<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.0.10">
</HEAD>
<BODY>
Hello, <BR>
<BR>
Anybody has successfully deployed an IPsec tunnel using Openswan as concentrator and nortel contivity (model 251) as branch office ?<BR>
I'd like to know about similar scenarios. I have a lot of data and logs regarding my tests (for the moment not successfull) but before loading you with data, only a brief of the situation: <BR>
<BR>
my scenario looks like this<BR>
<BR>
Linux Openswan --- DSL NAT router ---- Internet ----------------------------- Nortel contivity<BR>
<BR>
So I need NAT-traversal in action. This family of Nortel devices seems to be really full IPsec and NAT-T featured looking at config options and it sould work ...<BR>
<BR>
Tunnel gets up, but traffic only flows from branch office to the Openswan. Openswan detects NAT and log shows:<BR>
<BR>
Dec 22 17:32:48 tunnel pluto[4220]: packet from N.N.N.N:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]Dec 22 17:32:48 tunnel pluto[4220]: packet from 80.28.216.105:500: ignoring Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]<BR>
Dec 22 17:32:48 tunnel pluto[4220]: "vpn-sants-nortel" #10: responding to Main Mode<BR>
Dec 22 17:32:48 tunnel pluto[4220]: "vpn-sants-nortel" #10: transition from state (null) to state STATE_MAIN_R1<BR>
Dec 22 17:32:50 tunnel pluto[4220]: "vpn-sants-nortel" #10: <B>NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NAT</B>ed<BR>
Dec 22 17:32:50 tunnel pluto[4220]: "vpn-sants-nortel" #10: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<BR>
Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: ignoring informational payload, type IPSEC_INITIAL_CONTACT<BR>
Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: Peer ID is ID_IPV4_ADDR: 'N.N.N.N'<BR>
Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: I did not send a certificate because I do not have one.<BR>
Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<BR>
Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: sent MR3, ISAKMP SA established<BR>
Dec 22 17:32:53 tunnel pluto[4220]: "vpn-sants-nortel" #11: <B>NAT-Traversal: received 1 NAT-OA. ignored because peer is not NATed</B><BR>
Dec 22 17:32:53 tunnel pluto[4220]: "vpn-sants-nortel" #11: responding to Quick Mode<BR>
Dec 22 17:32:53 tunnel pluto[4220]: "vpn-sants-nortel" #11: transition from state (null) to state STATE_QUICK_R1<BR>
Dec 22 17:32:54 tunnel pluto[4220]: "vpn-sants-nortel" #11: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<BR>
Dec 22 17:32:54 tunnel pluto[4220]: "vpn-sants-nortel" #11: IPsec SA established {ESP=>0x5a9852fe <0xb6566bf4 NATOA=0.0.0.0}<BR>
<BR>
Route installed and all seems ok. In Nortel side IPSEC SA looks ok. Nothing is seen over UDP 4500. Until now all NAT-T proves with openswan used this port for NAT traversal, but now traffic encapsulated seems to travel over UDP 500<BR>
When traffic goes out Openswan (ping to remote end) and must enter the tunnel tcpdump shows things like that :<BR>
<BR>
21:11:16.563563 IP (tos 0x0, ttl 64, id 1258, offset 0, flags [DF], proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no cksum] isakmp 4.4 msgid cookie ->: phase 2/others ? #241[C]: [|#139] (len mismatch: isakmp 1992383718/ip 126)<BR>
21:11:17.563396 IP (tos 0x0, ttl 64, id 1258, offset 0, flags [DF], proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no cksum] isakmp 12.14 msgid cookie ->: phase 2/others ? #135[]: [|#201] (len mismatch: isakmp 3582546107/ip 126)<BR>
21:11:18.563258 IP (tos 0x0, ttl 64, id 1258, offset 0, flags [DF], proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no cksum] isakmp 11.3 msgid cookie ->: phase 2/others ? #45[C]: [|sig] (len mismatch: isakmp 176508591/ip 126)<BR>
....<BR>
<BR>
anyone knows what does this mean ? what is intented for IKE fase 2 ? and what could be the reason for constant len mismatch errors. When packets reach remote end (branch office) are discarted<BR>
<BR>
Thanks in advance<BR>
Albert Agustí<BR>
<BR>
</BODY>
</HTML>