Date: Wed, 10 Jan 2001 19:37:32 -0200
From: Jorge Peixoto Vasquez <jorge@aker.com.br>
To: freebsd-net@freebsd.org, freebsd-security@freebsd.org
Subject: Re: IPSEC: racoon and Win2K
Message-ID: <3A5CD61C.673C1B83@aker.com.br>
References: <5077.979084280@coconut.itojun.org>

itojun@iijlab.net wrote:
>
> >The only problem I've encountered is that, when making Win2K and FreeBSD
> >interoperate, the IKE's phase 2 only succeeds if
> >Win2K initiates the process. If racoon is to start it, Win2k will not
> >accept any proposal for phase 2, complaining that the dh group number
> >(which should correctly be either 1 or 2) received is 1 or 2 (depending
> >on the pfs_group setting in racoon.conf) and not null(0). If I try
> >setting pfs_group to null, I get a parse error.
>
> try removing "pfs_group 2" line. the problem here is that PFS group
> is not negotiated (from the protocol spec), so
> - if Win2K uses no pfs group, racoon obeys
> - if racoon proposes either pfs group 1/2, Win2K rejects
> hope this helps.
>

I had already done it, but it acts exactly the same way as it does if I
put "pfs_group 2" or "pfs_group modp1024", i.e. sends '2' to Win2K.

Was anyone successful in making these interoperate? Could you please tell
me which racoon version you used and please send me the conf file?

Thanx anyways,

jOrge

--
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
tel. +55 - 61 - 340 9083

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message