Subject: racoon, gss-api auth, and win2k IPSec IKE ...
To: None <tech-net@netbsd.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 05/23/2002 17:51:04
I have racoon (the racoon-20020507a package) on 1.5ZC successfully
establishing connections with a win2k (sp2, high encryption) machine,
using preshared keys.  I'd really like to use the gss-api
authentication instead.

Has anyone ever gotten this to work?  ... and if so, how? By (a)
making a win2k machine use a Heimdal kdc? Or by (b) using
ksetup/ktpass to add racoon's GSS-API krb5 principal to the PDC,
extracting a keytab, moving the keytab to the NetBSD racoon host, and
pointing the krb5.conf on the Racoon host at the Windows PDC?

I tried the former, but then the windows dialog box for adding IPsec
authentication mechanisms told me I couldn't use "kerberos
authentication" for IPsec, unless the win2k desktop was part
of a win2k domain.  And now (after having done the ksetup) I'm having
difficulty getting that win2k box to properly interoperate with a
win2k PDC...

Also, if (b) is the way to go, where should I install and run
ksetup/ktpass on the PDC?


Thanks for any assistance,
--Jonathan

(PS: it would be great to put a copy of the relevant I-D into
the racoon docs, as it's long expired...)