[Openswan Users] OpenSwan Configuration for Manual Keys
Brian Candler
B.Candler at pobox.com
Sat Apr 15 09:27:52 CEST 2006
On Fri, Apr 14, 2006 at 08:36:45PM -0500, Jay Potter wrote:
> This is a very new release from windows xp professional with service
> pack 2 installed (marked 2002). (We just got the MSDN subscription from
> Microsoft and this version was included - we did not have to install
> service pack 2 separately)
Have you applied XP IPSEC policy hotfix?
http://support.microsoft.com/default.aspx?scid=kb;en;907865
> When we run the MMC it allows us the choice
> of either 3des or des / sha1 or md5.
OK. Well "NO_PROPOSAL_CHOSEN" means that none of the combinations of
(encryption alg + authentication alg + Diffie-Hellman group) offered by one
side was acceptable to the other.
> >>"Sample" #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536
> >>supported. Attribute OAKLEY_GROUP_DESCRIPTION
That sounds like Windows is asking for some other Diffie-Hellman group (e.g.
768 bits or 2048 bits)
> >>"Sample" #1: OAKLEY_DES_CBC is not supported. Attribute
> >>OAKLEY_ENCRYPTION_ALGORITHM
Sounds like Windows is asking for DES. However, if I remember correctly, an
up-to-date Windows will offer four combinations:
DES-SHA1
DES-MD5
3DES-SHA1
3DES-MD5
so I'd expect Openswan would accept one of those.
If you run
tcpdump -i eth0 -n -s1500 -v udp port 500
on the Linux side, you will see the proposals in quite graphic detail.
Also, you may find it useful to turn on Oakley logging at the Windows side.
Google or search microsoft.com for oakley.log
Anyway, almost all the information you need can be found linked from here:
http://www.jacco2.dds.nl/networking/index.html
especially the second document about Windows XP/2000.
Regards,
Brian.
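The NO_PROPOSAL_CHOSEN behaviour described in the reply above, as an added illustration that is not part of the original message or of Openswan itself: a small model of IKEv1 phase-1 proposal selection in which the responder accepts a transform only when encryption, hash and Diffie-Hellman group are all acceptable, and otherwise emits diagnostics in the style of the "Sample #n ... not supported" lines quoted in the thread. The responder policy (3DES only, SHA1 or MD5, MODP1024/MODP1536) is constructed to match those quoted lines; the two offer lists are constructed, not captured from a real Windows XP host.

```python
"""Toy model of IKEv1 (ISAKMP/Oakley) phase-1 proposal selection.

Added example, not code from the mailing-list post or from Openswan.
The initiator (a constructed stand-in for the Windows side) offers a
list of transforms; the responder (a constructed stand-in for the
Openswan side) takes the first transform acceptable on all three
attributes. If none is acceptable, the result is NO_PROPOSAL_CHOSEN.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Transform:
    encryption: str  # e.g. "OAKLEY_3DES_CBC"
    hash: str        # e.g. "OAKLEY_SHA1"
    group: str       # e.g. "OAKLEY_GROUP_MODP1024"


@dataclass(frozen=True)
class ResponderPolicy:
    encryption: frozenset
    hashes: frozenset
    groups: frozenset

    def reject_reason(self, t: Transform) -> Optional[str]:
        """Return None if the transform is acceptable, else a diagnostic
        string modelled on the Openswan log lines quoted in the thread."""
        if t.encryption not in self.encryption:
            return (f"{t.encryption} is not supported. "
                    "Attribute OAKLEY_ENCRYPTION_ALGORITHM")
        if t.hash not in self.hashes:
            return (f"{t.hash} is not supported. "
                    "Attribute OAKLEY_HASH_ALGORITHM")
        if t.group not in self.groups:
            supported = " and ".join(sorted(self.groups))
            return (f"only {supported} supported. "
                    "Attribute OAKLEY_GROUP_DESCRIPTION")
        return None


def select_proposal(offered: List[Transform],
                    policy: ResponderPolicy
                    ) -> Tuple[Optional[Transform], List[str]]:
    """Walk the offered transforms in order; return the first acceptable
    one plus the diagnostics for every transform rejected before it.
    With no match, the last diagnostic is NO_PROPOSAL_CHOSEN."""
    diagnostics: List[str] = []
    for n, t in enumerate(offered, start=1):
        reason = policy.reject_reason(t)
        if reason is None:
            return t, diagnostics
        diagnostics.append(f'"Sample" #{n}: {reason}')
    diagnostics.append("NO_PROPOSAL_CHOSEN")
    return None, diagnostics


# Constructed responder policy matching the diagnostics quoted in the thread:
# DES rejected, only MODP1024 and MODP1536 accepted as DH groups.
OPENSWAN_POLICY = ResponderPolicy(
    encryption=frozenset({"OAKLEY_3DES_CBC"}),
    hashes=frozenset({"OAKLEY_SHA1", "OAKLEY_MD5"}),
    groups=frozenset({"OAKLEY_GROUP_MODP1024", "OAKLEY_GROUP_MODP1536"}),
)

# Constructed offer: the four enc/hash combinations named in the thread,
# every one of them tied to a 768-bit group the responder does not accept.
OFFER_ALL_MODP768 = [
    Transform("OAKLEY_DES_CBC", "OAKLEY_SHA1", "OAKLEY_GROUP_MODP768"),
    Transform("OAKLEY_DES_CBC", "OAKLEY_MD5", "OAKLEY_GROUP_MODP768"),
    Transform("OAKLEY_3DES_CBC", "OAKLEY_SHA1", "OAKLEY_GROUP_MODP768"),
    Transform("OAKLEY_3DES_CBC", "OAKLEY_MD5", "OAKLEY_GROUP_MODP768"),
]

# Constructed offer: same combinations, but the 3DES ones use MODP1024,
# so the responder has something it can pick.
OFFER_3DES_MODP1024 = [
    Transform("OAKLEY_DES_CBC", "OAKLEY_SHA1", "OAKLEY_GROUP_MODP768"),
    Transform("OAKLEY_DES_CBC", "OAKLEY_MD5", "OAKLEY_GROUP_MODP768"),
    Transform("OAKLEY_3DES_CBC", "OAKLEY_SHA1", "OAKLEY_GROUP_MODP1024"),
    Transform("OAKLEY_3DES_CBC", "OAKLEY_MD5", "OAKLEY_GROUP_MODP1024"),
]

if __name__ == "__main__":
    for label, offer in (("all MODP768", OFFER_ALL_MODP768),
                         ("3DES with MODP1024", OFFER_3DES_MODP1024)):
        chosen, diag = select_proposal(offer, OPENSWAN_POLICY)
        print(f"--- offer: {label}")
        for line in diag:
            print(line)
        print("chosen:", chosen)
```

The point the model makes visible is that the four encryption/hash combinations alone do not decide the outcome: a transform whose encryption and hash are both fine is still rejected when its DH group is not in the responder's list, which is exactly the case the "OAKLEY_GROUP_DESCRIPTION" diagnostic reports. Reading the per-transform diagnostics in order tells you which attribute to change on which side, which is what the tcpdump or oakley.log suggestions in the reply are for.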