Channel: Network Access Protection forum

IPSec between Domain Controllers


Hopefully someone here is a bit more familiar with the ins and outs of server to server IPSec within Windows.

So I'm trying to set up an IPSec tunnel between all of my internal DCs and the RODCs in our DMZ (to reduce the number of holes we need to punch in our firewall). So I followed the tutorial here to a T: http://blogs.technet.com/b/askpfeplat/archive/2014/12/15/securing-dc-to-dc-communication-with-ipsec-using-windows-firewall-with-advanced-security-wfas-connection-security-rules.aspx

However, I'm having lots of issues with making it work consistently. GP has successfully pushed the Connection Security Rules to all of the DCs, but they don't always seem to apply. When I look at our firewall, I'm seeing lots of blocks because the servers won't use the Connection Rules. However, every once in a while (without any sort of pattern), the Security Associations will create themselves correctly (I can see them under the Main Mode and Quick Mode of the Security Associations tree). When this happens, everything works swimmingly. But once I reboot the servers, the associations go away and the servers only work sporadically again.

I'm beating my head against the wall again. Why are the servers not always honoring the Connection Security Rules?
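A diagnostic script, added here as an example and not part of the original post or the linked tutorial, that checks the four places where "rules pushed by GP but no SA" usually shows up: the IPsec services, the rules as actually applied from the ActiveStore, the live Main Mode / Quick Mode SAs, and IPsec negotiation failures in the Security log since the last boot. It assumes an elevated session on one of the DCs; `$Peer` is a constructed placeholder for the RODC address.

```powershell
# Added diagnostic, not part of the original post. Run elevated on a DC.
# $Peer is a constructed placeholder: replace with the RODC you expect an SA with.
$Peer = '192.0.2.10'

# 1. Services the IPsec stack depends on. If PolicyAgent or IKEEXT is not
#    running, the Connection Security Rules exist but are never negotiated.
Get-Service BFE, PolicyAgent, IKEEXT, MpsSvc |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 2. Rules as actually applied. ActiveStore merges GPO and local policy, so an
#    enabled rule whose PolicyStoreSourceType is 'GroupPolicy' confirms delivery.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, Enabled, PolicyStoreSourceType,
                  InboundSecurity, OutboundSecurity | Format-Table -AutoSize

# 3. Live security associations with the peer: Main Mode first, then Quick Mode.
#    A Main Mode SA without a Quick Mode SA points at a phase-2 (proposal) mismatch.
$mm = Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $Peer }
$qm = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $Peer }
"Main Mode SAs with $Peer  : $(@($mm).Count)"
"Quick Mode SAs with $Peer : $(@($qm).Count)"

# 4. Negotiation failures since the last boot (4652/4653 Main Mode failed,
#    4654 Quick Mode failed). These events are only logged when the IPsec audit
#    subcategories are enabled, e.g.
#    auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4652, 4653, 4654; StartTime = $boot
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it on both ends of a failing pair; the failure event's message names the side and phase that rejected the negotiation, which is more useful than the firewall's block entries.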

