Bug 136927 - Problems with IPSEC between Windows 2000 and FC2
Summary: Problems with IPSEC between Windows 2000 and FC2
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: initscripts
Version: 2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2004-10-23 10:38 UTC by Albert Strasheim
Modified: 2014-03-17 02:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-10-25 12:43:20 UTC
Type: ---
Embargoed:



Description Albert Strasheim 2004-10-23 10:38:44 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040911 Firefox/0.10

Description of problem:
I have set up an IPSEC connection between Fedora Core 2 and Windows
2000. ifup-ipsec has a number of problems, however.

1. It adds AH transports which Windows doesn't seem to like.
2. Windows 2000 uses pfs group 0, FC2 is configured to use pfs group 2.

The second problem results in the following error messages in
/var/log/messages:

Oct 23 12:04:52 dogbert racoon: ERROR:
proposal.c:234:cmpsaprop_alloc(): pfs group mismatched: my:2 peer:0

I'm using automatic keying.
/etc/sysconfig/network-scripts/ifcfg-ipsec0 looks as follows:

ONBOOT=yes
USERCTL=no
TYPE=IPSEC
DST=192.168.1.3
IKE_METHOD=X509
IKE_CERTFILE=/etc/racoon/certs/dogbert
IKE_PEER_CERTFILE=/etc/racoon/certs/catbert

I changed ifup-ipsec as follows to get Windows 2000 IPSEC to work
(this is not a general solution):

--- ifup-ipsec.orig     2004-10-23 12:10:29.904272390 +0200
+++ ifup-ipsec  2004-10-23 12:11:07.149475972 +0200
@@ -179,12 +179,10 @@
 
 spdadd $SRC $DST any -P out ipsec
            esp/transport//require
-           ah/transport//require
            ;
                      
 spdadd $DST $SRC any -P in ipsec
            esp/transport//require
-           ah/transport//require
            ;
 EOF
     else
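Review bot: the two `-           ah/transport//require` removals drop AH for every automatic-keying peer this script configures, not only the Windows 2000 peer, and the reporter says as much ("not a general solution"); rather than hard-coding the change, gate it on an ifcfg-ipsec variable (a hypothetical AH on/off switch) so the existing default stays in place for peers that do accept AH. Once AH is gone, ESP is the only integrity protection on these policies, so whatever sainfo the script emits for this peer must set an `authentication_algorithm`; an ESP-only policy with encryption but no authentication would be a regression. The manual-keying branch that starts at `else` is untouched by the hunk, so its policy will no longer match the automatic-keying one.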
@@ -219,6 +217,7 @@
 remote $DST
 {
        exchange_mode aggressive, main;
+       proposal_check obey;
 EOF
         case "$IKE_METHOD" in
            PSK)
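Review bot: `+       proposal_check obey;` goes further than the reported mismatch needs. With `obey` racoon's responder accepts whatever the initiator proposes in phase 2 for every peer set up through this script, which includes a no-PFS (group 0) proposal and the initiator's lifetimes. The logged error (`pfs group mismatched: my:2 peer:0`) comes from racoon requiring group 2 while Windows 2000 proposes none; under the default `strict` check, a responder that does not require PFS (no `pfs_group` in its sainfo) already accepts such a proposal. Either drop `pfs_group` from the sainfo generated for this DST, or keep `pfs_group 2` and enable PFS on the Windows side, but do not hard-code `obey` in the `remote` block; if a looser check is wanted at all, make it an ifcfg option and document what it gives up.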

Version-Release number of selected component (if applicable):
initscripts-7.55.1-1

How reproducible:
Always

Steps to Reproduce:
1. Set up IPSEC between Windows 2000 and FC2
2. Doesn't work
3. Remove AH transports and add proposal_check obey;
    

Additional info:

The problem with the AH transport is also discussed at
http://www.purple.dropbear.id.au/node/view/64
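Added example, not from the report or from initscripts: a standalone /etc/racoon/racoon.conf for the peer in the ifcfg file above, showing the loose setting the patch introduces next to the stricter way of accepting a Windows 2000 no-PFS proposal. The addresses (local 192.168.1.2, DST 192.168.1.3), the certificate file names and the sainfo algorithms are assumptions; the key file name "dogbert.key" is hypothetical.

```conf
# Added example racoon.conf for the Windows 2000 peer at 192.168.1.3.
# Assumptions: local address 192.168.1.2, X.509 files under
# /etc/racoon/certs as in ifcfg-ipsec0, hypothetical key file dogbert.key.
path certificate "/etc/racoon/certs";

remote 192.168.1.3
{
        exchange_mode main;
        certificate_type x509 "dogbert" "dogbert.key";
        peers_certfile "catbert";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;

        # Loose variant from the reported patch: as responder, racoon
        # accepts whatever this initiator proposes (no PFS, its lifetimes).
        #proposal_check obey;

        # Stricter: keep racoon's default check. Because the sainfo below
        # sets no pfs_group, a group 0 (no-PFS) phase 2 proposal from
        # Windows 2000 is accepted. If PFS is wanted, put "pfs_group 2;"
        # in the sainfo AND enable PFS (DH group 2) in the Windows filter
        # action, rather than loosening racoon.
        proposal_check strict;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

sainfo address 192.168.1.2 any address 192.168.1.3 any
{
        # pfs_group deliberately omitted: no PFS, matching the Windows
        # 2000 default reported as "peer:0".
        lifetime time 1 hour;
        encryption_algorithm 3des;
        # With AH removed from the SPD, ESP must carry its own integrity
        # check, so an authentication algorithm is mandatory here.
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The matching SPD is the ESP-only pair from the patch, loaded with setkey: `spdadd 192.168.1.2 192.168.1.3 any -P out ipsec esp/transport//require;` and the mirror `spdadd 192.168.1.3 192.168.1.2 any -P in ipsec esp/transport//require;`. Check the result with `setkey -DP` and, after the first packet triggers negotiation, `setkey -D` should list an ESP SA in each direction using hmac-sha1 and 3des-cbc.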

Comment 1 Albert Strasheim 2004-10-25 12:43:20 UTC
I've resolved the problems with the AH transports and PFS by adding a
new filter action for the IP Security Policy on the windows side. More
details here:

http://albert.bagasie.com/archives/000030.html
http://albert.bagasie.com/archives/000031.html

