[Openswan Users] Connecting a branch office to nortel contivity
Bento Loewenstein
bento at tks.com.br
Tue Dec 14 12:11:15 CET 2004
Hi ppl,
I'kind of desperate here. I'm trying to connect our branch office in
brasil to a Nortel Contivity switch in the head office using openswan
without luck.
bellow is my ipsec.conf file. what happens is even when the tunnel is
that the tunnel is not established. even when phase 2 negotiation
completes my side doesen't send IKE packet to the head office according
to my contact there. i'm also sending a packet dump.
my setup is:
Red hat linux 7.3 (updated with packages from fedoralegacy.org)
vanila kernel 2.4.28 with nat-traversal patch
openswan 2.1.6 (also tried 2.4.0dr4)
a log with "klipsdebug=all" and "plutodebug=all" is available at
http://sprints.tks.com.br/messages.log
- any idea of what i'm doing wrong ?
- would a complete upgrade (maybe debian sarge with 2.6 kernel) help ?
Any help would be apreciated.
TIA,
Bento Loewenstein
PS.: if possible CC me in the reply, i'm not currently subscribed to the
list.
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for
lots.
interfaces="ipsec0=eth1"
klipsdebug=all
plutodebug=all
conn %default
left=200.xxx.xxx.2
leftnexthop=200.xxx.xxx.1
leftsubnet=10.1.0.0/21
keyingtries=10
disablearrivalcheck=no
auto=start
keylife=8h
rekeymargin=5m
ikelifetime=3h
include /etc/ipsec.d/examples/no_oe.conf
conn nortel
right=65.xxx.xxx.65
rightsubnet=198.36.64.0/22
pfs=yes
compress=no
authby=secret
type=tunnel
auto=route
auth=esp
esp=3des-md5-96
keyexchange=ike
keylife=8h
keyingtries=3
packet dump (with tcpdump -vnni host 65.xxx.xxx.65)
11:40:09.637570 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid
: phase 1 R ident[E]: [encrypted id] [tos 0xe0]
(ttl 53, id 6439, len 96)
11:40:19.014517 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid
: phase 1 I ident[E]: [encrypted id] [tos 0xe0]
(ttl 53, id 6634, len 88)
11:40:26.127226 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid
: phase 1 R ident: [|ke] (DF) (ttl 64, id 0, len
208)
11:40:33.834634 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid
: phase 1 I ident[E]: [encrypted id] [tos 0xe0]
(ttl 53, id 6939, len 88)
11:40:34.912995 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid
: phase 1 I ident[E]: [encrypted id] (DF) (ttl 64
, id 0, len 96)
11:40:35.361100 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid
: phase 1 R ident[E]: [encrypted id] [tos 0xe0]
(ttl 53, id 6961, len 96)
11:40:50.319664 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid
: phase 1 I ident[E]: [encrypted id] [tos 0xe0]
(ttl 53, id 7192, len 88)
11:41:01.305440 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid
: phase 2/others I oakley-quick[E]: [encrypted ha
sh] (DF) (ttl 64, id 0, len 344)
11:41:10.594172 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid
: phase 2/others R oakley-quick[E]: [encrypted ha
sh] [tos 0xe0] (ttl 53, id 7615, len 320)
11:41:11.100647 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid
: phase 1 R ident[E]: [encrypted id] (DF) (ttl 64
, id 0, len 88)
11:41:12.684555 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: [udp sum
ok]isakmp 1.0 msgid : phase 1 I inf:
(n: doi=ipsec proto=isakmp type=INVALID-COOKIE) [tos 0xe0] (ttl
53, id 7654, len 68)
11:41:14.551198 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid
: phase 2/others I oakley-quick[E]: [encrypted ha
sh] (DF) (ttl 64, id 0, len 344)
11:41:26.143745 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid
: phase 1 R ident[E]: [encrypted id] (DF) (ttl 64
, id 0, len 88)
11:41:27.501807 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid
: phase 1 R ident[E]: [encrypted id] (DF) (ttl 64
, id 0, len 88)
11:41:30.928968 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid
: phase 2/others R oakley-quick[E]: [encrypted ha
sh] [tos 0xe0] (ttl 53, id 8042, len 320)
More information about the Users
mailing list