Re: IPSEC: racoon and Win2K

From: Jorge Peixoto Vasquez (jorge@aker.com.br)
Date: 01/10/01


Date: Wed, 10 Jan 2001 19:37:32 -0200
From: Jorge Peixoto Vasquez <jorge@aker.com.br>
To: freebsd-net@freebsd.org, freebsd-security@freebsd.org

itojun@iijlab.net wrote:
>
> >The only problem I've encountered is that, when making Win2K and FreeBSD
> >interoperate, the IKE's phase 2 only succeeds if
> >Win2K initiates the process. If racoon is to start it, Win2k will not
> >accept any proposal for phase 2, complaining that the dh group number
> >(which should correctly be either 1 or 2) received is 1 or 2 (depending
> >on the pfs_group setting in racoon.conf) and not null(0). If I try
> >setting pfs_group to null, I get a parse error.
>
> try removing the "pfs_group 2" line. The problem here is that the PFS group
> is not negotiated (from the protocol spec), so
> - if Win2K uses no pfs group, racoon obeys
> - if racoon proposes either pfs group 1/2, Win2K rejects
> hope this helps.
>

I had already done it, but it acts exactly the same way as it does if I
put "pfs_group 2" or "pfs_group modp1024", i.e. sends '2' to Win2K.

Was anyone successful in making these interoperate? Could you please
tell me which racoon version you used and send me the conf file?

Thanx anyways,

jOrge

-- 
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
tel. +55 - 61 - 340 9083
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
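The thread turns on whether racoon's phase 2 proposal carries a DH group at all. As an added example (mine, not part of this thread or of racoon), here is a small Python decoder for the SA attributes of an ISAKMP Transform payload, where that group travels as IPsec DOI attribute 3 (Group Description, RFC 2407); the sample proposals are constructed, not captured traffic.

```python
import struct

# IPsec DOI (RFC 2407 4.5) phase 2 SA attribute types used below
GROUP_DESCRIPTION = 3          # the PFS group that Win2K objected to
IPSEC_ATTR_NAMES = {
    1: "SA Life Type", 2: "SA Life Duration", 3: "Group Description",
    4: "Encapsulation Mode", 5: "Authentication Algorithm", 6: "Key Length",
}


def parse_transform_attributes(payload: bytes) -> dict:
    """Decode one ISAKMP Transform payload (RFC 2408 3.6).

    Header: next(1) reserved(1) length(2) transform#(1) transform-id(1)
    reserved(2). Each attribute starts with a 16-bit word: high bit (AF) set
    means a 2-byte basic value follows, clear means a 2-byte length and then a
    variable-length value.
    """
    _nxt, _r, length, _tnum, tid, _r2 = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError(f"payload length {length} != {len(payload)} bytes")
    attrs, off = {}, 8
    while off < length:
        word, val = struct.unpack("!HH", payload[off:off + 4])
        atype = word & 0x7FFF
        if word & 0x8000:                       # basic (TV) attribute
            attrs[atype] = val
            off += 4
        else:                                   # variable (TLV): val is length
            attrs[atype] = int.from_bytes(payload[off + 4:off + 4 + val], "big")
            off += 4 + val
    return {"transform_id": tid, "attributes": attrs}


def proposed_pfs_group(payload: bytes):
    """Return the DH group a phase 2 transform proposes, or None if no PFS."""
    return parse_transform_attributes(payload)["attributes"].get(GROUP_DESCRIPTION)


def build_transform(attrs, tid=3):
    """Constructed helper: build a transform payload from basic (TV) attributes."""
    body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), 1, tid, 0) + body


# Constructed samples: ESP_3DES (id 3), life 3600 s, tunnel mode, HMAC-SHA1
WITH_PFS = build_transform([(1, 1), (2, 3600), (3, 2), (4, 1), (5, 2)])
WITHOUT_PFS = build_transform([(1, 1), (2, 3600), (4, 1), (5, 2)])

if __name__ == "__main__":
    for name, p in (("with pfs_group 2", WITH_PFS), ("no pfs_group", WITHOUT_PFS)):
        print(name, "-> Group Description:", proposed_pfs_group(p))
```

Feed it the Transform payload bytes of racoon's first Quick Mode message (for example cut from a tcpdump capture) to see whether a Group Description attribute is really on the wire.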