[Openswan Users] vista AuthIP

Marco Berizzi pupilla at hotmail.com
Wed Sep 5 08:40:18 EDT 2007


Jacco de Leeuw wrote:

> Marco Berizzi wrote:
>
> > I have an interoperability problem with
> > vista.
>
> Can you post the details?

Vista and openswan are able to establish the
ipsec tunnel, but when I try to ping from
vista to the net behind the ipsec gateway,
vista and openswan restart a new IKE Handshaking
which fails...

> > The Microsoft support has asked me if it
> > is possible to change openswan configuration
> > so that it does not respond to AuthIP
> > (protocol extension that is not supported
> > anyway)?
>
> Exactly, it is a proprietary extension which is only supported by
> Vista and the upcoming Windows Server 2008. Openswan ignores the
> AuthIP vendor IDs, it does not respond to them. Does Microsoft Support
> say otherwise?

Yes. Here is their version:

[...]
Basically what they [M$ development team] confirm is
The 133 payload is an AuthIP payload, an IKE extension that we have
introduced in Vista.

The 133 payload is sent under exchange type 243. Looks like what is
happening is that the linux implementation is accepting the exchange
type 243 packet (it should drop it) and failing the negotiation when it
finds a 133 payload in the packet.
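
The header-level check described in the quoted reply (reject on exchange type before any payload is parsed), as an added example that is not part of the original post and is not Openswan code. The function names and the list of supported exchange types are assumptions; the header offsets follow RFC 2408, and the sample packet is constructed.

```c
#include <stdint.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28   /* fixed ISAKMP header size, RFC 2408 */

enum verdict { PKT_ACCEPT, PKT_DROP_SHORT, PKT_DROP_LENGTH, PKT_DROP_EXCHANGE };

/* Exchange types this hypothetical IKEv1 responder implements. */
static int exchange_supported(uint8_t xchg)
{
    switch (xchg) {
    case 2:   /* Identity Protection (Main Mode) */
    case 4:   /* Aggressive Mode */
    case 5:   /* Informational */
    case 32:  /* Quick Mode */
        return 1;
    default:  /* everything else, including private-use 240-255 (243 here) */
        return 0;
    }
}

/* Decide from the header alone; the payload chain is never walked here. */
enum verdict isakmp_precheck(const uint8_t *pkt, size_t len)
{
    if (len < ISAKMP_HDR_LEN)
        return PKT_DROP_SHORT;
    uint32_t declared = ((uint32_t)pkt[24] << 24) | ((uint32_t)pkt[25] << 16) |
                        ((uint32_t)pkt[26] << 8) | pkt[27];
    if (declared < ISAKMP_HDR_LEN || declared > len)
        return PKT_DROP_LENGTH;
    if (!exchange_supported(pkt[18]))      /* byte 18 = exchange type */
        return PKT_DROP_EXCHANGE;
    return PKT_ACCEPT;
}

/* Constructed sample: header-only datagram with the given fields. */
enum verdict check_sample(uint8_t next_payload, uint8_t xchg)
{
    uint8_t pkt[ISAKMP_HDR_LEN];
    memset(pkt, 0, sizeof pkt);
    memset(pkt, 0xAA, 8);          /* initiator cookie (constructed) */
    pkt[16] = next_payload;        /* byte 16 = next payload type */
    pkt[17] = 0x10;                /* version 1.0 */
    pkt[18] = xchg;
    pkt[27] = ISAKMP_HDR_LEN;      /* declared length = 28 */
    return isakmp_precheck(pkt, sizeof pkt);
}

int main(void) { return check_sample(133, 243) == PKT_DROP_EXCHANGE ? 0 : 1; }
```

With this ordering, a packet carrying exchange type 243 is discarded before the 133 payload is ever examined, so no negotiation state is touched.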



