Hello, during this week I have set up a FreeSWAN gateway and tested the configuration succesfully with another gateway and a Win2k client. After this I copied the certificate and the configuration I used with Win2K to a XP box (ipsecmd installed, no SP2, ipsec-tool from vpn.ebootis.de). ipsec -debug looked good and a ping to an apache behind the FreeSWAN gateway told me "ip security negotiated". But in /var/log/messages I find the following line: "encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA" I saw this message before, when I used the wrong ca in the Win2k ipsec.conf. But this time the ca must be right, because I was able to connect to the apache with the Win2k -client over the vpn (tcpdump and the browser prooved that) Does anyone of you know whether it's necessary to make any change to the config files when the client is an XP box ? I haven't found a note on that in the documentation. Thanks for any hint. Bye, Stefan -- ***************************************** in-put GbR - Das Linux-Systemhaus Stefan-Michael Günther Moltkestraße 49 D-76133 Karlsruhe Tel./Fax : +49 (0)721 / 83044 - 98/93 http://www.in-put.de *****************************************