Subject: Re: racoon, gss-api auth, and win2k IPSec IKE ...
To: Jason R Thorpe <thorpej@wasabisystems.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 06/07/2002 16:05:20
In message <20020606214209.S11012@dr-evil.shagadelic.org>,
Jason R Thorpe writes
>On Thu, Jun 06, 2002 at 06:44:55PM -0700, Jonathan Stone wrote:
>
> > PS: mucho thanks to Frank and Zembu for adding the GSSAPI hooks to racoon.
>
>FWIW, Zembu used GSSAPI'ified racoon between NetBSD machines heavily.  I
>did test it against win2k back then, but I never got it to work, and never
>had time to chase down all the problems.
>
>Thank *you* guys for doing this :-)

And, of course, to the KAME team and Sakane.

For the win2k stuff: best wait until it's working. After forcibly
rewriting the UTF-8'ed Unicode principals into ASCII, and whacking
heimdal, racoon gets through the GSSAPI stage, sends its final Phase-1
message and waits for phase 2.  But now the Windows box is having fits
about what it sees as a bogus Kanji/Chinese string principal in
racoon's IKE response. But by that time it's too late to tell what the
unrecognized principal really was: the Windows event log msg shows
several of the two-byte chars as boxes.

So far, I can't tell whether that error is from the win2k equivalent of
gss_accept_sec_context(), or if it's from the IKE code processing
racoon's IKE message. If it's the latter, I *may* be able to kludge
things by building and sending back a Unicoded principal name.

But if it's the former, racoon <-> win2k IKE is probably SOL.

I have to say I'm ... impressed. If you asked me a week ago, I'd have
said not even Microsoft could make ASN.1 any worse than it already is.
Not only was it a no-brainer to DTRT, namely invent and use a new
string encoding for Unicode strings. I hear what Microsoft actually did
is allegedly in violation of ITU rules on BER and strings.
Sigh...
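As an added illustration (my own example, not racoon, KAME or heimdal code), the Python below shows one way a byte-for-byte ASCII principal comes out as CJK ideographs and boxes once the receiving side reads the same buffer as UTF-16LE, which matches the "Kanji/Chinese string" and "boxes" symptoms above. That the Windows peer treats the GSS-API ID as UTF-16LE is my assumption, not something the message establishes; the principal name and realm are constructed placeholders.

```python
# Added example (not racoon code): how a Latin-1/ASCII encoded Kerberos
# principal is misread by a peer that expects UTF-16LE, and vice versa.
# The UTF-16LE expectation on the Windows side is an assumption.


def encode_principal(principal: str, encoding: str) -> bytes:
    """Encode a principal name as an IKE peer might place it in a GSS-API ID.

    encoding is "latin-1" (one byte per char, i.e. the ASCII rewrite
    described in the message) or "utf-16-le" (two bytes per char).
    """
    return principal.encode(encoding)


def decode_as_utf16le(raw: bytes) -> str:
    """Interpret raw bytes as UTF-16LE, as a UTF-16 peer would (assumption).

    An odd-length buffer is padded with a NUL so decoding does not abort;
    any undecodable unit becomes U+FFFD, which an event log draws as a box.
    """
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le", errors="replace")


def is_cjk(ch: str) -> bool:
    """True for code points in the CJK Unified Ideographs block."""
    return 0x4E00 <= ord(ch) <= 0x9FFF


def cjk_count(text: str) -> int:
    """How many characters of text are CJK ideographs."""
    return sum(1 for ch in text if is_cjk(ch))


def round_trips(principal: str, encoding: str) -> bool:
    """Does the principal survive encode(encoding) -> decode-as-UTF-16LE intact?"""
    return decode_as_utf16le(encode_principal(principal, encoding)) == principal


def explain(principal: str) -> dict:
    """Summarise what a UTF-16LE peer sees for each encoding of the principal."""
    report = {}
    for enc in ("latin-1", "utf-16-le"):
        seen = decode_as_utf16le(encode_principal(principal, enc))
        report[enc] = {
            "seen": seen,
            "intact": seen == principal,
            "cjk_chars": cjk_count(seen),
        }
    return report


if __name__ == "__main__":
    # Constructed sample principal; host and realm are placeholders.
    name = "host/gw.example.org@EXAMPLE.ORG"
    for enc, info in explain(name).items():
        print(f"{enc:10s} intact={info['intact']!s:5s} "
              f"cjk={info['cjk_chars']:2d} seen={info['seen']!r}")
```

Two ASCII bytes such as "ho" become the single code unit 0x6F68, which lands squarely in the CJK block; pairs whose second byte is below 0x4E fall into punctuation or symbol ranges, which a Windows event log typically shows as boxes. A round-trip check like `round_trips` is the cheap test to run on an ID before it goes on the wire, since once the peer has rejected it the original bytes are gone from its log.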