[Openswan Users] vista AuthIP

Jacco de Leeuw jacco2 at dds.nl
Thu Dec 27 09:50:33 EST 2007 

Marco Berizzi wrote:

>>>> I have an interoperability problem with vista. [...] Basically what 
>>>> they [M$ development team] confirm is The 133 payload is an AuthIP 
>>>> payload, an IKE extension that we have introduced in Vista.
>> I have been informed (not by Microsoft) that this is a bug in Vista and
>> that it has been fixed starting from Windows Vista Service Pack 1 Beta
>> 6001.17036 v.652.
> 
> Thanks Jacco. I have applied vista beta sp1 and now vista talk with 
> openswan.

There is yet another problem in Vista. It occurs when pure IPsec is used
and NAT is involved. L2TP/IPsec does not have this problem.

Vista does not like a parameter in the QuickMode proposal that Openswan sends.
I see this in the Vista IKE log:

IkeIsSaValidForTunnel failed with Windows error 87(ERROR_INVALID_PARAMETER)

Vista then sends an "IKE Informational Mode" message to the server and
disconnects. Openswan logs this:

pluto[5863]: "IPSEC-PSK"[1] 192.168.15.1 #3: ignoring informational payload,
type INVALID_PAYLOAD_TYPE
pluto[5863]: "IPSEC-PSK"[1] 192.168.15.1 #3: received and ignored
informational message
pluto[5863]: "IPSEC-PSK"[1] 192.168.15.1 #3: received Delete SA payload:
deleting ISAKMP State #3

I have attached the Vista log to this e-mail (slightly edited for brevity,
full log available from me) but I cannot deduce which parameter exactly is
unacceptable to Vista.

The same problem also occurs when ipsec-tools (racoon) is used instead of
Openswan. Therefore I suspect that this is a problem in Vista. The problem has
not been resolved in Vista SP1 beta at the time of this writing. Should
Microsoft be informed of this?

I have not tested with Windows Server 2003 instead of Openswan. On Windows
Server is fairly difficult to configure IPsec without L2TP. Testing with
ISA Server might be another option but I think I will pass that one on.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: wfpdiag.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20071227/34db3308/attachment.txt

More information about the Users mailing list