Environment:
- Win 10 client, connected to Srv 2016 DC
- IPsec enabled as basic "Connection Security Rule" through GPO with default settings
- Environment has more than basic hardening, based on CIS
- No network security measures (Dot1x, NIDS/IPS etc) are in place
Problem flow chart:
1 - At client start-up, IPsec (transport mode) is initiated with no issues and the user can log on
2 - When the client reboots, the main mode SA is terminated but the quick mode SA stays active on the server
3 - When the user tries to log on they get errors, boiling down to the IPsec connection not being established
4 - After 5 minutes (netsh advfirewall show global | find "SAIdleTimeMin") the quick mode SA times out on the server
5 - When the quick mode SA has timed out, IPsec communication is established and everything works again
Findings:
- The SA Idle timeout cannot be set lower than 5 minutes
- This behaviour has been observed across 4 other similar systems (all Srv 2016 and Win 10)
- Tried "Remove-NetIpsecQuickModeSA", but the command is poorly documented and basically useless
- The only workaround found is to stop the "IKEEXT" service at logoff (this kills all active SAs)
- I have not 100% ruled out Kerberos, but all clocks are in sync.
Ruled out causes:
- Disabling fastboot does not solve the problem
- The problem is not directly DNS related
- The problem is not network related
There has to be a reason behind this behaviour; googling it returns mostly VPN and Cisco related links, and I've yet to find someone describe a similar problem on any forum.
Any constructive inputs and suggestions appreciated.
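As an added diagnostic (not part of the post above), the following PowerShell script run on the server reads the SAIdleTimeMin value the post refers to and checks whether a given client has quick mode SAs left over with no matching main mode SA, which is the condition described in steps 2 to 4. It assumes the NetSecurity cmdlets Get-NetIPsecMainModeSA / Get-NetIPsecQuickModeSA expose LocalEndpoint and RemoteEndpoint properties and that Remove-NetIPsecQuickModeSA accepts them from the pipeline; $ClientIp is a hypothetical parameter for the rebooted client's address.

```powershell
# Added diagnostic for the stale quick-mode-SA condition; run on the DC as an administrator.
# Assumptions (not confirmed by the post): LocalEndpoint/RemoteEndpoint property names,
# and that Remove-NetIPsecQuickModeSA takes Get-NetIPsecQuickModeSA objects via the pipeline.
param(
    [Parameter(Mandatory)][string]$ClientIp,   # hypothetical: address of the client that just rebooted
    [switch]$Remove                            # only clear stale quick mode SAs when explicitly asked
)

# 1. Read the effective SA idle timeout (the post notes it cannot be set below 5 minutes).
$idleLine = netsh advfirewall show global | Select-String 'SAIdleTimeMin'
$idleMin  = if ($idleLine -and $idleLine.Line -match '(\d+)\s*$') { [int]$Matches[1] } else { $null }
Write-Host "SAIdleTimeMin on this host: $idleMin"

# 2. Collect the main mode and quick mode SAs that involve this client.
$mm = @(Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $ClientIp -or $_.LocalEndpoint -eq $ClientIp })
$qm = @(Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $ClientIp -or $_.LocalEndpoint -eq $ClientIp })
Write-Host ("Main mode SAs: {0}   Quick mode SAs: {1}" -f $mm.Count, $qm.Count)

# 3. The condition from the post: quick mode SAs still present after the main mode SA is gone.
#    Until they age out (SAIdleTimeMin), the rebooted client cannot re-establish IPsec,
#    which surfaces to the user as logon errors.
if ($qm.Count -gt 0 -and $mm.Count -eq 0) {
    Write-Warning "Stale quick mode SA(s) for $ClientIp with no main mode SA; expect logon failures for up to $idleMin min."
    $qm | Format-Table -AutoSize
    if ($Remove) {
        # Narrower alternative to stopping IKEEXT: clear only this client's stale entries.
        $qm | Remove-NetIPsecQuickModeSA
        Write-Host "Removed $($qm.Count) quick mode SA(s) for $ClientIp."
    }
} else {
    Write-Host "No stale quick mode SA condition detected for $ClientIp."
}
```

Running it without -Remove right after a client reboot, and again after SAIdleTimeMin has elapsed, shows whether the quick mode SA count for that client is what actually tracks the logon failures.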