[Openswan Users] vista AuthIP

Marco Berizzi pupilla at hotmail.com
Thu Sep 6 05:16:56 EDT 2007

Jacco de Leeuw wrote:

> Paul Wouters wrote:
> > Show us the logs on the openswan end.
> Might be the same as previously posted on the list:
> http://lists.openswan.org/pipermail/users/2007-July/012780.html


> Actually, it was the Microsoft Support team that wrote:
> >> The 133 payload is sent under exchange type 243. Looks like what is
> >> happening is that the linux implementation is accepting the exchange type
> >> 243 packet (it should drop it) and failing the negotiation when it
> >> a 133 payload in the packet.
> These types are from 'private use' ranges, according to the RFC. As far as I
> can see from the code, the only 'private use' exchange types in Openswan are
> Private Echo Request and -Reply but these are 244 and 245,
> So Openswan should ignore what Vista is sending. Looking at Marco's
> log it does indeed:
> > packet from next payload type of ISAKMP Message has
> > unknown value: 133
> Then according to Marco's log the Vista client continues to do its
> thing, which Openswan of course does not understand.
> However, why is Vista sending these private payload types anyway?
> did not respond to the AuthIP vendor IDs that Vista sent (assuming
> this is the proper way to negotiate proprietary extensions).
> Marco, are you sure you haven't enabled something in your Vista client
> forces the use of AuthIP?

Not explicitly.

> For example, don't use that "Windows Firewall with
> Advanced Security" thingie in Vista.

I'm using a standard Vista installation and this script
to build the IPsec tunnel:

netsh advf consec delete rule name=all
set ip=  <<=== vista ip address
netsh advf consec add rule name="osw" mode=tunnel endpoint1=%ip%
endpoint2= qmsecmethods=esp:sha1-aes128
action=requireinrequireout enable=yes qmpfs=mainmode auth1=computercert
enswan at company" remotetunnelendpoint=OPENSWAN_IP_ADDRESS
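
Added example (not part of the original message and not Openswan code): a minimal C check of the fixed ISAKMP header in the order the thread describes, where an unimplemented exchange type such as 243 is dropped before a payload type such as 133 is ever examined. The function names, the verdict enum and the set of "known" types are assumptions of this example; the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28   /* RFC 2408 fixed header size */

enum verdict { PKT_PROCESS, PKT_DROP_MALFORMED, PKT_DROP_EXCHANGE, PKT_DROP_PAYLOAD };

/* RFC 2408 private-use ranges: exchange types 240-255, payload types 128-255 */
int exchange_is_private(uint8_t x) { return x >= 240; }
int payload_is_private(uint8_t np) { return np >= 128; }

/* Assumption: this receiver implements only these exchange types. */
static int exchange_known(uint8_t x)
{
    return (x >= 1 && x <= 5)      /* Base .. Informational (RFC 2408) */
        || x == 32 || x == 33      /* Quick Mode, New Group Mode (RFC 2409) */
        || x == 244 || x == 245;   /* Private Echo Request/Reply, as named in the thread */
}

/* Assumption: only the RFC 2408 payload types 0-13 are implemented. */
static int payload_known(uint8_t np) { return np <= 13; }

/* Build a constructed header-only message (cookies are filler bytes). */
void build_hdr(uint8_t *b, uint8_t np, uint8_t xchg)
{
    memset(b, 0xAA, 16);           /* initiator + responder cookie */
    b[16] = np;   b[17] = 0x10;    /* next payload, version 1.0 */
    b[18] = xchg; b[19] = 0;       /* exchange type, flags */
    memset(b + 20, 0, 4);          /* message ID */
    b[24] = 0; b[25] = 0; b[26] = 0; b[27] = ISAKMP_HDR_LEN;   /* total length */
}

enum verdict classify(const uint8_t *p, size_t len)
{
    if (len < ISAKMP_HDR_LEN) return PKT_DROP_MALFORMED;
    uint32_t declared = (uint32_t)p[24] << 24 | (uint32_t)p[25] << 16
                      | (uint32_t)p[26] << 8 | p[27];
    if (declared < ISAKMP_HDR_LEN || declared > len) return PKT_DROP_MALFORMED;
    if (!exchange_known(p[18])) return PKT_DROP_EXCHANGE;   /* decided before any payload */
    if (!payload_known(p[16])) return PKT_DROP_PAYLOAD;
    return PKT_PROCESS;
}

int main(void)
{
    uint8_t m[ISAKMP_HDR_LEN];
    build_hdr(m, 133, 243);        /* the combination reported in the thread */
    printf("xchg 243 / payload 133 -> verdict %d\n", classify(m, sizeof m));
    build_hdr(m, 133, 2);          /* known exchange, private-use payload */
    printf("xchg 2 / payload 133 -> verdict %d\n", classify(m, sizeof m));
    return 0;
}
```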
