[Openswan Users] IPSEC windows 2003 and linux openswan 1.0.7

Brian Candler B.Candler at pobox.com
Sun Apr 16 08:50:11 CEST 2006

On Tue, Apr 11, 2006 at 11:30:09PM -0400, Brad Langhorst wrote:
> Ulf Jakobsson's posting saying that he was able to get 2003 and openswan 
> 1.x working .
> I've tried this series of commands - all i see is "negotiating ip 
> security" at the windows command prompt.

1. Run tcpdump on the IKE traffic:

    tcpdump -i eth0 -n -s 1500 -v udp port 500

The initial exchanges are not encrypted. You will be able to see what side A
is offering, and often the error if B rejects it (e.g. "no proposal chosen")

Unfortunately, most IPSEC implementations are poor when it comes to handling
'informational' messages; they often just discard without even logging. So
tcpdump can be the only tool.

2. Enable oakley logging at the Windows end. This creates a file
\windows\debug\oakley.log showing the exchange and what happened.
Google for oakley.log or search for it on microsoft.com

You are using some third-party tool called ipsec.exe. I can't help you with
this; I only know the Microsoft-supplied tools (ipseccmd for XP, ipsecpol
for 2000).



More information about the Users mailing list