Description of problem:
I have set up an IPSEC connection between Fedora Core 2 and Windows
2000. ifup-ipsec has a number of problems, however.
1. It adds AH transports which Windows doesn't seem to like.
2. Windows 2000 uses pfs group 0, FC2 is configured to use pfs group 2.
The second problem results in the following error messages in
Oct 23 12:04:52 dogbert racoon: ERROR:
proposal.c:234:cmpsaprop_alloc(): pfs group mismatched: my:2 peer:0
I'm using automatic keying.
/etc/sysconfig/network-scripts/ifcfg-ipsec0 looks as follows:
I changed ifup-ipsec as follows to get Windows 2000 IPSEC to work
(this is not a general solution):
--- ifup-ipsec.orig 2004-10-23 12:10:29.904272390 +0200
+++ ifup-ipsec 2004-10-23 12:11:07.149475972 +0200
@@ -179,12 +179,10 @@
spdadd $SRC $DST any -P out ipsec
spdadd $DST $SRC any -P in ipsec
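Review bot: the removal in the policy block around the two spdadd lines is unconditional, so every connection brought up through ifup-ipsec loses the AH transport requirement, not only the one to the Windows 2000 peer. The hunk header shows the block going from 12 lines to 10, but the removed lines are not visible in the patch as posted, so the change cannot be checked line by line. Since the report itself calls this "not a general solution", gate the AH requirement on a per-connection setting read from the ifcfg file and keep the current behaviour as the default.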
@@ -219,6 +217,7 @@
exchange_mode aggressive, main;
+ proposal_check obey;
case "$IKE_METHOD" in
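Review bot: `proposal_check obey;` added next to `exchange_mode aggressive, main;` is written into the generated racoon configuration for every peer, and with obey the responder accepts the initiator's lifetime, key length and PFS values as proposed. That makes the "pfs group mismatched: my:2 peer:0" error go away by letting the peer negotiate without PFS, which weakens all connections rather than just the Windows 2000 one. Emit the line only when a per-connection option in the ifcfg file asks for it, or make the PFS group configurable per connection so the mismatch is resolved without relaxing the check, and document the trade-off where the option is described.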
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up IPSEC between Windows 2000 and FC2
2. Doesn't work
3. Remove AH transports and add proposal_check obey;
The problem with the AH transport is also discussed at
I've resolved the problems with the AH transports and PFS by adding a
new filter action for the IP Security Policy on the Windows side. More