From: Shoichi Sakane
To: jorge@aker.com.br
Cc: freebsd-security@freebsd.org
Subject: Re: IPSEC: racoon and Win2K
Date: Mon, 02 Apr 2001 15:36:56 +0900
Message-Id: <20010402153656U.sakane@ydc.co.jp>
In-Reply-To: Your message of "Sat, 24 Mar 2001 16:47:42 -0600" <39F078A4FCEC5D408C23FC3D92DEE4020162B9@tyr.kinsman.lan>

> The only problem I've encountered is that, when making Win2K and FreeBSD
> interoperate, the IKE's phase 2 only succeeds if
> Win2K initiates the process. If racoon is to start it, Win2k will not
> accept any proposal for phase 2, complaining that the dh group number
> (which should correctly be either 1 or 2) received is 1 or 2 (depending
> on the pfs_group setting in racoon.conf) and not null(0). If I try
> setting pfs_group to null, I get a parse error.

It would be helpful if win2k dumped some more messages.
Please check the configurations of both racoon and win2k, and make sure
they are exactly the same. Also try deleting the line "pfs_group 2;".
I could negotiate with win2k when racoon was the initiator.

> sainfo anonymous
> {
> 	# does not matter if 1 or 2, zero (expected by Win2K) won't parse.
> 	pfs_group 2;
>
> 	lifetime time 36000 sec;
> 	lifetime byte 50000 KB;
> 	encryption_algorithm 3des,des ;
> 	authentication_algorithm hmac_sha1,hmac_md5;
> 	compression_algorithm deflate ;
> }
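
A small check for the phase 2 mismatch discussed in this thread, added here as an illustration; it is not part of the original message and not racoon's own code. It parses the sainfo blocks of a racoon.conf, reports any pfs_group that differs from what the peer expects, and drops the line as the reply suggests. The function names and the simplified parser are assumptions, and the sample text is the sainfo block quoted above.

```python
import re

# Sample input: the sainfo block quoted in the message above.
SAMPLE_CONF = """
sainfo anonymous
{
    # does not matter if 1 or 2, zero (expected by Win2K) won't parse.
    pfs_group 2;

    lifetime time 36000 sec;
    lifetime byte 50000 KB;
    encryption_algorithm 3des,des ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}
"""

def parse_sainfo(text):
    """Return {sainfo_name: {directive: value}} for every sainfo block."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments first
    blocks = {}
    for name, body in re.findall(r"sainfo\s+([^{]+?)\s*\{(.*?)\}", text, re.S):
        settings = {}
        for stmt in body.split(";"):
            words = stmt.split()
            if not words:
                continue
            # "lifetime time" and "lifetime byte" are distinct directives
            n = 2 if words[0] == "lifetime" else 1
            settings[" ".join(words[:n])] = " ".join(words[n:])
        blocks[name] = settings
    return blocks

def pfs_mismatches(text, peer_pfs_group=None):
    """List (sainfo, local pfs_group) pairs that differ from the peer's setting.
    peer_pfs_group=None is the assumed case of a peer negotiating without PFS."""
    expected = None if peer_pfs_group is None else str(peer_pfs_group)
    return [(name, s.get("pfs_group"))
            for name, s in parse_sainfo(text).items()
            if s.get("pfs_group") != expected]

def without_pfs(text):
    """Remove active pfs_group lines, leaving every other directive untouched."""
    return re.sub(r"^[ \t]*pfs_group\b[^;\n]*;[ \t]*\n", "", text, flags=re.M)

if __name__ == "__main__":
    print("before:", pfs_mismatches(SAMPLE_CONF))
    print("after: ", pfs_mismatches(without_pfs(SAMPLE_CONF)))
```
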