Solaris 9 (and higher) and Windows IKE definitely interoperate in Transport
Mode and there are many people who use this configuration routinely. There are
subtle configuration problems that can get people frustrated, however. These
SunSolve articles (which are very long due to Windows screenshots) have
step-by-step instructions and also attempt to document the intersection of
features in which interoperability is possible. (e.g. as far as I can tell,
Windows does not have manual keying or self-signed certificate capabilities and
only has one phase 1 auth method for certificates.)

Infodoc 79028: Solaris[TM] IPsec/IKE Interoperability with Microsoft (R) Windows 2000 and XP (Using Windows CA)
Infodoc 77805: Solaris[TM] IPsec/IKE Interoperability with Microsoft (R) Windows 2000 and XP (Pre-shared keys)
Infodoc 74677: Solaris[TM] IPsec/IKE Interoperability with Microsoft (R) Windows 2000 and XP (CA signed certificates / OpenSSL generated)

To the extent that these docs don't answer your questions, I'd be happy to try
to work with you in a different forum or offline to determine where the issue
is. For transport mode, it's likely either a configuration problem or a bug,
either of which can be remedied. (Unless there is some detail I don't know
about with respect to the configuration you were trying.)

Also, as Solaris has progressed from S9->S10->Nevada/OpenSolaris/Solaris
Express, the in.iked debug output has improved considerably to become more
human-readable, which also helps a great deal in figuring out what is wrong.

The problem with tunnel mode in Solaris is that the whole notion of inner
identities (and the processing thereof) is fundamentally different from most
other operating systems, so it is more than just a bug fix. It requires a
pretty extensive re-working of the IKE and IPsec plumbing, hence the project
status.

Regards,
Paul
This message posted from opensolaris.org