[Openswan Users] Connecting a branch office to nortel contivity

Bento Loewenstein bento at tks.com.br
Tue Dec 14 12:11:15 CET 2004


Hi ppl,

I'm kind of desperate here. I'm trying to connect our branch office in 
Brazil to a Nortel Contivity switch in the head office using Openswan, 
without luck.

Below is my ipsec.conf file. What happens is that the tunnel is not 
established: even when phase 2 negotiation completes, my side doesn't 
send an IKE packet to the head office, according to my contact there. 
I'm also sending a packet dump.

My setup is:

Red Hat Linux 7.3 (updated with packages from fedoralegacy.org)
vanilla kernel 2.4.28 with the NAT-traversal patch
Openswan 2.1.6 (also tried 2.4.0dr4)


A log with "klipsdebug=all" and "plutodebug=all" is available at 
http://sprints.tks.com.br/messages.log

- Any idea what I'm doing wrong?
- Would a complete upgrade (maybe Debian sarge with a 2.6 kernel) help?


Any help would be appreciated.

TIA,

Bento Loewenstein

PS: If possible, CC me in the reply; I'm not currently subscribed to the 
list.


# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


# Declares which ipsec.conf syntax the sections below are written in.
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration: global daemon settings, not tied to any one conn
config setup
         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
         # Bind the KLIPS virtual interface ipsec0 to the physical eth1
         # (presumably the interface that carries the left= address below).
         interfaces="ipsec0=eth1"
         # Both set to "all" to produce the messages.log referenced in the
         # post. This is extremely verbose and meant for troubleshooting
         # only; note that Pluto's "crypt" debugging, included in "all",
         # can write keying material into the log, so review the log before
         # publishing it and drop these back to "none" once the tunnel works.
         klipsdebug=all
         plutodebug=all

# Settings inherited by every conn in this file. Note that "conn nortel"
# below overrides keyingtries and auto=, and repeats keylife.
conn %default
        # Local (branch-office) endpoint and its upstream gateway;
        # the middle octets are redacted in the post.
        left=200.xxx.xxx.2
        leftnexthop=200.xxx.xxx.1
        # Local network behind this gateway.
        leftsubnet=10.1.0.0/21
        # Negotiation attempts before giving up (nortel lowers this to 3).
        keyingtries=10
        # "no" leaves KLIPS's tunnel-exit address plausibility check enabled.
        disablearrivalcheck=no
        # Bring the conn up at startup (nortel replaces this with auto=route).
        auto=start
        # IPsec SA (phase 2) lifetime, and how far before expiry to rekey.
        keylife=8h
        rekeymargin=5m
        # ISAKMP SA (phase 1) lifetime.
        ikelifetime=3h

# Openswan's shipped example that turns off opportunistic encryption, so
# only the explicitly defined conns are attempted.
include /etc/ipsec.d/examples/no_oe.conf

# The branch-office <-> head-office tunnel. left* values come from %default.
conn nortel
  # Remote Contivity endpoint and the head-office network behind it
  # (octets redacted in the post).
  right=65.xxx.xxx.65
  rightsubnet=198.36.64.0/22
  # Request perfect forward secrecy for the phase 2 (quick mode) exchange.
  # Both peers have to agree on PFS; a mismatch is a common reason for a
  # quick-mode exchange to fail, so confirm the Contivity side matches.
  pfs=yes
  # No IPCOMP.
  compress=no
  # Pre-shared-key authentication; the key itself lives in ipsec.secrets,
  # which is not part of this post.
  authby=secret
  type=tunnel
  # Overrides %default's auto=start: only the route/eroute is installed at
  # startup, and negotiation is expected to begin when matching traffic
  # appears rather than immediately.
  auto=route
  # ESP proposal: 3DES-CBC with HMAC-MD5-96. Both are legacy algorithms
  # (64-bit block cipher, MD5-based MAC), presumably chosen to match what
  # the Contivity offers; the proposal has to match the peer's exactly.
  auth=esp
  esp=3des-md5-96 

  keyexchange=ike
  # Same as %default's keylife; keyingtries overrides %default's 10.
  keylife=8h
  keyingtries=3

Packet dump (with tcpdump -vnni host 65.xxx.xxx.65):

11:40:09.637570 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid 
: phase 1 R ident[E]: [encrypted id] [tos 0xe0]
(ttl 53, id 6439, len 96) 

11:40:19.014517 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid 
: phase 1 I ident[E]: [encrypted id] [tos 0xe0]
(ttl 53, id 6634, len 88) 

11:40:26.127226 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid 
: phase 1 R ident: [|ke] (DF) (ttl 64, id 0, len
208) 

11:40:33.834634 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid 
: phase 1 I ident[E]: [encrypted id] [tos 0xe0]
(ttl 53, id 6939, len 88) 

11:40:34.912995 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid 
: phase 1 I ident[E]: [encrypted id] (DF) (ttl 64
, id 0, len 96) 

11:40:35.361100 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid 
: phase 1 R ident[E]: [encrypted id] [tos 0xe0]
(ttl 53, id 6961, len 96) 

11:40:50.319664 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid 
: phase 1 I ident[E]: [encrypted id] [tos 0xe0]
(ttl 53, id 7192, len 88) 

11:41:01.305440 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid 
: phase 2/others I oakley-quick[E]: [encrypted ha
sh] (DF) (ttl 64, id 0, len 344) 

11:41:10.594172 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid 
: phase 2/others R oakley-quick[E]: [encrypted ha
sh] [tos 0xe0]  (ttl 53, id 7615, len 320) 

11:41:11.100647 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid 
: phase 1 R ident[E]: [encrypted id] (DF) (ttl 64
, id 0, len 88) 

11:41:12.684555 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500:  [udp sum 
ok]isakmp 1.0 msgid : phase 1 I inf:
     (n: doi=ipsec proto=isakmp type=INVALID-COOKIE) [tos 0xe0]  (ttl 
53, id 7654, len 68)
11:41:14.551198 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid 
: phase 2/others I oakley-quick[E]: [encrypted ha
sh] (DF) (ttl 64, id 0, len 344) 

11:41:26.143745 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid 
: phase 1 R ident[E]: [encrypted id] (DF) (ttl 64
, id 0, len 88) 

11:41:27.501807 200.xxx.xxx.2.500 > 65.xxx.xxx.65.500: isakmp 1.0 msgid 
: phase 1 R ident[E]: [encrypted id] (DF) (ttl 64
, id 0, len 88) 

11:41:30.928968 65.xxx.xxx.65.500 > 200.xxx.xxx.2.500: isakmp 1.0 msgid 
: phase 2/others R oakley-quick[E]: [encrypted ha
sh] [tos 0xe0]  (ttl 53, id 8042, len 320)

