[Openswan Users] Nortel interoperability questions

Ken Bantoft ken at xelerance.com
Mon May 3 23:02:59 CEST 2004


On Mon, 3 May 2004, David Mattes wrote:

> Hi,
> 
> I'm interoperating with a Nortel CES VPN server.  The Nortel maintains 
> an address pool to allocate to connecting clients (approximately DHCP).  
> I'm not sure if the address is coming down as part of the ISAKMP SA 
> (main mode) or IPSec SA (Quick mode).  Does OpenS/WAN 2.x.x have any way 
> of handling this address allocation mechanism for the virtual private 
> interface?

Hi David, 

You are talking about Mode Config, an (expired) IETF draft.  This assigns
IP/DNS/WINS IP addresses to IPsec clients - currently used by Cisco and
Nortel, and perhaps some others.  Currently, Openswan does not have Mode
Config support.  There are some defines in the code for this, but no
actual code written.  It's probably about a week's worth of effort to write
the client side code for this, provided access to a Contivity for actual
testing.  It probably also needs aggressive mode support too, but I don't 
know for sure.

My Contivity is useless (need to recover adminpw and put new image on it) 
so I can't check in depth.

> I'm also having a hard time specifying a static virtual private address 
> on the OpenS/WAN side of the connection.  Here is my connection diagram 
> and connection specification in ipsec.conf:
> 
> |-------------------------------|       |-------------|
> |     eth0            ipsec0    |       |    Router   |
> | 130.42.32.235   130.42.160.12 |-------| 130.42.32.1 |
> |                               |       |     /24     |
> |-------------------------------|       |-------------|
>         |                                      |
>         |                                      |
>         |                                      |
>         |      |----------------|       |--------------|
>         |      |     Nortel     |       |    Router    |
>         |      | 130.42.160.10  |-------| 130.42.160.1 |
>         |      |                |       |     /22      |
>         |      |----------------|       |--------------|
>         |                |
>         |                |
>         |                |
> |--------------------------------|
> |        Intranet                |
> |--------------------------------|
> 
> conn cert
>     authby=rsasig
>     left=%defaultroute
>     leftsubnet=130.42.160.12/32
>     leftcert=foo.pem
>     leftid="C=us, O=b, OU=p, CN=dm"
>     right=130.42.160.10
>     rightnexthop=130.42.160.1
>     rightsubnet=130.42.160.0/22
>     rightrsasigkey=%cert
>     rightid="C=us, O=b, CN=nortel"
>     auto=add

If you're using 2.1.x, you can use 

leftsourceip=130.42.160.12

and it will do the routing magic for you. (assign IP to lo interface, and 
do source routing).  I do this myself between two Openswan boxes.


> The Nortel is also sending down long routing tables to the client 
> through some (Nortel/Apani client specific) [proprietary] protocol.  
> Does anyone know what this is or how to use it - is it part of XAuth?  

The policies are proprietary - not part of the XAUTH drafts.  Nortel won't 
release details for free.

> Better, how about fooling the Nortel that my client runs the proprietary 
> client software?

You'd need to reverse engineer the extensions and code them into Openswan.  
These would include the VendorIDs, and 'spoof' support for the policy 
transfer stuff.


-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson
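Mode Config, which Ken mentions above, delivers the assigned address, netmask, DNS and WINS values to the client in an ISAKMP Configuration payload. As an added example (not part of this thread and not Openswan code), here is a Python parser for that payload with length checks, fed constructed replies; the attribute and message-type numbers are those of the expired Mode Config draft, and the 130.42.x addresses are reused from the diagram above, not from any real Nortel exchange.

```python
import ipaddress
import struct
# Mode Config attribute numbers from draft-dukes-ike-mode-cfg (IKEv2's CP payload reuses them)
ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK", 3: "INTERNAL_IP4_DNS",
              4: "INTERNAL_IP4_NBNS", 5: "INTERNAL_ADDRESS_EXPIRY", 6: "INTERNAL_IP4_DHCP",
              7: "APPLICATION_VERSION"}
CFG_TYPES = {1: "CFG_REQUEST", 2: "CFG_REPLY", 3: "CFG_SET", 4: "CFG_ACK"}
IP4_ATTRS = {1, 2, 3, 4, 6}  # value is an IPv4 address, or empty when merely requested


def parse_mode_cfg(payload: bytes) -> dict:
    """Parse one Configuration payload body: type(1) reserved(1) identifier(2), then
    ISAKMP data attributes. Bit 15 of the attribute type word is AF: AF=1 means a
    2-byte value follows (TV); AF=0 means a 2-byte length then that many bytes (TLV).
    Each length is checked against the buffer so a bad attribute raises, not overreads."""
    if len(payload) < 4:
        raise ValueError("config payload shorter than its fixed header")
    cfg_type, _reserved, ident = struct.unpack("!BBH", payload[:4])
    attrs, off = [], 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError(f"truncated attribute header at offset {off}")
        word, val = struct.unpack("!HH", payload[off:off + 4])
        af, atype, off = word >> 15, word & 0x7FFF, off + 4
        if af:
            data = val.to_bytes(2, "big")
        else:
            if off + val > len(payload):
                raise ValueError(f"attribute {atype} claims {val} bytes, {len(payload) - off} left")
            data, off = payload[off:off + val], off + val
        name = ATTR_NAMES.get(atype, f"attr_{atype}")
        if atype in IP4_ATTRS:
            if len(data) not in (0, 4):
                raise ValueError(f"{name} must carry 0 or 4 bytes, got {len(data)}")
            value = str(ipaddress.IPv4Address(data)) if data else None
        else:
            value = data.hex()
        attrs.append((name, value))
    return {"type": CFG_TYPES.get(cfg_type, cfg_type), "id": ident, "attrs": attrs}


def tlv(atype: int, value: bytes) -> bytes:  # encode one TLV-form attribute (AF bit clear)
    return struct.pack("!HH", atype, len(value)) + value


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


# Constructed CFG_REPLY: a gateway handing a pool address, netmask, DNS and WINS to a client.
SAMPLE_REPLY = (struct.pack("!BBH", 2, 0, 0x1234) + tlv(1, ip4("130.42.160.12"))
                + tlv(2, ip4("255.255.252.0")) + tlv(3, ip4("130.42.160.1")) + tlv(4, ip4("130.42.160.1")))
# Constructed malformed reply: the DNS attribute claims 40 bytes but only 4 follow.
BAD_REPLY = struct.pack("!BBH", 2, 0, 1) + struct.pack("!HH", 3, 40) + ip4("10.1.2.3")
```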



