A Windows XP help forum. PCbanter

Setting up IPSec



 
 
#1
December 14th 03, 01:34 AM
Lionel Fourquaux

[Sorry for the huge cross-post. It's a rather technical question, and I'm unsure where
to post so as to find IPsec experts.]

Hello

I'm trying to set up an IPSec tunnel between a personal computer running WinXP Pro SP1
(with latest updates) and a remote server in a Unix-only network (this server is running
Linux 2.4.20 plus Freeswan, precisely, but I don't think the problem is due to interoperability
issues).

The Oakley log shows that the connection starts going awry at the end of the IKE negotiation,
just before the exchange of identities, and fails with a timeout. Running tcpdump on the
server completes this information: the server sends its first encrypted IKE packet, but the
client doesn't seem to notice it, and thus keeps resending its last message.

I haven't been able to find out why WinXP ignores the encrypted packet: there is no error
message about it, and it seems to be what is described by the IKE protocol. The only two
distinguishing features I can see are that it is encrypted and that it is fragmented.

Any idea?

Thanks in advance!

-- Lionel Fourquaux



#2
December 14th 03, 01:35 AM
Louis Solomon [SteelBytes]

Is there a NAT involved? I think I read somewhere about some issues with
IPsec and NAT ... if there is a NAT, do some googling on this.

--
Louis Solomon
www.SteelBytes.com







#3
December 14th 03, 01:38 AM
Lionel Fourquaux

"Louis Solomon [SteelBytes]" wrote in message ...
> is there a NAT involved ? I think I read somewhere about some issues with
> IPsec and NAT ... if there is a NAT, do some googling on this.


Thank you for your answer. No, there is no NAT between the two computers
(although ICF is running). After some painful experimentation, I found out that
it was the fragmentation of IKE packets that caused problems. I don't really
understand what was going on, but reducing the certificates' key size (1024 should
be enough) suppressed the problem.
Now, I'm trying to understand why WinXP doesn't want to initiate the negotiation,
and why TCP connections do not work while ICMP packets do. I'll post again
if I can't figure it out.

Thanks again!

-- Lionel Fourquaux
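
Added example, not part of the thread or written by either poster: one way to confirm from a packet capture that an IKE message was split into IP fragments, as post #3 concluded. It works on raw IPv4 packets; the function names, addresses and packet contents are constructed for illustration.

```python
import struct
from collections import defaultdict

IKE_PORT = 500  # ISAKMP/IKE runs over UDP port 500

def ipv4_udp(src, dst, ident, payload, offset=0, more=False):
    """Build one IPv4 packet (20-byte header, checksum left 0) for the sample data."""
    frag = (0x2000 if more else 0) | (offset // 8)  # MF flag + offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      frag, 64, 17, 0, bytes(src), bytes(dst))
    return hdr + payload

def dotted(addr):
    return ".".join(map(str, addr))

def fragmented_ike(packets):
    """Return {(src, dst, ip_id): UDP datagram size} for fragmented UDP/500 datagrams."""
    groups = defaultdict(list)
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        total, ident, frag = struct.unpack("!HHH", pkt[2:8])
        if pkt[9] != 17:  # protocol field: keep UDP only
            continue
        more, offset = bool(frag & 0x2000), (frag & 0x1FFF) * 8
        if not more and offset == 0:
            continue  # whole datagram in one packet, not a fragment
        key = (dotted(pkt[12:16]), dotted(pkt[16:20]), ident)
        groups[key].append((offset, pkt[ihl:total]))
    result = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f[0])
        first_off, first_data = frags[0]
        if first_off != 0 or len(first_data) < 8:
            continue  # only the first fragment carries the UDP ports
        sport, dport = struct.unpack("!HH", first_data[:4])
        if IKE_PORT in (sport, dport):
            last_off, last_data = frags[-1]
            result[key] = last_off + len(last_data)
    return result

# Constructed sample: a 2000-byte IKE datagram split at a 1500-byte MTU, plus a small reply.
SERVER, CLIENT = [192, 0, 2, 1], [198, 51, 100, 7]
udp = struct.pack("!HHHH", 500, 500, 2000, 0) + b"\x00" * 1992
SAMPLE = [
    ipv4_udp(SERVER, CLIENT, 0x1234, udp[:1480], offset=0, more=True),
    ipv4_udp(SERVER, CLIENT, 0x1234, udp[1480:], offset=1480),
    ipv4_udp(CLIENT, SERVER, 0x0042, struct.pack("!HHHH", 500, 500, 108, 0) + b"\x00" * 100),
]
print(fragmented_ike(SAMPLE))
```

A fragmented IKE datagram seen leaving one peer with no matching reply from the other, as in the tcpdump observation in post #1, points at fragment handling on the path or on the receiver rather than at the IKE exchange itself.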

 




All times are GMT +1.