Re: IPSec between OpenBSD and Windows XP
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: IPSec between OpenBSD and Windows XP
- From: Waldemar Brodkorb <wbx_(_at_)_openbsd-geek_(_dot_)_de>
- Date: Fri, 4 Feb 2005 07:09:10 +0100
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
Hi,
Andreas Krummrich wrote,
> Hi,
>
> I'm having trouble connecting an OpenBSD 3.6 and a Windows XP box.
> Here's the error message:
It is impossible. Part of the enhanced security features of OpenBSD.
Do not connect any unsecure operating system.
Just a joke ;)
You have not specified any lifetimes. IIRC Windows XP (I hope you
use SP2) has a different default lifetime than isakmpd.
NO_PROPOSAL_CHOSEN means that IKE was not successful, because there
is no conclusion on parameters for phase 1.
To debug you can enable oakley.log:
Enabling this setting causes Windows to create an Oakley.log file in
the %SystemRoot%\debug folder for developers or network administrators
with advanced IKE knowledge.
You need to create the following registry key (with regedit):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley "EnableLogging"=dword:00000001
You can use tcpdump to sniff the communication and analyze the
handshake. Then you will see what lifetime your Windows XP IPsec
client suggests.
good luck
Waldemar
--
blog your mind!
http://openbsd-geek.de/
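
To make the tcpdump step above concrete, here is an added example (not part of the original message) that decodes the attribute list of an IKE phase 1 transform as defined in RFC 2408 section 3.3 and RFC 2409 Appendix A, then reports which parameters differ between two proposals. The byte strings and the lifetimes in them are constructed samples, not captures from Windows XP or isakmpd, and the function names are hypothetical.

```python
import struct

# IKE phase 1 attribute classes and values (RFC 2409, Appendix A); subset only.
CLASSES = {1: "encryption", 2: "hash", 3: "auth", 4: "group",
           11: "life_type", 12: "life_duration"}
VALUES = {
    "encryption": {1: "DES-CBC", 5: "3DES-CBC"},
    "hash": {1: "MD5", 2: "SHA"},
    "auth": {1: "pre-shared key", 3: "RSA signatures"},
    "group": {1: "MODP-768", 2: "MODP-1024"},
    "life_type": {1: "seconds", 2: "kilobytes"},
}

def parse_attributes(data: bytes) -> dict:
    """Decode ISAKMP data attributes (RFC 2408, section 3.3) into a dict."""
    out, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        head, second = struct.unpack_from("!HH", data, off)
        off += 4
        if head & 0x8000:            # AF=1: short form, value is these 2 bytes
            value = second
        else:                        # AF=0: long form, these 2 bytes are a length
            if off + second > len(data):
                raise ValueError("attribute length exceeds payload")
            value = int.from_bytes(data[off:off + second], "big")
            off += second
        name = CLASSES.get(head & 0x7FFF, f"class_{head & 0x7FFF}")
        out[name] = VALUES.get(name, {}).get(value, value)
    return out

def diff_proposals(a: dict, b: dict) -> dict:
    """Return {attribute: (a_value, b_value)} for every parameter that differs."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if a.get(k) != b.get(k)}

# Constructed sample transforms (not captured from either system):
# 3DES, SHA, pre-shared key, MODP-1024, lifetime counted in seconds.
COMMON = bytes.fromhex("80010005" "80020002" "80030001" "80040002" "800b0001")
OFFERED = COMMON + bytes.fromhex("000c0004" "00007080")   # 28800 s, long form
EXPECTED = COMMON + bytes.fromhex("800c0e10")             # 3600 s, short form

if __name__ == "__main__":
    print(diff_proposals(parse_attributes(OFFERED), parse_attributes(EXPECTED)))
```

The life duration can appear in either the short or the long encoding, so the comparison is done on decoded values rather than on raw bytes.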