From owner-freebsd-security Sat Mar 24 13:48:06 2001
Subject: IPSEC: racoon and Win2K
From: "Jorge Peixoto Vasquez" (envelope-from jorge@aker.com.br)
To: freebsd-security@freebsd.org
Date: Sat, 24 Mar 2001 15:47:41 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE402016295@tyr.kinsman.lan>
I've read the mini-howto on how to set up IPSEC on FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most successful so far.

I would be very glad if anyone could help me on the following matter:

The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, IKE's phase 2 only succeeds if Win2K initiates the process. If racoon is to start it, Win2K will not accept any proposal for phase 2, complaining that the DH group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null (0). If I try setting pfs_group to null, I get a parse error.

All the docs I found on the KAME site (www.kame.net), the handbook, and the man pages haven't been of any help either.

Thank you very much for your attention,

Sincerely,

jOrge

p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.

-- 
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
tel. +55 - 61 - 340 9083

[Attachment: racoon.conf]

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level.  It is followed by either "info", "notify",
# "debug" or "debug2".
log debug;

# "padding" defines some parameters of padding.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# Specification of the default values of various timers.
timer
{
	# These values can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 20 sec;
}

remote anonymous
{
	exchange_mode main;
	doi ipsec_doi;
	situation identity_only;
	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour
	lifetime byte 5 MB;	# B,KB,GB
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim

	proposal
	{
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2;
	}
}

sainfo anonymous
{
	# does not matter if 1 or 2, zero (expected by Win2K) won't parse.
	pfs_group 2;
	lifetime time 36000 sec;
	lifetime byte 50000 KB;
	encryption_algorithm 3des,des ;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate ;
}
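An added example, not part of Jorge's post and not code from the racoon project: a small Python check that parses the sainfo blocks of a racoon.conf, reports which Diffie-Hellman group phase 2 will propose for PFS, and emits a copy of the configuration with that directive removed. It rests on one assumption, taken from the racoon.conf(5) manual page and worth confirming against the man page of the racoon version actually installed: a sainfo block with no pfs_group directive negotiates phase 2 without PFS, which is the "group 0 / none" that a peer configured without PFS expects to see. The configuration string below is constructed here from the shape of the posted file; the parser function names are this example's own.

```python
import re
from typing import Dict, Optional

# Constructed sample in the shape of the posted sainfo block: with pfs_group
# set, racoon's quick-mode proposal carries a DH group (here 2).
SAMPLE_CONF = """\
sainfo anonymous
{
	# does not matter if 1 or 2, zero (expected by Win2K) won't parse.
	pfs_group 2;
	lifetime time 36000 sec;
	lifetime byte 50000 KB;
	encryption_algorithm 3des,des ;
	authentication_algorithm hmac_sha1,hmac_md5;
}
"""

# header ("sainfo <selector> {"), body, closing brace; sainfo blocks do not nest.
_BLOCK_RE = re.compile(r"(sainfo\s+[^{]+?\s*\{)(.*?)(\})", re.S)


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, as racoon's own parser does."""
    return line.split("#", 1)[0]


def parse_sainfo_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Return {selector: {directive: argument}} for every sainfo block.

    Statements end in ';'. The key is the first token, except that the two
    'lifetime' directives are keyed as 'lifetime time' / 'lifetime byte' so
    both survive in the dict.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    for m in _BLOCK_RE.finditer(text):
        header, body = m.group(1), m.group(2)
        selector = " ".join(header[len("sainfo"):].rstrip("{").split())
        clean = "\n".join(_strip_comment(ln) for ln in body.split("\n"))
        directives: Dict[str, str] = {}
        for stmt in clean.split(";"):
            toks = stmt.split()
            if not toks:
                continue
            if toks[0] == "lifetime" and len(toks) > 1:
                key, args = "lifetime " + toks[1], toks[2:]
            else:
                key, args = toks[0], toks[1:]
            directives[key] = " ".join(args)
        blocks[selector] = directives
    return blocks


def pfs_status(directives: Dict[str, str]) -> Optional[int]:
    """DH group racoon will propose for phase-2 PFS, or None when the block
    carries no pfs_group directive (assumption: no directive means no PFS)."""
    grp = directives.get("pfs_group")
    return int(grp) if grp is not None else None


def disable_pfs(text: str) -> str:
    """Return the configuration with every pfs_group directive removed from
    sainfo blocks, leaving all other directives and comments untouched."""
    def _scrub(m) -> str:
        kept = [ln for ln in m.group(2).split("\n")
                if not _strip_comment(ln).strip().startswith("pfs_group")]
        return m.group(1) + "\n".join(kept) + m.group(3)
    return _BLOCK_RE.sub(_scrub, text)


if __name__ == "__main__":
    for selector, d in parse_sainfo_blocks(SAMPLE_CONF).items():
        print("sainfo", selector, "-> phase-2 PFS group:", pfs_status(d))
    print(disable_pfs(SAMPLE_CONF))
```

Run against a real racoon.conf, the first loop tells you per sainfo block whether phase 2 will carry a DH group at all; the peer's complaint in the post (group received 1 or 2, expected 0) is exactly a mismatch between a block where pfs_status() is non-None and a responder that has PFS off. Both ends must agree on PFS either way, so the right fix is whichever side's policy is wrong, not necessarily removing it from racoon.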