Thanks Mike, but even with your suggestions it doesn't get past phase 1, using main or aggressive mode. I think I will have to shelve this effort for now.

Thanks for your input though,
  --Victor

> From: michaelkintzios@gmail.com
> To: hero_of_nothing_1@hotmail.com
> Subject: Re: [Ipsec-tools-users] AD Kerberos + Racoon
> Date: Wed, 6 Nov 2013 23:31:36 +0000
> CC: ipsec-tools-users@lists.sourceforge.net
>
> I beg your pardon Victor, my understanding was incorrect. I had some time to
> look it up: MSWindows versions post Vista support *both* IKEv1 and IKEv2.
>
> You may need to set up encoding to utf-16:
>
> gss_id_enc utf-16le;
>
> but I have no Kerberos (or much MSWindows) experience to help with either at
> this stage.
>
>
>
> On Wednesday 06 Nov 2013 21:57:24 Victor T wrote:
> > Thanks Mike, I wasn't even aware of IKEv2 only. I'm trying to do transport
> > only using GSSAPI/Kerberos for authentication, which the *swans and
> > racoon2 don't seem to support. Can you correct me if I'm wrong? If that's
> > the case, it doesn't seem like there's any solution for my scenario.
> >
> > Thanks,
> > --Victor
> >
> > > From: michaelkintzios@gmail.com
> > > To: ipsec-tools-users@lists.sourceforge.net
> > > Subject: Re: [Ipsec-tools-users] AD Kerberos + Racoon
> > > Date: Wed, 6 Nov 2013 06:46:22 +0000
> > > CC: hero_of_nothing_1@hotmail.com
> > >
> > > On Tuesday 05 Nov 2013 20:50:49 Victor T wrote:
> > > > Has anyone gotten racoon to work with Kerberos/GSSAPI, where the KDC is
> > > > a Windows server? I have a Linux(RHEL6.4) server trying to establish a
> > > > connection to a Windows machine where the IPSec policies are pushed
> > > > out via GPO, and it doesn't work at all as is. I did some
> > > > modifications to gssapi.c and that got me a bit further, but still no
> > > > dice.
> > >
> > > I'm not the right person to speak of MSWindows, or Kerberos, but I
> > > understand that at least the post Vista versions only do IKEv2. Also,
> > > although you can use:
> > >
> > > authentication_method gssapi_krb;
> > > gss_id "host/fqdn";
> > >
> > > all this will only deal with the IKE negotiation (Phase 1), not IPSec
> > > (Phase 2). Check this if you haven't seen it already as it mentions
> > > some other gotchas that could trip you:
> > >
> > > http://blogs.technet.com/b/port25/archive/2007/05/09/windows-vista-beta-linux-ipsec-interop-testing.aspx
> > >
> > > I suspect that StrongSwan, or OpenSwan may be a better option for you.
> > >
> > > PS. There is also racoon2 which covers IKEv2:
> > > http://www.racoon2.wide.ad.jp/w/
>
> --
> Regards,
> Mick
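The directives suggested in this thread, assembled into a racoon.conf fragment as an added example (it is not from any of the posts above or from the ipsec-tools project itself). The peer address, the host SPN, the lifetimes and the algorithm choices are assumptions and must be matched to whatever the Windows GPO policy actually pushes.

```conf
# Added example, not from the thread: shows where racoon expects the
# GSSAPI/Kerberos directives discussed above. All concrete values below
# (peer address, SPN, algorithms, lifetimes) are assumptions.

# Phase 1 (IKE / ISAKMP). This is the only part Kerberos/GSSAPI covers.
remote 192.0.2.10 {
        exchange_mode main;               # main or aggressive, per the peer's policy
        gss_id_enc utf-16le;              # Windows expects the GSS-API ID in UTF-16LE
        lifetime time 8 hour;             # assumed; must match the peer's Phase 1 lifetime
        proposal {
                encryption_algorithm aes 128;       # assumed to match the GPO policy
                hash_algorithm sha1;                # assumed to match the GPO policy
                authentication_method gssapi_krb;   # Kerberos via GSS-API instead of PSK/certs
                gss_id "host/linuxhost.example.com";  # this host's Kerberos SPN (assumed name)
                dh_group 2;                         # assumed to match the GPO policy
        }
}

# Phase 2 (IPsec SA). Negotiated separately; the GSSAPI settings above
# play no role here, so a Phase 1 success says nothing about this part.
sainfo anonymous {
        lifetime time 1 hour;                       # assumed
        encryption_algorithm aes 128;               # assumed to match the GPO policy
        authentication_algorithm hmac_sha1;         # assumed to match the GPO policy
        compression_algorithm deflate;
}
```

With `log debug;` added at the top of the file, racoon's log shows which Phase 1 proposal and which encoded GSS-API identity it actually sent, which is the first thing to compare against the Windows side when negotiation stalls in Phase 1.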