From: Paul M. <pau...@ce...> - 2009-01-05 20:28:33
2409 does not specify when you can use subnets in IDcX. This has resulted in a conflict between Windows and racoon. If I define a rule like this:

    spdadd <your subnet>[21] <yoursubnet> tcp -P in ipsec esp/transport//require

then racoon sends an IDcr of type subnet in the QM exchange. Windows does not like this (stepping through the code you can see that the first check it makes is that it is not a v4 or v6 subnet); it rejects the request.

There is also another failure associated with this. When Windows is the initiator, racoon checks that the IDcr it gets matches what it expects; in this case it still checks against a subnet, but Windows sent a concrete address. This is easy to fix in racoon, but I copied it to the ipsec group too because the protocol does not really say what IDcX should contain, and I wanted to get consensus about the correct behavior. Note that Solaris sends concrete addresses.
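As an added illustration of the mismatch described in the post (this is example code written here, not code from racoon, Windows, Solaris, or the original message), the following Python encodes and decodes ISAKMP Identification payloads as laid out in RFC 2407 section 4.6.2 and then compares the peer's phase-2 ID against a local policy selector in two ways: an exact-match comparison, which rejects a concrete address when the policy names a subnet, and a containment check, which accepts any address or subnet inside the policy's subnet. The selector (10.1.0.0/21, TCP port 21) and the three sample IDs are constructed values, and the function names `build_id_payload`, `parse_id_payload` and `id_covered_by_selector` are chosen for this example.

```python
"""Encode/decode ISAKMP Identification payloads (RFC 2407 4.6.2) and check a
peer's phase-2 identity against a local selector.  Added example; the selector
and sample identities below are constructed, not taken from any real exchange."""
import ipaddress
import struct

# Identification type values from RFC 2407 section 4.6.2.1 (address/subnet forms only)
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
ID_IPV6_ADDR = 5
ID_IPV6_ADDR_SUBNET = 6

# Per ID type: (address length, mask length, network class)
_ID_LAYOUT = {
    ID_IPV4_ADDR: (4, 0, ipaddress.IPv4Network),
    ID_IPV4_ADDR_SUBNET: (4, 4, ipaddress.IPv4Network),
    ID_IPV6_ADDR: (16, 0, ipaddress.IPv6Network),
    ID_IPV6_ADDR_SUBNET: (16, 16, ipaddress.IPv6Network),
}

# Generic payload header plus ID-specific fields: next payload, reserved,
# payload length, ID type, protocol ID, port (all network byte order)
ISAKMP_ID_HDR = struct.Struct("!BBHBBH")


def build_id_payload(id_type, net, proto=0, port=0, next_payload=0):
    """Encode an Identification payload for an IPv4/IPv6 address or subnet."""
    addr_len, mask_len, _ = _ID_LAYOUT[id_type]
    data = net.network_address.packed
    if mask_len:
        data += net.netmask.packed          # subnet types carry address + netmask
    elif net.num_addresses != 1:
        raise ValueError("address ID type cannot carry a subnet")
    hdr = ISAKMP_ID_HDR.pack(next_payload, 0, ISAKMP_ID_HDR.size + len(data),
                             id_type, proto, port)
    return hdr + data


def _prefix_from_mask(mask_int, bits):
    """Convert a netmask to a prefix length, rejecting non-contiguous masks."""
    prefix = bin(mask_int).count("1")
    if mask_int != (((1 << prefix) - 1) << (bits - prefix)):
        raise ValueError("non-contiguous netmask")
    return prefix


def parse_id_payload(buf):
    """Decode one Identification payload into type, proto, port and a network."""
    if len(buf) < ISAKMP_ID_HDR.size:
        raise ValueError("truncated ID payload header")
    _next, _reserved, length, id_type, proto, port = ISAKMP_ID_HDR.unpack_from(buf)
    if length < ISAKMP_ID_HDR.size or length > len(buf):
        raise ValueError("bad ID payload length")
    data = buf[ISAKMP_ID_HDR.size:length]
    if id_type not in _ID_LAYOUT:
        raise ValueError("unsupported ID type %d" % id_type)
    addr_len, mask_len, net_cls = _ID_LAYOUT[id_type]
    if len(data) != addr_len + mask_len:
        raise ValueError("ID data length %d does not fit type %d" % (len(data), id_type))
    addr = data[:addr_len]
    if mask_len:
        prefix = _prefix_from_mask(int.from_bytes(data[addr_len:], "big"), addr_len * 8)
    else:
        prefix = addr_len * 8               # a single address is a host prefix
    return {"type": id_type, "proto": proto, "port": port,
            "net": net_cls((addr, prefix), strict=False)}


def id_covered_by_selector(peer_id, selector, strict=False):
    """Compare a decoded IDci/IDcr with a local selector.

    strict=True is an exact match (the behaviour the post attributes to racoon):
    a concrete address never equals a subnet selector.  strict=False accepts any
    address or subnet contained in the selector's subnet, which is what lets a
    peer that sends concrete addresses interoperate with a subnet policy."""
    if peer_id["proto"] != selector["proto"] or peer_id["port"] != selector["port"]:
        return False
    peer_net, sel_net = peer_id["net"], selector["net"]
    if peer_net.version != sel_net.version:
        return False
    if strict:
        return peer_net == sel_net
    return peer_net.subnet_of(sel_net)


# Constructed stand-in for the "spdadd <subnet>[21] ... tcp" rule in the post:
# TCP (protocol 6) port 21 on 10.1.0.0/21.
LOCAL_SELECTOR = {"net": ipaddress.ip_network("10.1.0.0/21"), "proto": 6, "port": 21}


def demo():
    """Run three constructed IDcr values through both comparison modes."""
    samples = {
        "subnet": build_id_payload(ID_IPV4_ADDR_SUBNET, ipaddress.ip_network("10.1.0.0/21"), 6, 21),
        "host": build_id_payload(ID_IPV4_ADDR, ipaddress.ip_network("10.1.2.3/32"), 6, 21),
        "outside": build_id_payload(ID_IPV4_ADDR, ipaddress.ip_network("10.9.0.1/32"), 6, 21),
    }
    results = {}
    for name, raw in samples.items():
        parsed = parse_id_payload(raw)
        results[name] = (id_covered_by_selector(parsed, LOCAL_SELECTOR, strict=True),
                         id_covered_by_selector(parsed, LOCAL_SELECTOR))
    return results


if __name__ == "__main__":
    for name, (exact, contained) in demo().items():
        print("%-8s exact=%-5s contained=%s" % (name, exact, contained))
```

Running `demo()` shows the two failure cases from the post side by side: the subnet ID passes both comparisons, the concrete host address inside the /21 passes only the containment check, and an address outside the /21 fails both. The parser also rejects malformed payloads (bad lengths, unknown types, non-contiguous masks) before any comparison is made, which is the check a responder should do regardless of which ID form it decides to accept.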