[Openswan Users] vista AuthIP

Jacco de Leeuw jacco2 at dds.nl
Wed Sep 5 17:00:27 EDT 2007


Paul Wouters wrote:

> Show us the logs on the openswan end.

Might be the same as previously posted on the list:
http://lists.openswan.org/pipermail/users/2007-July/012780.html

> And preferable the OAKLEY.LOG on the windows end.

Note that generating the Oakley log is a bit different on Vista:
http://www.jacco2.dds.nl/networking/vista-openswan.html#Oakley_logs

> Openswan just ignores unknown vendorid's, so the microsoft devel team seems
> to be wrong here.

Actually, it was the Microsoft Support team that wrote:

>> The 133 payload is sent under exchange type 243. Looks like what is 
>> happening is that the linux implementation is accepting the exchange type
>> 243 packet (it should drop it) and failing the negotiation when it finds
>> a 133 payload in the packet.

These types are from 'private use' ranges, according to the RFC. As far as I
can see from the code, the only 'private use' exchange types in Openswan are
Private Echo Request and -Reply but these are 244 and 245, respectively.

So Openswan should ignore what Vista is sending. Looking at Marco's Openswan
log it does indeed:

> packet from 151.25.20.9:500: next payload type of ISAKMP Message has an
> unknown value: 133

Then according to Marco's log the Vista client continues to do its AuthIP
thing, which Openswan of course does not understand.

However, why is Vista sending these private payload types anyway? Openswan
did not respond to the AuthIP vendor IDs that Vista sent (assuming that
this is the proper way to negotiate proprietary extensions).

Marco, are you sure you haven't enabled something in your Vista client which
forces the use of AuthIP? For example, don't use that "Windows Firewall with
Advanced Security" thingie in Vista.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
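An added illustration of the check discussed in this thread (example code written for this page, not code from the original post or from Openswan): a small Python parser for the fixed 28-byte ISAKMP header that classifies the exchange type and the first next-payload value against the number ranges in RFC 2408, where exchange types 240-255 and payload types 128-255 are 'private use', and drops anything it does not recognise before looking at the payloads. The two sample headers are constructed, not captured from a Vista client; only the values 243 and 133 are taken from the thread, the cookies, flags and message ID are made up.

```python
import struct

# Fixed 28-byte ISAKMP header (RFC 2408 section 3.1), network byte order:
# initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

# Exchange types from RFC 2408 plus the two IKEv1 ones from RFC 2409.
KNOWN_EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode", 33: "New Group Mode",
}
# Payload types from RFC 2408 section 3.1.
KNOWN_PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
    6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N",
    12: "D", 13: "VID",
}


def exchange_type_range(xtype):
    """Name the RFC 2408 number range an exchange type falls in."""
    if xtype in KNOWN_EXCHANGE_TYPES:
        return "standard"
    if xtype <= 31:
        return "reserved"          # 6-31: future ISAKMP use
    if xtype <= 239:
        return "doi-specific"      # 32-239: DOI specific use
    return "private"               # 240-255: private use


def payload_type_range(ptype):
    """Name the RFC 2408 number range a payload type falls in."""
    if ptype in KNOWN_PAYLOAD_TYPES:
        return "standard"
    if ptype <= 127:
        return "reserved"          # 14-127: reserved
    return "private"               # 128-255: private use


def parse_isakmp_header(pkt):
    """Unpack the header; raise ValueError on a truncated or inconsistent packet."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("packet shorter than ISAKMP header")
    icookie, rcookie, np, ver, xtype, flags, msgid, length = ISAKMP_HDR.unpack_from(pkt)
    if length < ISAKMP_HDR.size or length > len(pkt):
        raise ValueError("ISAKMP length field does not match packet")
    return {
        "icookie": icookie, "rcookie": rcookie, "next_payload": np,
        "major": ver >> 4, "minor": ver & 0x0F, "exchange_type": xtype,
        "flags": flags, "msgid": msgid, "length": length,
    }


def triage(pkt):
    """Decide whether a responder that only speaks the RFC exchanges should
    process or silently drop the message, and say why."""
    hdr = parse_isakmp_header(pkt)
    xr = exchange_type_range(hdr["exchange_type"])
    pr = payload_type_range(hdr["next_payload"])
    if xr != "standard":
        # An unrecognised exchange type means the payloads cannot be
        # interpreted at all, so drop before parsing any of them.
        return {"action": "drop",
                "reason": "unknown exchange type %d (%s range)"
                          % (hdr["exchange_type"], xr)}
    if pr != "standard":
        return {"action": "drop",
                "reason": "next payload type has an unknown value: %d (%s range)"
                          % (hdr["next_payload"], pr)}
    return {"action": "process",
            "reason": "%s exchange, first payload %s"
                      % (KNOWN_EXCHANGE_TYPES[hdr["exchange_type"]],
                         KNOWN_PAYLOAD_TYPES[hdr["next_payload"]])}


# Constructed sample headers (not captured traffic). The first mimics the
# values reported in the thread for the Vista client: exchange type 243 with
# a first payload of type 133. The second is an ordinary Main Mode first
# packet (exchange type 2, first payload SA).
VISTA_LIKE_PKT = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 133, 0x10, 243, 0, 0, ISAKMP_HDR.size)
MAIN_MODE_PKT = ISAKMP_HDR.pack(b"\x22" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size)

if __name__ == "__main__":
    for name, pkt in (("vista-like", VISTA_LIKE_PKT), ("main-mode", MAIN_MODE_PKT)):
        print(name, triage(pkt))
```

The order of the checks matters: the exchange type is tested before the payload chain, so a message with an unknown exchange type is dropped without any payload ever being parsed, which is the behaviour Microsoft Support describes as expected for the exchange type 243 packet.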
