WARNING: note that Win2k silently 'downgrades' from 3DES to DES if 'strong' crypto modules are not available! The configuration below is therefore written for single DES (Transforms= DES-SHA in main mode, TRANSFORM_ID= DES for ESP), which is a weak cipher; once the strong crypto modules are installed on the Windows side, prefer the 3DES equivalents (3DES-SHA and TRANSFORM_ID= 3DES). folly% cat /etc/isakmpd/isakmpd.conf [Phase 2] Connections= IPSec-Conn-folly-win2k .... ################################################## # Windows 2000 [ISAKMP-peer-node-win2k] Phase= 1 Transport= udp Address= 10.10.10.22 Configuration= Windows-main-mode Authentication= markus [IPSec-Conn-folly-win2k] Phase= 2 ISAKMP-peer= ISAKMP-peer-node-win2k Configuration= Windows-quick-mode Local-ID= Addr-folly Remote-ID= Addr-win2k [Addr-win2k] ID-type= IPV4_ADDR Address= 10.10.10.22 [Addr-folly] ID-type= IPV4_ADDR Address= 10.10.10.251 [Windows-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= DES-SHA [Windows-quick-mode] DOI= IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-WINDOWS-SUITE [QM-WINDOWS-SUITE] Protocols= QM-WINDOWS-PROTOS [QM-WINDOWS-PROTOS] PROTOCOL_ID= IPSEC_ESP Transforms= QM-WINDOWS-XF [QM-WINDOWS-XF] TRANSFORM_ID= DES ENCAPSULATION_MODE= TRANSPORT AUTHENTICATION_ALGORITHM= HMAC_SHA # end windows folly% cat START #!/bin/sh DBG="-d -D0=99 -D1=99 -D2=99 -D3=99 -D4=99 -D5=99" /sbin/isakmpd "$@" $DBG > LOG 2>&1 & folly% sudo sh ./START folly% ping -c 3 win2k PING win2k (10.10.10.22): 56 data bytes 64 bytes from 10.10.10.22: icmp_seq=0 ttl=128 time=2.201 ms 64 bytes from 10.10.10.22: icmp_seq=1 ttl=128 time=9.812 ms 64 bytes from 10.10.10.22: icmp_seq=2 ttl=128 time=2.514 ms --- win2k ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/std-dev = 2.201/4.842/9.812/3.516 ms folly% folly% sudo tcpdump -N host 10.10.10.22 tcpdump: listening on ne3 14:29:42.213556 esp folly > win2k spi 0xDDC74E15 seq 43 len 100 14:29:42.214334 esp win2k > folly spi 0xFB464BF3 seq 43 len 100 14:29:43.220352 esp folly > win2k spi 0xDDC74E15 seq 44 len 100 14:29:43.221058 esp win2k > folly spi 0xFB464BF3 seq 44 len 100 14:29:44.231478 esp folly > win2k spi 0xDDC74E15 seq 45 len 100 14:29:44.232354 esp win2k > folly spi 
0xFB464BF3 seq 45 len 100 230 packets received by filter 0 packets dropped by kernel folly% folly% sudo ifconfig enc0 up folly% sudo tcpdump -N -i enc0 tcpdump: WARNING: SIOCGIFADDR: enc0: Can't assign requested address tcpdump: listening on enc0 14:30:47.418602 authentic,confidential): SPI 0xfb464bf3: win2k > folly: icmp: echo reply 14:30:48.412714 authentic,confidential): SPI 0xfb464bf3: win2k > folly: icmp: echo reply 14:30:49.412900 authentic,confidential): SPI 0xfb464bf3: win2k > folly: icmp: echo reply 3 packets received by filter 0 packets dropped by kernel folly% folly% cat /kern/ipsec SPI = fb464bf3, Destination = 10.10.10.251, Sproto = 50 Established 1381 seconds ago Source = 10.10.10.22 Flags (00000000) = xform = Encryption = Authentication = Currently used by 0 flows 0 ingress flows specified 0 flows have used this SA 3672 bytes processed by this SA Expirations: (none) SPI = ddc74e15, Destination = 10.10.10.22, Sproto = 50 Established 1381 seconds ago Source = 10.10.10.251 Flags (00000000) = xform = Encryption = Authentication = Currently used by 1 flows 0 ingress flows specified 1 flows have used this SA 3336 bytes processed by this SA Expirations: (none) folly% netstat -nr Routing tables ... Encap: Source Port Destination Port Proto SA(Address/SPI/Proto) 10.10.10.251/32 0 10.10.10.22/32 0 0 10.10.10.22/ddc74e15/50 folly%