Bug 136927 - Problems with IPSEC between Windows 2000 and FC2
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: initscripts
Version: 2
Platform: All Linux
Priority: medium  Severity: medium
Assigned To: Bill Nottingham
Reported: 2004-10-23 06:38 EDT by Albert Strasheim
Modified: 2014-03-16 22:49 EDT
Last Closed: 2004-10-25 08:43:20 EDT
Doc Type: Bug Fix
Attachments: None
Description Albert Strasheim 2004-10-23 06:38:44 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3)
Gecko/20040911 Firefox/0.10

Description of problem:
I have set up an IPSEC connection between Fedora Core 2 and Windows
2000. ifup-ipsec has a number of problems, however.

1. It adds AH transports which Windows doesn't seem to like.
2. Windows 2000 uses pfs group 0, FC2 is configured to use pfs group 2.

The second problem results in the following error messages in
/var/log/messages:

Oct 23 12:04:52 dogbert racoon: ERROR:
proposal.c:234:cmpsaprop_alloc(): pfs group mismatched: my:2 peer:0

I'm using automatic keying.
/etc/sysconfig/network-scripts/ifcfg-ipsec0 looks as follows:

ONBOOT=yes
USERCTL=no
TYPE=IPSEC
DST=192.168.1.3
IKE_METHOD=X509
IKE_CERTFILE=/etc/racoon/certs/dogbert
IKE_PEER_CERTFILE=/etc/racoon/certs/catbert

I changed ifup-ipsec as follows to get Windows 2000 IPSEC to work
(this is not a general solution):

--- ifup-ipsec.orig     2004-10-23 12:10:29.904272390 +0200
+++ ifup-ipsec  2004-10-23 12:11:07.149475972 +0200
@@ -179,12 +179,10 @@
 
 spdadd $SRC $DST any -P out ipsec
            esp/transport//require
-           ah/transport//require
            ;
                      
 spdadd $DST $SRC any -P in ipsec
            esp/transport//require
-           ah/transport//require
            ;
 EOF
     else
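Review bot: the removal of `ah/transport//require` from both spdadd policies is unconditional, so every connection brought up by ifup-ipsec loses the AH bundle, not only the Windows 2000 peer; the description itself says this is not a general solution. Suggest keeping both AH lines and emitting them only when a per-connection ifcfg variable (a hypothetical IKE_AH=no, for example) has not switched them off, so existing peers that negotiate ESP+AH keep getting the same policy. The patch does keep the out and in policies symmetric, which is required for the SPD to match in both directions.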
@@ -219,6 +217,7 @@
 remote $DST
 {
        exchange_mode aggressive, main;
+       proposal_check obey;
 EOF
         case "$IKE_METHOD" in
            PSK)
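Review bot: `proposal_check obey;` lands in the generic remote block, so racoon will accept whatever this peer proposes (SA lifetime and PFS group included) for every connection the script generates, not just the Windows 2000 one; obey is the most permissive of racoon's levels (obey, strict, claim, exact). Since the description shows the actual mismatch is `pfs group mismatched: my:2 peer:0`, a narrower fix is to make the proposal_check level, or the PFS group itself, a per-connection setting and only relax it for this peer, rather than letting every remote dictate the negotiated parameters.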

Version-Release number of selected component (if applicable):
initscripts-7.55.1-1

How reproducible:
Always

Steps to Reproduce:
1. Set up IPSEC between Windows 2000 and FC2
2. Doesn't work
3. Remove AH transports and add proposal_check obey;
    

Additional info:

The problem with the AH transport is also discussed at
http://www.purple.dropbear.id.au/node/view/64
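An added example, not code from initscripts: a shell sketch of how the two fragments ifup-ipsec generates (the setkey SPD policy and the start of the racoon remote block) could take the AH bundle and the proposal_check level from per-connection variables instead of changing them unconditionally as the patch above does. IKE_AH and IKE_PROPOSAL_CHECK are hypothetical ifcfg-ipsec0 variable names assumed here.

```shell
#!/bin/sh
# Hypothetical per-connection settings (not real ifcfg-ipsec keys):
#   IKE_AH=yes|no           keep or drop the ah/transport bundle
#   IKE_PROPOSAL_CHECK=...  racoon proposal_check level for this peer

# gen_spd SRC DST [AH]: emit the setkey SPD entries for both directions.
# AH=no leaves only esp/transport, which is what Windows 2000 accepted.
gen_spd() {
    src=$1; dst=$2; ah=${3:-yes}
    for dir in out in; do
        # out: SRC -> DST, in: DST -> SRC, so the policy stays symmetric
        if [ "$dir" = out ]; then a=$src; b=$dst; else a=$dst; b=$src; fi
        printf 'spdadd %s %s any -P %s ipsec\n' "$a" "$b" "$dir"
        printf '           esp/transport//require\n'
        [ "$ah" = yes ] && printf '           ah/transport//require\n'
        printf '           ;\n'
    done
}

# gen_remote DST [CHECK]: emit the opening of the racoon "remote" block.
# CHECK must be one of racoon's levels; the default stays strict so that
# obey is only used where a connection explicitly asks for it.
gen_remote() {
    dst=$1; check=${2:-strict}
    case "$check" in
        obey|strict|claim|exact) ;;
        *) echo "unknown proposal_check level: $check" >&2; return 1 ;;
    esac
    printf 'remote %s\n{\n' "$dst"
    printf '       exchange_mode aggressive, main;\n'
    printf '       proposal_check %s;\n' "$check"
}

# Usage with the values from the report (192.168.1.2 is an assumed local address):
# IKE_AH=no; IKE_PROPOSAL_CHECK=obey
# gen_spd 192.168.1.2 192.168.1.3 "$IKE_AH"
# gen_remote 192.168.1.3 "$IKE_PROPOSAL_CHECK"
```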
Comment 1 Albert Strasheim 2004-10-25 08:43:20 EDT
I've resolved the problems with the AH transports and PFS by adding a
new filter action for the IP Security Policy on the windows side. More
details here:

http://albert.bagasie.com/archives/000030.html
http://albert.bagasie.com/archives/000031.html
