Thanks Mike, but even with your suggestions it doesn't get past phase 1, using main or aggressive mode. I think I will have to shelve this effort for now.
Thanks for your input though, --Victor
> From: firstname.lastname@example.org
> To: email@example.com
> Subject: Re: [Ipsec-tools-users] AD Kerberos + Racoon
> Date: Wed, 6 Nov 2013 23:31:36 +0000
> CC: firstname.lastname@example.org
>
> I beg your pardon Victor, my understanding was incorrect. I had some time to
> look it up: MSWindows versions post Vista support *both* IKEv1 and IKEv2.
>
> You may need to set up encoding to utf-16:
>
> gss_id_enc utf-16le;
>
> but I have no Kerberos (or much MSWindows) experience to help with either at
> this stage.
>
> On Wednesday 06 Nov 2013 21:57:24 Victor T wrote:
> > Thanks Mike, I wasn't even aware of IKEv2 only. I'm trying to do transport
> > only using GSSAPI/Kerberos for authentication, which the *swans and
> > racoon2 don't seem to support. Can you correct me if I'm wrong? If that's
> > the case, it doesn't seem like there's any solution for my scenario.
> >
> > Thanks,
> > --Victor
> >
> > > From: email@example.com
> > > To: firstname.lastname@example.org
> > > Subject: Re: [Ipsec-tools-users] AD Kerberos + Racoon
> > > Date: Wed, 6 Nov 2013 06:46:22 +0000
> > > CC: email@example.com
> > >
> > > On Tuesday 05 Nov 2013 20:50:49 Victor T wrote:
> > > > Has anyone gotten racoon to work with Kerberos/GSSAPI, where the KDC is
> > > > a Windows server? I have a Linux (RHEL6.4) server trying to establish a
> > > > connection to a Windows machine where the IPSec policies are pushed
> > > > out via GPO, and it doesn't work at all as is. I did some
> > > > modifications to gssapi.c and that got me a bit further, but still no
> > > > dice.
> > >
> > > I'm not the right person to speak of MSWindows, or Kerberos, but I
> > > understand that at least the post Vista versions only do IKEv2. Also,
> > > although you can use:
> > >
> > > authentication_method gssapi_krb;
> > > gss_id "host/fqdn";
> > >
> > > all this will only deal with the IKE negotiation (Phase 1), not IPSec
> > > (Phase 2). Check this if you haven't seen it already as it mentions
> > > some other gotchas that could trip you:
> > >
> > > http://blogs.technet.com/b/port25/archive/2007/05/09/windows-vista-beta-linux-ipsec-interop-testing.aspx
> > >
> > > I suspect that StrongSwan, or OpenSwan may be a better option for you.
> > >
> > > PS. There is also racoon2 which covers IKEv2:
> > > http://www.racoon2.wide.ad.jp/w/
>
> --
> Regards,
> Mick
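For readers who land on this thread while setting up the same scenario, here is how the three directives quoted above (`authentication_method gssapi_krb`, `gss_id`, `gss_id_enc utf-16le`) fit together in a racoon.conf. This is an added example, not configuration posted by Victor or Mick, and it does not claim to resolve the Phase 1 failure reported in the thread. Host names, addresses and the realm are assumed placeholders; the `host/<fqdn>` principal must exist in the AD realm and be present in the keytab racoon reads, and the Windows side's GPO-pushed proposal has to match the algorithms and DH group given here.

```conf
# Added example racoon.conf fragment (not from the thread). Assumed values:
# Linux host linux.example.com, Windows peer 192.0.2.20, AD realm EXAMPLE.COM.

remote 192.0.2.20 {
        exchange_mode main;                   # thread reports both main and aggressive failing
        my_identifier fqdn "linux.example.com";
        gss_id "host/linux.example.com";      # Kerberos principal offered in the GSS-API exchange
        gss_id_enc utf-16le;                  # Windows encodes the GSS ID as UTF-16LE, not racoon's latin1 default
        lifetime time 8 hour;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method gssapi_krb;   # authenticates Phase 1 (the IKE SA) only
                dh_group 2;
        }
}

# Phase 2 (the IPsec SA) is negotiated separately; GSS-API plays no part here,
# which is the point Mick makes above.
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 1 hour;
}
```

Transport mode is not chosen in racoon.conf; it comes from the SPD entries loaded with setkey (`esp/transport//require` on the matching `spdadd` lines). When checking a setup like this, run racoon in the foreground with debugging (`racoon -F -d -f /etc/racoon/racoon.conf`) and compare the Phase 1 proposal it logs against what the Windows peer rejects, and confirm with `klist -k` that the `host/` principal is actually in the keytab; a name that is correct but encoded as latin1 rather than utf-16le fails in Phase 1 exactly as described in the thread.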