[Openswan Users] Connecting a branch office to nortel contivity

Ken Bantoft ken at xelerance.com
Tue Dec 14 14:52:28 CET 2004


I did this config last year, and it worked okay.  I assume you used the
docs from http://www.freeswan.ca/docs/Contivity/ ?  Although your config
differs a bit from mine.

Your logs aren't useful, as I don't see the pluto logs.  KLIPS logs
won't be of much use in this, as it'll be a mismatch somewhere in the
configuration.  Perhaps you need to look in /var/log/secure to see your
pluto logs, as on RH boxen, that's where pluto normally logs to.

Ensure Contivity is on 4.x code.  I had issues on 3.x based Contivities.


On Tue, 2004-12-14 at 16:50 -0200, Bento Loewenstein wrote:
> Hi ppl,
> 
> I'm kind of desperate here. I'm trying to connect our branch office in
> Brazil to a Nortel Contivity switch in the head office using openswan
> without luck.
> 
> Below is my ipsec.conf file. What happens is that the tunnel is not
> established. Even when phase 2 negotiation completes, my side doesn't
> send an IKE packet to the head office according to my contact there.
> I'm also sending a packet dump.
> 
> my setup is:
> 
> Red Hat Linux 7.3 (updated with packages from fedoralegacy.org)
> vanilla kernel 2.4.28 with NAT-traversal patch
> openswan 2.1.6 (also tried 2.4.0dr4)
> 
> 
> a log with "klipsdebug=all" and "plutodebug=all" is available at
> http://sprints.tks.com.br/messages.log
> 
> - any idea of what i'm doing wrong ?
> - would a complete upgrade (maybe debian sarge with 2.6 kernel) help ?
> 
> 
> Any help would be appreciated.
> 
> TIA,
> 
> Bento Loewenstein
> 
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
> 
> # This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> 
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         interfaces="ipsec0=eth1"
>         klipsdebug=all
>         plutodebug=all
> 
> # Defaults inherited by every conn below; a conn's own setting wins.
> conn %default
>         left=200.xxx.xxx.2              # our public address (branch office)
>         leftnexthop=200.xxx.xxx.1       # our upstream gateway, needed by KLIPS routing
>         leftsubnet=10.1.0.0/21          # branch-office LAN behind this gateway
>         keyingtries=10
>         disablearrivalcheck=no
>         auto=start
>         keylife=8h                      # phase 2 (IPsec SA) lifetime
>         rekeymargin=5m
>         ikelifetime=3h                  # phase 1 (ISAKMP SA) lifetime
> 
> include /etc/ipsec.d/examples/no_oe.conf
> 
> conn nortel
>         right=65.xxx.xxx.65             # Contivity public address (head office)
>         rightsubnet=198.36.64.0/22      # head-office LAN behind the Contivity
>         pfs=yes
>         compress=no
>         authby=secret                   # pre-shared key from ipsec.secrets
>         type=tunnel
>         auto=route                      # overrides auto=start from %default
>         auth=esp
>         esp=3des-md5-96
>         keyexchange=ike
>         keylife=8h
>         keyingtries=3                   # overrides keyingtries=10 from %default
> 
> Packet dump (with tcpdump -vnni host 65.xxx.xxx.65):
> 
> 11:40:09.637570 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] [tos 0xe0] (ttl 53, id 6439, len 96)
> 11:40:19.014517 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id] [tos 0xe0] (ttl 53, id 6634, len 88)
> 11:40:26.127226 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 1 R ident: [|ke] (DF) (ttl 64, id 0, len 208)
> 11:40:33.834634 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id] [tos 0xe0] (ttl 53, id 6939, len 88)
> 11:40:34.912995 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id] (DF) (ttl 64, id 0, len 96)
> 11:40:35.361100 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] [tos 0xe0] (ttl 53, id 6961, len 96)
> 11:40:50.319664 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id] [tos 0xe0] (ttl 53, id 7192, len 88)
> 11:41:01.305440 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash] (DF) (ttl 64, id 0, len 344)
> 11:41:10.594172 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash] [tos 0xe0]  (ttl 53, id 7615, len 320)
> 11:41:11.100647 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] (DF) (ttl 64, id 0, len 88)
> 11:41:12.684555 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500:  [udp sum ok]isakmp 1.0 msgid : phase 1 I inf: (n: doi=ipsec proto=isakmp type=INVALID-COOKIE) [tos 0xe0]  (ttl 53, id 7654, len 68)
> 11:41:14.551198 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash] (DF) (ttl 64, id 0, len 344)
> 11:41:26.143745 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] (DF) (ttl 64, id 0, len 88)
> 11:41:27.501807 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] (DF) (ttl 64, id 0, len 88)
> 11:41:30.928968 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash] [tos 0xe0]  (ttl 53, id 8042, len 320)
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
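Added example, not part of the thread and not Openswan or Nortel code: a small Python script that parses the tcpdump -vnni lines posted above (embedded as constructed sample input, with the addresses kept masked as posted) and reports what can be read off the capture before the pluto log is available: both ends sending Main Mode as initiator, the INVALID-COOKIE notification from the Contivity, and initiator Quick Mode messages that look retransmitted rather than completed. The regular expressions target this 2004-era tcpdump output format; all function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample input: the tcpdump -vnni lines from the thread, unwrapped,
# with the addresses kept masked exactly as posted.
SAMPLE_DUMP = """\
11:40:09.637570 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] [tos 0xe0] (ttl 53, id 6439, len 96)
11:40:19.014517 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id] [tos 0xe0] (ttl 53, id 6634, len 88)
11:40:26.127226 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 1 R ident: [|ke] (DF) (ttl 64, id 0, len 208)
11:40:33.834634 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id] [tos 0xe0] (ttl 53, id 6939, len 88)
11:40:34.912995 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id] (DF) (ttl 64, id 0, len 96)
11:40:35.361100 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] [tos 0xe0] (ttl 53, id 6961, len 96)
11:40:50.319664 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id] [tos 0xe0] (ttl 53, id 7192, len 88)
11:41:01.305440 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash] (DF) (ttl 64, id 0, len 344)
11:41:10.594172 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash] [tos 0xe0]  (ttl 53, id 7615, len 320)
11:41:11.100647 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] (DF) (ttl 64, id 0, len 88)
11:41:12.684555 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500:  [udp sum ok]isakmp 1.0 msgid : phase 1 I inf: (n: doi=ipsec proto=isakmp type=INVALID-COOKIE) [tos 0xe0]  (ttl 53, id 7654, len 68)
11:41:14.551198 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash] (DF) (ttl 64, id 0, len 344)
11:41:26.143745 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] (DF) (ttl 64, id 0, len 88)
11:41:27.501807 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] (DF) (ttl 64, id 0, len 88)
11:41:30.928968 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash] [tos 0xe0]  (ttl 53, id 8042, len 320)
"""

# One ISAKMP line as printed by this tcpdump version: the "msgid" field is
# empty in the posted dump and some lines carry a "[udp sum ok]" prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.500\s+>\s+(?P<dst>\S+)\.500:\s*"
    r"(?:\[udp sum ok\])?isakmp\s+1\.0\s+msgid\s*(?P<msgid>[0-9a-f]*)\s*:\s+"
    r"phase\s+(?P<phase>1|2/others)\s+(?P<role>[IR])\s+(?P<exch>[^\s:]+):"
    r"(?P<rest>.*)$"
)
NOTIFY_RE = re.compile(r"type=(?P<notify>[A-Z0-9-]+)")
LEN_RE = re.compile(r"len (?P<len>\d+)")


def parse_dump(text):
    """Return one dict per ISAKMP line; lines that do not match are skipped."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        notify = NOTIFY_RE.search(rest)
        length = LEN_RE.search(rest)
        msgs.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "phase": m.group("phase"),   # "1" or "2/others"
            "role": m.group("role"),     # I = initiator, R = responder
            "exch": m.group("exch"),     # ident, ident[E], oakley-quick[E], inf
            "notify": notify.group("notify") if notify else None,
            "len": int(length.group("len")) if length else None,
        })
    return msgs


def summarise(msgs):
    """Count messages per (sender, phase, role) to see who is doing what."""
    return Counter((m["src"], m["phase"], m["role"]) for m in msgs)


def analyse(msgs):
    """Heuristic findings worth checking before the pluto log is read."""
    findings = []

    # 1. Crossed initiation: both ends sending Main Mode (ident) as initiator.
    initiators = sorted({m["src"] for m in msgs
                         if m["phase"] == "1" and m["role"] == "I"
                         and m["exch"].startswith("ident")})
    if len(initiators) > 1:
        findings.append("crossed-initiation: %s both act as Main Mode initiator"
                        % " and ".join(initiators))

    # 2. Informational notifications. INVALID-COOKIE (RFC 2408) means the sender
    #    received a message whose ISAKMP cookies match no phase 1 SA it knows,
    #    i.e. the two ends disagree about which ISAKMP SA exists.
    for m in msgs:
        if m["notify"] == "INVALID-COOKIE":
            findings.append("invalid-cookie: %s rejected a message for an ISAKMP SA "
                            "it does not know (stale or duplicate phase 1 SA)" % m["src"])
        elif m["notify"]:
            findings.append("notify: %s sent %s" % (m["src"], m["notify"]))

    # 3. Quick Mode that never finishes: QM is three messages, and the third
    #    (just HASH(3)) is much shorter than the first. Several initiator QM
    #    messages of identical length look like QM1 being retransmitted.
    qm_lens = {}
    for m in msgs:
        if m["exch"].startswith("oakley-quick") and m["role"] == "I":
            qm_lens.setdefault(m["src"], []).append(m["len"])
    for src, lens in qm_lens.items():
        if len(lens) > 1 and len(set(lens)) == 1:
            findings.append("quick-mode: %s sent %d initiator messages, all %d bytes, "
                            "and no short QM3; the phase 2 exchange never completed"
                            % (src, len(lens), lens[0]))
    return findings


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for key, n in sorted(summarise(parsed).items()):
        print("%-16s phase %-9s %s  x%d" % (key[0], key[1], key[2], n))
    for finding in analyse(parsed):
        print("*", finding)
```

Run it on the dump as posted and it flags all three conditions; none of them names the mismatched parameter, which is why Ken asks for the pluto log (on Red Hat, /var/log/secure) rather than the KLIPS log or the capture. The capture only confirms that phase 2 keeps restarting and that the two ends do not agree on the phase 1 SA.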
