Bug 136927

Summary: Problems with IPSEC between Windows 2000 and FC2
Product: Fedora
Component: initscripts
Version: 2
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Albert Strasheim <13640887>
Assignee: Bill Nottingham <notting>
CC: rvokal
Doc Type: Bug Fix
Last Closed: 2004-10-25 12:43:20 UTC

Description Albert Strasheim 2004-10-23 10:38:44 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040911 Firefox/0.10

Description of problem:
I have set up an IPSEC connection between Fedora Core 2 and Windows
2000. ifup-ipsec has a number of problems, however.

1. It adds AH transports, which Windows doesn't seem to like.
2. Windows 2000 uses PFS group 0; FC2 is configured to use PFS group 2.

The second problem results in the following error messages in
/var/log/messages:

Oct 23 12:04:52 dogbert racoon: ERROR: proposal.c:234:cmpsaprop_alloc(): pfs group mismatched: my:2 peer:0

I'm using automatic keying.
/etc/sysconfig/network-scripts/ifcfg-ipsec0 looks as follows:

ONBOOT=yes
USERCTL=no
TYPE=IPSEC
DST=192.168.1.3
IKE_METHOD=X509
IKE_CERTFILE=/etc/racoon/certs/dogbert
IKE_PEER_CERTFILE=/etc/racoon/certs/catbert

I changed ifup-ipsec as follows to get Windows 2000 IPSEC to work
(this is not a general solution):

--- ifup-ipsec.orig     2004-10-23 12:10:29.904272390 +0200
+++ ifup-ipsec  2004-10-23 12:11:07.149475972 +0200
@@ -179,12 +179,10 @@
 
 spdadd $SRC $DST any -P out ipsec
            esp/transport//require
-           ah/transport//require
            ;
                      
 spdadd $DST $SRC any -P in ipsec
            esp/transport//require
-           ah/transport//require
            ;
 EOF
     else
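Review bot: this drops the AH layer for every tunnel ifup-ipsec brings up, not only for Windows 2000 peers, and the description itself calls the change "not a general solution"; the ESP-only policy should be selected per connection (for example from a variable in the ifcfg-ipsec file, read alongside DST and IKE_METHOD) so that existing ESP+AH peers keep matching the policy they have installed. The caveat worth recording with the change: without `ah/transport//require` the outer IP header is no longer integrity-protected, so the ESP proposal racoon negotiates must carry an authentication algorithm for the payload to stay authenticated at all.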
@@ -219,6 +217,7 @@
 remote $DST
 {
        exchange_mode aggressive, main;
+       proposal_check obey;
 EOF
         case "$IKE_METHOD" in
            PSK)
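Review bot: `proposal_check obey;` is too permissive here: it silences the "pfs group mismatched: my:2 peer:0" error by letting racoon accept whatever the initiator proposes, including no PFS at all (group 0) and the peer's lifetimes, and because the line sits in the `remote $DST` block before `case "$IKE_METHOD" in` it applies to PSK and X509 peers alike. The narrower fix is to match the peer's PFS group explicitly (the `pfs_group` directive in the sainfo section, or re-enabling PFS on the Windows side, which is what Comment 1 ends up doing) and keep proposal_check at strict or claim so a proposal that still disagrees is rejected rather than obeyed.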

Version-Release number of selected component (if applicable):
initscripts-7.55.1-1

How reproducible:
Always

Steps to Reproduce:
1. Set up IPSEC between Windows 2000 and FC2
2. Doesn't work
3. Remove AH transports and add proposal_check obey;
    

Additional info:

The problem with the AH transport is also discussed at
http://www.purple.dropbear.id.au/node/view/64
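The two decisions the patch hard-codes (no AH, obey the peer's PFS proposal) can instead be parameters of the policy ifup-ipsec writes. The script below is an added example and is not code from initscripts' ifup-ipsec or from the reporter's patch: it emits the setkey(8) SPD entries and the racoon.conf fragments for one transport-mode peer, with AH switchable per connection and the phase-2 PFS group matched to the peer while proposal_check stays strict. SRC=192.168.1.2, the variable names IKE_AH and PFS_GROUP, and the cipher and hash choices are assumptions for the example; only DST=192.168.1.3 comes from the report.

```shell
#!/bin/sh
# Added example, not code from initscripts' ifup-ipsec or the reporter's patch:
# build the setkey(8) policy and racoon.conf fragments that ifup-ipsec writes
# through heredocs, but with the two peer-specific decisions from the bug (AH on
# or off, PFS group) taken from parameters instead of patched out of the script
# for every tunnel on the host. IKE_AH and PFS_GROUP are names invented here;
# they are not ifcfg-ipsec options recognised by initscripts.

# spd_policy SRC DST IKE_AH
# IKE_AH=yes reproduces the stock ESP+AH transport policy; IKE_AH=no installs
# ESP only, for peers such as Windows 2000 that reject the AH proposal. ESP
# still authenticates the payload once an auth algorithm is negotiated; what is
# lost without AH is integrity protection of the outer IP header.
spd_policy() {
    src=$1 dst=$2 ah=${3:-yes}
    for dir in out in; do
        if [ "$dir" = out ]; then a=$src b=$dst; else a=$dst b=$src; fi
        printf 'spdadd %s %s any -P %s ipsec\n' "$a" "$b" "$dir"
        printf '           esp/transport//require\n'
        if [ "$ah" = yes ]; then
            printf '           ah/transport//require\n'
        fi
        printf '           ;\n'
    done
}

# racoon_conf SRC DST PFS_GROUP
# Aligns the phase-2 PFS group with the peer in the sainfo section (group 0 in
# racoon's log means "no PFS", expressed by omitting pfs_group entirely) and
# keeps proposal_check strict in the remote section, so a proposal that still
# disagrees on lifetime or PFS group is rejected instead of obeyed. The
# algorithms below are assumptions for the example, as is the phase-1 proposal;
# the certificate lines ifup-ipsec derives from IKE_METHOD are left out.
racoon_conf() {
    src=$1 dst=$2 pfs=${3:-2}
    printf 'remote %s\n{\n' "$dst"
    printf '        exchange_mode main;\n'
    printf '        proposal_check strict;\n'
    printf '        proposal {\n'
    printf '                encryption_algorithm 3des;\n'
    printf '                hash_algorithm sha1;\n'
    printf '                authentication_method rsasig;\n'
    printf '                dh_group 2;\n'
    printf '        }\n'
    printf '}\n'
    printf 'sainfo address %s any address %s any\n{\n' "$src" "$dst"
    if [ "$pfs" != 0 ]; then
        printf '        pfs_group %s;\n' "$pfs"
    fi
    printf '        encryption_algorithm 3des;\n'
    printf '        authentication_algorithm hmac_sha1;\n'
    printf '        compression_algorithm deflate;\n'
    printf '}\n'
}

# Example run: DST from the report, SRC assumed, AH off, PFS group 2 on both
# ends (the Windows filter action must be set to the same group for this to
# negotiate; otherwise pass 0 and accept that the tunnel has no PFS).
spd_policy 192.168.1.2 192.168.1.3 no
racoon_conf 192.168.1.2 192.168.1.3 2
```

The output of spd_policy is what you would feed to `setkey -c`, and `setkey -DP` afterwards shows whether the installed policy still lists an AH layer; the racoon fragment shows the mismatch in the log resolved by agreeing on a group rather than by obeying the peer.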

Comment 1 Albert Strasheim 2004-10-25 12:43:20 UTC
I've resolved the problems with the AH transports and PFS by adding a
new filter action for the IP Security Policy on the windows side. More
details here:

http://albert.bagasie.com/archives/000030.html
http://albert.bagasie.com/archives/000031.html