[Openswan Users] unsupported ID type ID_FQDN and W2k-Client

Ken Bantoft ken at xelerance.com
Fri Apr 2 06:11:22 CEST 2004


On Fri, 2 Apr 2004, Dennis Leist wrote:

> Hi all helpers,
> 
> After getting freeswan-1.99.09 to run with nat_traversal, I still
> encounter some trouble while connecting
> with W2k SP4 (inc. NAT-T Update).

You need to make some changes to support MS's implementation, which (as 
usual) is slightly different than everyone else's.

Specifically, you need to add ID_FQDN support.  Check against Openswan 1.0.2 
for the changes - ipsec_doi.c, around line 4517, has added:

        /* Hack for MS 818043 NAT-T Update */
        /* The Windows client sends an ID_FQDN as its Quick Mode ID; instead of
           rejecting the ID type, clear the peer's client subnet (his.net) ... */
        if (id_pd->payload.ipsec_id.isaiid_idtype == ID_FQDN)
          memset(&his.net, 0, sizeof(ip_subnet));

        /* ... and use the peer's own host address as its client subnet (a
           single-host subnet built by addrtosubnet()). */
        if (id_pd->payload.ipsec_id.isaiid_idtype == ID_FQDN)
          happy(addrtosubnet(&c->that.host_addr, &his.net));

to deal with this.  There might be other changes, I can't recall as it's 
been a while.


> 
> Any help is highly appreciated!
> 
> <snip>
> Apr  2 01:55:50 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION

Note, you need to ensure you're using DH Group 2 or 5 on the windows side.

> Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63 #1: Peer ID is ID_DER_ASN1_DN: '<Users CN>'
> Apr  2 01:55:51 linuxserver pluto[18381]: | NAT-T: new mapping 213.39.182.63:500/4500)
> Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: sent MR3, ISAKMP SA established
> Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: unsupported ID type ID_FQDN
> Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 213.39.182.63:4500

There's a new ID we added support for back when SP4 appeared.

-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson

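An added, self-contained model of the Quick Mode client-ID handling that the reply above describes (not Openswan's code): the simplified types and the function name id_to_client_subnet are assumptions, and the ms_nat_t_hack flag shows the behaviour before the fix (ID_FQDN rejected, as in the INVALID_ID_INFORMATION log line) beside the behaviour after it (the peer's host address used as a /32 client subnet).

```c
/* Constructed model of pluto's Quick Mode ID handling; not Openswan's code.
 * ip_subnet, addrtosubnet() and id_to_client_subnet() are simplified stand-ins. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* ISAKMP identification types (RFC 2407 values) */
enum id_type {
    ID_IPV4_ADDR        = 1,
    ID_FQDN             = 2,
    ID_IPV4_ADDR_SUBNET = 4
};
typedef struct { uint32_t addr; uint32_t mask; } ip_subnet;
static uint32_t load32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Simplified addrtosubnet(): a single host address becomes a /32 subnet */
static void addrtosubnet(uint32_t host, ip_subnet *out) {
    out->addr = host;
    out->mask = 0xffffffffu;
}
/* Derive the peer's client subnet (his.net) from its Quick Mode ID payload.
 * Returns 0 on success, -1 where pluto logs "unsupported ID type" and
 * answers with INVALID_ID_INFORMATION. ms_nat_t_hack enables the fix. */
int id_to_client_subnet(enum id_type idtype, const uint8_t *id_data, size_t id_len,
                        uint32_t peer_host_addr, int ms_nat_t_hack, ip_subnet *his_net)
{
    switch (idtype) {
    case ID_IPV4_ADDR:
        if (id_len != 4) return -1;
        addrtosubnet(load32(id_data), his_net);
        return 0;
    case ID_IPV4_ADDR_SUBNET:
        if (id_len != 8) return -1;
        his_net->addr = load32(id_data); his_net->mask = load32(id_data + 4);
        return 0;
    case ID_FQDN:
        /* Hack for MS 818043 NAT-T update: W2k sends an FQDN as its Phase 2
         * ID; ignore the name and use the peer's host address as a /32. */
        if (!ms_nat_t_hack) return -1;
        memset(his_net, 0, sizeof(*his_net));
        addrtosubnet(peer_host_addr, his_net);
        return 0;
    default:
        return -1;  /* any other ID type is still unsupported */
    }
}
```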