Ah, more FUD about MS. ;-) In this particular case, the problem is not with MS *or* Cisco for that matter (although members on the IETF IPSec WG may disagree, but that's for another conversation). MS's implementation of IPSec is in fact compliant with the RFC. But believe me when I say that just because something is written in an RFC doesn't mean it is a workable standard that should allow for full interoperability. And IPSec is the most perfect example of that to date.
The IPSec RFC is full of SHOULDs and MAYs rather than MUSTs in order to satisfy all the competing interests of the members of the WG. As a result, there are many variations, or "flavors", of IPSec if you will. Since ICSA started doing IPSec compliance testing a few years ago, interoperability has improved greatly. But as someone who has done LOTS of IPSec testing, including interoperability, the problem with IPSec (and IKE in particular) is in the lack of good RFCs, not vendor implementations.

To prove my point, the *nix choice of IPSec is called FreeS/WAN. It blatantly does not comply with all of the RFCs (see RFCs 240x if you're interested). The RFCs require support for DES encapsulation, and FreeS/WAN only supports 3DES. Their reasoning is sound, because DES is not considered secure. So they don't support it. But in essence, it is the *nix OSes that are not compliant in this case.

As for the original poster's question, I can't help him much but to say that you can't really blame MS or Cisco entirely as both adhere to as much of the RFCs as possible. If you want interoperability with VPNs, then we need to fix the RFCs first (which is trying to be done, but talk about red tape...).

Please no flames about my defending MS. That was not my intent. I'm speaking only to the reality of this particular issue where MS does adhere to the RFC and *nix OSes don't.

Brownfox

-----Original Message-----
From: Chris Moody [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 2002 10:01 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: VPN and Cisco +IIOP question

Leon,

IP-SEC -=IS=- an rfc standard. The trouble is that Micro$oft doesn't adhere to rfc's. I presume their belief is that the entire Internet and its communities exist _because_ of Micro$oft...therefore I guess it's justified in their minds when they decide to "implement" some sort of GLOBALLY-STANDARDIZED service in whatever damn way they see fit. You want rfc-compliancy? Use a compliant OS.
There are dozens of xNIX (not plugging ANYONE in particular) variants available...and I'm sure you know...a LARGE number of them are available at no cost. xNIX has been the predominant OS of scientists and researchers for decades. It's no wonder that the various distributions comply (at least a LOT more closely) with published and established standards... <snip>
