[Openswan Users] vista AuthIP
Jacco de Leeuw
jacco2 at dds.nl
Thu Dec 27 09:50:33 EST 2007
Marco Berizzi wrote:
>>>> I have an interoperability problem with vista. [...] Basically what
>>>> they [M$ development team] confirm is The 133 payload is an AuthIP
>>>> payload, an IKE extension that we have introduced in Vista.
>> I have been informed (not by Microsoft) that this is a bug in Vista and
>> that it has been fixed starting from Windows Vista Service Pack 1 Beta
>> 6001.17036 v.652.
>
> Thanks Jacco. I have applied vista beta sp1 and now vista talks with
> openswan.

There is yet another problem in Vista. It occurs when pure IPsec is used
and NAT is involved. L2TP/IPsec does not have this problem.

Vista does not like a parameter in the QuickMode proposal that Openswan sends.
I see this in the Vista IKE log:

IkeIsSaValidForTunnel failed with Windows error 87(ERROR_INVALID_PARAMETER)

Vista then sends an "IKE Informational Mode" message to the server and
disconnects. Openswan logs this:

pluto[5863]: "IPSEC-PSK"[1] 192.168.15.1 #3: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[5863]: "IPSEC-PSK"[1] 192.168.15.1 #3: received and ignored informational message
pluto[5863]: "IPSEC-PSK"[1] 192.168.15.1 #3: received Delete SA payload: deleting ISAKMP State #3

I have attached the Vista log to this e-mail (slightly edited for brevity,
full log available from me) but I cannot deduce which parameter exactly is
unacceptable to Vista.

The same problem also occurs when ipsec-tools (racoon) is used instead of
Openswan. Therefore I suspect that this is a problem in Vista. The problem has
not been resolved in Vista SP1 beta at the time of this writing. Should
Microsoft be informed of this?

I have not tested with Windows Server 2003 instead of Openswan. On Windows
Server it is fairly difficult to configure IPsec without L2TP. Testing with
ISA Server might be another option but I think I will pass that one on.

Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: wfpdiag.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20071227/34db3308/attachment.txt