From owner-freebsd-security Tue Jan 9 15:52:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97])
	by hub.freebsd.org (Postfix) with ESMTP id 57BBB37B400;
	Tue, 9 Jan 2001 15:52:10 -0800 (PST)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1])
	by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id IAA05079;
	Wed, 10 Jan 2001 08:51:20 +0900 (JST)
To: Jorge Peixoto Vasquez
Cc: freebsd-net@freebsd.org, freebsd-security@freebsd.org
In-reply-to: jorge's message of Tue, 09 Jan 2001 18:01:43 -0200.
	<3A5B6E27.5787D716@aker.com.br>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPSEC: racoon and Win2K
From: itojun@iijlab.net
Date: Wed, 10 Jan 2001 08:51:20 +0900
Message-ID: <5077.979084280@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>The only problem I've encountered is that, when making Win2K and FreeBSD
>interoperate, the IKE's phase 2 only succeeds if
>Win2K initiates the process. If racoon is to start it, Win2K will not
>accept any proposal for phase 2, complaining that the dh group number
>(which should correctly be either 1 or 2) received is 1 or 2 (depending
>on the pfs_group setting in racoon.conf) and not null(0). If I try
>setting pfs_group to null, I get a parse error.

	try removing the "pfs_group 2" line.  the problem here is that the PFS
	group is not negotiated (from the protocol spec), so
	- if Win2K uses no pfs group, racoon obeys
	- if racoon proposes either pfs group 1/2, Win2K rejects

	hope this helps.

itojun
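As an added illustration (not part of itojun's message, and not taken from the racoon project's own documentation), the fragments below show where the change being suggested lands in racoon.conf: pfs_group lives in the phase 2 sainfo section, while dh_group in the phase 1 proposal is a different setting and stays. The algorithms, lifetime and the "anonymous" selectors are assumed placeholders, not values from the original thread.

```conf
# Constructed racoon.conf fragments (added example, not from the post).
# Algorithm, lifetime and selector values are assumed for illustration.

# Phase 1 (ISAKMP SA): the DH group here is negotiated with the peer
# and is unrelated to the phase 2 PFS problem, so it can stay.
remote anonymous {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA) as it was when Win2K rejected racoon's proposals.
# The PFS group is not negotiated, so this line makes racoon insist on
# group 2 whenever it initiates, which a peer configured without PFS
# refuses.
#
# sainfo anonymous {
#         pfs_group 2;
#         lifetime time 1 hour;
#         encryption_algorithm 3des;
#         authentication_algorithm hmac_sha1;
#         compression_algorithm deflate;
# }

# Phase 2 with the pfs_group line removed, as itojun suggests: racoon no
# longer proposes a PFS group when it initiates, and follows the peer
# when the peer initiates without one.
sainfo anonymous {
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The general rule that follows from "the PFS group is not negotiated" is that the two ends must already agree out of band: either neither side sets a PFS group, or both set the same one. Dropping pfs_group trades forward secrecy on the phase 2 keys for interoperability with a peer that has PFS disabled; if PFS is required, the fix belongs on the Windows side (enable PFS with the matching group) rather than in racoon.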