[Openswan Users] Microsoft case SRX071018601917-1, was Re: Cisco and Win2003 fixes in Openswan 2.4.10
Paul Wouters
paul at xelerance.com
Mon Feb 25 12:45:51 EST 2008
On Sun, 24 Feb 2008, Jacco de Leeuw wrote:
> #449: 17/%any is a template conn problem [mcr]
> #802: Error: "our client ID returned doesn't match my proposal" [mcr/paul]
> - When connecting to a Cisco server, the following is logged:
> "Allowing bad L2TP/IPsec proposal (see bug #849) anyway".
> I suppose this refers to bug #449 as well? Bug #849 is not
> listed in the changelog.
Because http://bugs.xelerance.com/view.php?id=849 is actually related to #449
> - Windows Server 2003 and ISA Server 2006 also send bad L2TP/IPsec
> proposals: they are confused about subnets in the negotiation.
Yes. And I've spent a lot of time reminding Microsoft engineers about this,
and after like 20 messages back and forth, I got completely ignored :(
> However, unlike the Cisco fix, the workaround in Openswan 2.4.10 is
> not enabled by default. You have to define ALLOW_MICROSOFT_BAD_PROPOSAL
> to enable the workaround. Are there any cons in enabling it? Or is it
> a matter of waiting for Microsoft to fix their stuff?
It is not a complete fix. From http://bugs.xelerance.com/view.php?id=870
Note that after "allowing" the questionable proposal anyway,
the connection does not work despite the IPsec SA coming up. I
assume that the other end actually installed the wrong policy
as well (the one it announced to us which we tried to ignore)
Note, that if this is true, it is REALLY bad. It would let you set up
arbitrary IP range tunnels into their network. It would be front page
news.
> - Is there anyone who tried connecting to Windows Server 2008?
I am not aware of anyone.
> I don't suppose Microsoft has fixed the problem mentioned above?
Not that they told me. But if one of the Microsoft people on the CC: list
wishes to pick this up again, it is Microsoft case number SRX071018601917-1
and the full details are at: http://bugs.xelerance.com/view.php?id=870
Paul Wouters
Xelerance Corp.
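An added illustration (not Openswan's code, and not part of the original thread) of the responder-side client-ID comparison behind the "our client ID returned doesn't match my proposal" error, and of what an ALLOW_MICROSOFT_BAD_PROPOSAL-style workaround should and should not do: the mismatch is tolerated, but the policy installed locally is still our own proposal, never the peer's returned IDs. The ID format and function names are hypothetical simplifications of IKEv1 Quick Mode client identities.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientID:
    """Simplified IKEv1 Quick Mode client identity: subnet, protocol, port."""
    net: ipaddress.IPv4Network
    proto: int = 0
    port: int = 0

def parse_client_id(text: str) -> ClientID:
    """Parse the constructed 'a.b.c.d/len[/proto[/port]]' notation (hypothetical format)."""
    parts = text.split("/")
    net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=True)
    proto = int(parts[2]) if len(parts) > 2 else 0
    port = int(parts[3]) if len(parts) > 3 else 0
    return ClientID(net, proto, port)

def select_policy(proposed_ours: ClientID, proposed_peer: ClientID,
                  returned_ours: ClientID, returned_peer: ClientID,
                  allow_bad_proposal: bool = False):
    """Decide what to install after the peer echoes back the client IDs.

    Returns ('reject', None) when the returned IDs differ from what we
    proposed, unless the workaround is enabled. When it is enabled we log
    the discrepancy and install *our* proposal, so a peer returning a wider
    range (e.g. 0.0.0.0/0) cannot widen the tunnel on our side. Whether the
    peer installed its wrong range is outside our control, which is the
    risk raised in the thread.
    """
    mismatch = (returned_ours != proposed_ours) or (returned_peer != proposed_peer)
    if mismatch and not allow_bad_proposal:
        return ("reject", None)
    if mismatch:
        print(f"Allowing bad proposal anyway: peer returned "
              f"{returned_ours.net}<->{returned_peer.net}, keeping "
              f"{proposed_ours.net}<->{proposed_peer.net}")
    return ("accept", (proposed_ours, proposed_peer))

if __name__ == "__main__":
    # Constructed sample: we proposed 10.0.0.0/24 <-> one road-warrior host,
    # and the peer answered with 0.0.0.0/0 for our side.
    ours, peer = parse_client_id("10.0.0.0/24"), parse_client_id("192.168.1.5/32/17/1701")
    bad_ours = parse_client_id("0.0.0.0/0")
    print(select_policy(ours, peer, bad_ours, peer))
    print(select_policy(ours, peer, bad_ours, peer, allow_bad_proposal=True))
```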