Gave up on IPSec w/ Kerberos authentication. However, I can do IPSec w/ authentication via certificate or PSK. Notes:
-> If a policy isn't applied when you assign it, restart the IPSec service.
-> Normally, you can reset IPSec policies back to default settings; domain controllers (DCs) are an exception.