[Openswan Users] vista AuthIP

Marco Berizzi pupilla at hotmail.com
Thu Sep 6 05:16:56 EDT 2007


Jacco de Leeuw wrote:

> Paul Wouters wrote:
>
> > Show us the logs on the openswan end.
>
> Might be the same as previously posted on the list:
> http://lists.openswan.org/pipermail/users/2007-July/012780.html

Exactly.

> Actually, it was the Microsoft Support team that wrote:
>
> >> The 133 payload is sent under exchange type 243. Looks like what is
> >> happening is that the Linux implementation is accepting the exchange type
> >> 243 packet (it should drop it) and failing the negotiation when it finds
> >> a 133 payload in the packet.
>
> These types are from 'private use' ranges, according to the RFC. As far as I
> can see from the code, the only 'private use' exchange types in Openswan are
> Private Echo Request and -Reply but these are 244 and 245, respectively.
>
> So Openswan should ignore what Vista is sending. Looking at Marco's Openswan
> log it does indeed:
>
> > packet from 151.25.20.9:500: next payload type of ISAKMP Message has an
> > unknown value: 133
>
> Then according to Marco's log the Vista client continues to do its AuthIP
> thing, which Openswan of course does not understand.
>
> However, why is Vista sending these private payload types anyway? Openswan
> did not respond to the AuthIP vendor IDs that Vista sent (assuming that
> this is the proper way to negotiate proprietary extensions).
>
> Marco, are you sure you haven't enabled something in your Vista client which
> forces the use of AuthIP?

Not explicitly.

> For example, don't use that "Windows Firewall with
> Advanced Security" thingie in Vista.

I'm using a standard Vista installation and this script to build the IPsec
tunnel:

netsh advf consec delete rule name=all
REM Vista IP address
set ip=151.25.38.58
netsh advf consec add rule name="osw" mode=tunnel endpoint1=%ip% ^
  endpoint2=172.16.0.0/23 qmsecmethods=esp:sha1-aes128 ^
  action=requireinrequireout enable=yes qmpfs=mainmode auth1=computercert ^
  auth1ca="C=IT,ST=Venezia,L=Marcon,O=COMPANY,OU=TEST,CN=Openswan,Email=openswan@company" ^
  remotetunnelendpoint=OPENSWAN_IP_ADDRESS localtunnelendpoint=%ip%
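An added example, not from the thread or from Openswan's code: it parses the RFC 2408 ISAKMP header and classifies the exchange type and first payload into the assigned/reserved/DOI-specific/private-use ranges, so that a datagram with exchange type 243 is dropped before its payload 133 is ever looked at, which is the ordering the Microsoft quote above argues for. The two packets are constructed samples (the exchange type 243 / payload 133 probe from the thread, and an ordinary Main Mode first message).

```python
import struct

# RFC 2408 section 3.1: 28-byte ISAKMP header.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

# Assigned exchange types; 6-31 reserved, 32-239 DOI-specific, 240-255 private use.
EXCHANGE_TYPES = {0: "NONE", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
# Assigned payload types; 14-127 reserved, 128-255 private use.
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE",
                 5: "ID", 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "N", 12: "D", 13: "VID"}

def exchange_class(xtype):
    if xtype in EXCHANGE_TYPES: return EXCHANGE_TYPES[xtype]
    if xtype <= 31: return "reserved"
    if xtype <= 239: return "DOI-specific"
    return "private-use"

def payload_class(ptype):
    if ptype in PAYLOAD_TYPES: return PAYLOAD_TYPES[ptype]
    if ptype <= 127: return "reserved"
    return "private-use"

def triage(packet):
    """Return ('accept'|'drop', reason) for one UDP/500 datagram; exchange type is checked first."""
    if len(packet) < ISAKMP_HDR.size:
        return "drop", "truncated header"
    _ic, _rc, next_payload, version, xtype, _flags, _msgid, length = ISAKMP_HDR.unpack_from(packet)
    if version >> 4 != 1:
        return "drop", f"unsupported major version {version >> 4}"
    if length != len(packet):
        return "drop", f"length field {length} != datagram size {len(packet)}"
    xcls = exchange_class(xtype)
    if xcls in ("reserved", "DOI-specific", "private-use"):
        return "drop", f"exchange type {xtype} ({xcls}) not implemented"
    pcls = payload_class(next_payload)
    if pcls in ("reserved", "private-use"):
        return "drop", f"next payload type {next_payload} ({pcls}) unknown"
    return "accept", f"{xcls} exchange, first payload {pcls}"

def build_header(next_payload, xtype, body=b""):
    """Constructed sample header: dummy initiator cookie, zero responder cookie, IKEv1 version."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(b"\x01" * 8, b"\x00" * 8, next_payload, 0x10, xtype, 0, 0, length) + body

AUTHIP_PROBE = build_header(next_payload=133, xtype=243, body=b"\x00" * 8)  # constructed
MAIN_MODE_SA = build_header(next_payload=1, xtype=2, body=b"\x00" * 8)      # constructed

if __name__ == "__main__":
    for name, pkt in (("AuthIP probe", AUTHIP_PROBE), ("Main Mode", MAIN_MODE_SA)):
        print(name, *triage(pkt))
```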
