
Re: Win2000 IKE and 3des



This sounds fairly serious to me.

Perhaps this should be posted to BugTraq.  This needs confirmation.  I
thought I saw something like this when I was doing my tests against Win2K,
but it's been quite some time since then.


Sami Vaarala wrote:
> >Are both of you saying that if you set your policy for 3-DES ONLY (not
> >3-DES preferred but 3-DES only) that Windows 2000 will negotiate DES
> >anyway?
> 
> Yes, that seems to be the case.  I have only checked that if I configure
> 3des, it will send des as an initiator, and a phase 1 SA with des will
> be formed (if the remote end accepts des).  Haven't checked if it works
> this way as a responder; probably will.
> 
> >Or are you saying that Windows 2000 will fall back from 3-DES to DES if
> >your configured policy lets it do so and the peer doesn't support
> >3-DES?
> 
> No.  This would be the correct way to function, and there would not be
> an issue if this were the case.
> 
> >The former is a bug which I've not seen in Windows 2000.  The latter is
> >expected behavior since you configured it to do so.
> 
> My point exactly.  The latter behavior would be the one I would prefer
> to see, of course.


-- 
Will Price, Director of Engineering
PGP Security, Inc.
a division of Network Associates, Inc.
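As an added example, not from the thread or from Microsoft, here is a Python check that walks the transforms of an IKEv1 Phase 1 SA payload and flags any whose encryption algorithm falls outside the locally configured policy, which is how one would confirm from a capture whether a 3DES-only host offers DES. The ISAKMP encodings and algorithm identifiers are taken from RFC 2408/2409, the function names are mine, and the sample payload is constructed here (the 4-byte generic payload header is assumed already stripped).

```python
import struct
# ISAKMP/IKEv1 encodings and identifiers from RFC 2408 and RFC 2409 Appendix A (not from the thread)
ATTR_ENCRYPTION_ALGORITHM = 1
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}

def parse_attributes(data):
    """Decode ISAKMP data attributes (TV when the AF bit is set, else TLV) into {type: value}."""
    attrs, off = {}, 0
    while off < len(data):
        t, v = struct.unpack_from("!HH", data, off)
        off += 4
        if t & 0x8000:                        # AF=1: the 2-byte field is the value itself
            attrs[t & 0x7FFF] = v
        else:                                 # AF=0: the 2-byte field is the value length
            attrs[t] = int.from_bytes(data[off:off + v], "big")
            off += v
    return attrs

def transforms_in_sa(sa):
    """Yield (proposal#, transform#, attrs) per transform; `sa` starts at the DOI field."""
    off = 8                                   # skip DOI (4) and Situation (4)
    while off < len(sa):
        _, _, plen, pnum, _, spi_size, ntrans = struct.unpack_from("!BBHBBBB", sa, off)
        toff = off + 8 + spi_size             # proposal header, then optional SPI
        for _ in range(ntrans):
            _, _, tlen, tnum, _, _ = struct.unpack_from("!BBHBBH", sa, toff)
            yield pnum, tnum, parse_attributes(sa[toff + 8:toff + tlen])
            toff += tlen
        off += plen

def weaker_than_policy(sa, allowed=(5,)):
    """List transforms whose encryption algorithm is outside the configured set (default: 3DES only)."""
    return [(p, t, ENC_NAMES.get(a.get(ATTR_ENCRYPTION_ALGORITHM), "unknown"))
            for p, t, a in transforms_in_sa(sa)
            if a.get(ATTR_ENCRYPTION_ALGORITHM) not in allowed]

# Constructed sample SA payload: one proposal offering a 3DES transform and then a DES one.
def tv(t, v):                                 # TV attribute: AF bit set, inline 2-byte value
    return struct.pack("!HH", 0x8000 | t, v)
def transform(num, attrs, last=False):
    body = b"".join(attrs)                    # next payload 3 = another Transform, 0 = none
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(body), num, 1, 0) + body
def proposal(transforms):
    body = b"".join(transforms)               # proposal 1, protocol ISAKMP (1), SPI size 0
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 1, 1, 0, len(transforms)) + body
SAMPLE_SA = struct.pack("!II", 1, 1) + proposal([      # DOI 1 (IPsec), Situation 1 (identity only)
    transform(1, [tv(1, 5), tv(2, 2), tv(3, 1), tv(4, 2)]),             # 3DES, SHA1, PSK, group 2
    transform(2, [tv(1, 1), tv(2, 2), tv(3, 1), tv(4, 2)], last=True),  # DES: outside a 3DES-only policy
])
```

Running `weaker_than_policy(SAMPLE_SA)` on a 3DES-only policy returns the DES transform; an empty list on a host configured for 3DES only is what the correct behaviour discussed above would produce.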

