[Openswan Users] inter operate with windows server 2000 (site to site)

Ryan McLeod r.mcleod20 at gmail.com
Wed Jul 21 14:21:11 EDT 2010


OK SOLVED!! YAY. The issue, which I read here:
http://archives.free.net.ph/message/20080320.204610.6aa04768.fi.html
is that Openswan no longer supports DES, needs 3DES. It's what I
initially tried to use with Windows 2000, but the event log reported an
informational error from Oakley which started with: this ip security
policy for isakmp/oakley specified an encryption algorithm that is
invalid due to export cryptography restrictions. And it went on to say
that DES will be used instead of 3DES. Now my Server 2000 has no
service packs installed, and I have no internet access to get them.

So I got a VM of Windows Server 2003 up and running, did the same
settings and it established fine.

Thanks for input on helping me figure this out.

Ryan

On Wed, Jul 21, 2010 at 1:06 PM, Ryan McLeod <r.mcleod20 at gmail.com> wrote:
> Looking in auth.log right now. They send hashes to one another, the
> cookies match.
>
> Then there's:
> got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
> ****parse ISAKMP Notification Payload:
>     next payload type: ISAKMP_NEXT_NONE
> length:40
> DOI: ISAKMP_DOI_IPSEC
> protocol ID: 1
> SPI size 16
> Notify Message Type: NO_PROPOSAL_CHOSEN
>
> Not sure if that's any help or not. Most things I've seen on Google are
> mismatched esp auth/encryption methods or connectivity issues. They
> can ping one another, and I've specified des-md5 in the conf file. In
> Windows, each of the IPSec rules requires security, with a DES/MD5
> custom security method on the top of the list. And in the general
> settings for the policy I have IKE: DES, MD5, Group 2 on top. (I've
> tried group 1 as well)
>
> Thanks,
>
> Ryan
>
> On Wed, Jul 21, 2010 at 12:55 PM, Randy Wyatt <rwyatt at nvtl.com> wrote:
>> Have you taken a debug log?
>>
>> plutodebug="all" in ipsec.conf
>>
>> Regards,
>> Randy
>>
>> -----Original Message-----
>> From: Ryan McLeod [mailto:r.mcleod20 at gmail.com]
>> Sent: Wednesday, July 21, 2010 9:54 AM
>> To: Paul Wouters
>> Cc: Randy Wyatt; users at openswan.org
>> Subject: Re: [Openswan Users] inter operate with windows server 2000 (site tosite)
>>
>> As I still haven't had any luck getting this working, I just wanted to
>> check that this is the way it's supposed to be in the
>> programs/pluto/Makefile:
>>
>> # Enable ALLOW_MICROSOFT_BAD_PROPOSAL
>> CFLAGS+=-DALLOW_MICROSOFT_BAD_PROPOSAL
>>
>> I didn't add anything to this, it's how I found it.
>>
>> Thanks,
>>
>> Ryan
>>
>> On Wed, Jul 21, 2010 at 11:25 AM, Paul Wouters <paul at xelerance.com> wrote:
>>> On Wed, 21 Jul 2010, Randy Wyatt wrote:
>>>
>>>> Subject: Re: [Openswan Users] inter operate with windows server 2000 (site
>>>>    tosite)
>>>>
>>>> You have to define it in programs/Pluto/Makefile.options.
>>>
>>>> Yes it is version 2.6.27. I can't say whether or not I specified
>>>> ALLOW_MICROSOFT_BAD_PROPOSAL. That would be specified during
>>>
>>> That has been enabled per default in 2.6.27
>>>
>>> Paul
>>>
>>
>
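
A diagnostic example for the failure discussed in this thread, added here and not code from the thread's participants or from Openswan: it extracts ISAKMP Notification payloads from pluto debug output and flags config lines that offer single DES. The sample log and config are constructed; the conn name and the use of `ike=`/`esp=` lines for the des-md5 setting are assumptions.

```python
import re

# Constructed sample in the shape of the pluto debug output quoted in this thread.
SAMPLE_LOG = """\
got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
****parse ISAKMP Notification Payload:
    next payload type: ISAKMP_NEXT_NONE
length:40
Notify Message Type: NO_PROPOSAL_CHOSEN
"""
# Constructed ipsec.conf fragment; conn name and ike=/esp= lines are assumptions.
SAMPLE_CONF = """\
conn win2000-site
    ike=des-md5
    esp=des-md5
"""
FIELD = re.compile(r"^([A-Za-z ]+):\s*(\S.*)$")
SINGLE_DES = re.compile(r"des(?![0-9a-z])", re.I)  # matches "des-md5", not "3des-md5"

def notifications(log_text):
    """Return one dict of fields per ISAKMP Notification payload in the log."""
    payloads, current = [], None
    for raw in log_text.splitlines():
        line = raw.split("|", 1)[-1].strip()  # drop a leading "| " debug prefix if present
        if "parse ISAKMP Notification Payload" in line:
            current = {}
            payloads.append(current)
        elif line.startswith("got payload") or "parse ISAKMP" in line:
            current = None  # a payload of another kind begins here
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return payloads

def single_des_lines(conf_text):
    """Return (line_number, text) for each ike=/esp= line offering single DES."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*(ike|esp)\s*=\s*(\S+)", line)
        if m and any(SINGLE_DES.match(p) for p in m.group(2).split(",")):
            hits.append((n, line.strip()))
    return hits

def diagnose(log_text, conf_text):
    """Return (NO_PROPOSAL_CHOSEN was parsed, config lines offering single DES)."""
    rejected = any(p.get("Notify Message Type") == "NO_PROPOSAL_CHOSEN"
                   for p in notifications(log_text))
    return rejected, single_des_lines(conf_text)
```
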

