reload fails to load ipsec.conf Strongswan 5.0

as seen on Server Fault - Search for 'Server Fault'
I am having trouble configuring a connection to an Android device using a fedora 17 linux machine and strongSwanv5.0.1dr2. I have made some progress but when I try adding the configuration to support xauth authentication I receive an error when I try to reload the configuration file. I get a similar… >>> More
Specify IPSEC port range using ipsec-tools

as seen on Server Fault - Search for 'Server Fault'
Is it possible to require IPSEC on a port range ? I want to require IPSEC for all incoming connections except a few public ports like 80 and 443, but don't want to restrict outgoing connections. My SPD rules would look like: spdadd 0.0.0.0/0 0.0.0.0/0[80] tcp -P in none; spdadd 0.0.0.0/0 0.0.0.0/0[443]… >>> More
Connecting debian and windows via IPsec VPN with Racoon and ipsec-tools

as seen on Server Fault - Search for 'Server Fault'
I've some trouble with the IPsec configuration on my debian server (6 squeeze). This server should connect via IPsec VPN to an windows server, which is protected by an firewall. I've used racoon and ipsec-tools and this tutorial http://wiki.debian.org/IPsec. However, I am not quite sure, if this… >>> More
ASA hairpining: I basicaly want to allow 2 spokes to be able to communicate with each other.

as seen on Server Fault - Search for 'Server Fault'
ASA Spoke to Spoke Communication I have been looking at spke to spoke comms or "hairpining" for months and have posted on numerouse forums but to no avail. I have a Hub and spoke network where the HUB is an ASA Firewall version 8.2 * I basicaly want to allow 2 spokes to be able to communicate with… >>> More
Can't get the L2TP IPSEC up and running

as seen on Server Fault - Search for 'Server Fault'
i have an Ubuntu 11.10 (oneiric) server running on a ReadyNAS. Im planning to use this to accept ipsec+l2tp connections through a router. However, the connection is failing somewhere half through. Using Openswan IPsec U2.6.28/K3.0.0-12-generic and trying to connect with an iOS 5 iPhone 4S. This is… >>> More