[Openswan Users] Nortel contivity and openswan

Wed Dec 22 21:15:05 CET 2004

Hello, 

Anybody has successfully deployed an IPsec tunnel using Openswan as
concentrator and nortel contivity (model 251) as branch office ?
I'd like to know about similar scenarios. I have a lot of data and logs
regarding my tests (for the moment not successfull)  but before loading
you with data, only a brief of the situation: 

my scenario looks like this

Linux Openswan --- DSL NAT router ---- Internet
----------------------------- Nortel contivity

So I need NAT-traversal in action. This family of Nortel devices seems
to be really full IPsec and NAT-T featured looking at config options and
it sould work ...

Tunnel gets up, but traffic only flows from branch office to the
Openswan. Openswan detects NAT and log shows:

Dec 22 17:32:48 tunnel pluto[4220]: packet from N.N.N.N:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]Dec 22 17:32:48 tunnel
pluto[4220]: packet from 80.28.216.105:500: ignoring Vendor ID payload
[625027749d5ab97f5616c1602765cf480a3b7d0b]
Dec 22 17:32:48 tunnel pluto[4220]: "vpn-sants-nortel" #10: responding
to Main Mode
Dec 22 17:32:48 tunnel pluto[4220]: "vpn-sants-nortel" #10: transition
from state (null) to state STATE_MAIN_R1
Dec 22 17:32:50 tunnel pluto[4220]: "vpn-sants-nortel" #10:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
Dec 22 17:32:50 tunnel pluto[4220]: "vpn-sants-nortel" #10: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: ignoring
informational payload, type IPSEC_INITIAL_CONTACT
Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: Peer ID is
ID_IPV4_ADDR: 'N.N.N.N'
Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: I did not
send a certificate because I do not have one.
Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: sent MR3,
ISAKMP SA established
Dec 22 17:32:53 tunnel pluto[4220]: "vpn-sants-nortel" #11:
NAT-Traversal: received 1 NAT-OA. ignored because peer is not NATed
Dec 22 17:32:53 tunnel pluto[4220]: "vpn-sants-nortel" #11: responding
to Quick Mode
Dec 22 17:32:53 tunnel pluto[4220]: "vpn-sants-nortel" #11: transition
from state (null) to state STATE_QUICK_R1
Dec 22 17:32:54 tunnel pluto[4220]: "vpn-sants-nortel" #11: transition
from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 22 17:32:54 tunnel pluto[4220]: "vpn-sants-nortel" #11: IPsec SA
established {ESP=>0x5a9852fe <0xb6566bf4 NATOA=0.0.0.0}

Route installed and all seems ok. In Nortel side IPSEC SA looks ok.
Nothing is seen over UDP 4500. Until now all NAT-T proves with openswan
used this port for NAT traversal, but now traffic encapsulated seems to
travel over UDP 500
When traffic goes out Openswan (ping to remote end) and must enter the
tunnel tcpdump shows things like that :

21:11:16.563563 IP (tos 0x0, ttl  64, id 1258, offset 0, flags [DF],
proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no
cksum] isakmp 4.4 msgid  cookie ->: phase 2/others ? #241[C]: [|#139]
(len mismatch: isakmp 1992383718/ip 126)
21:11:17.563396 IP (tos 0x0, ttl  64, id 1258, offset 0, flags [DF],
proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no
cksum] isakmp 12.14 msgid  cookie ->: phase 2/others ? #135[]: [|#201]
(len mismatch: isakmp 3582546107/ip 126)
21:11:18.563258 IP (tos 0x0, ttl  64, id 1258, offset 0, flags [DF],
proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no
cksum] isakmp 11.3 msgid  cookie ->: phase 2/others ? #45[C]: [|sig]
(len mismatch: isakmp 176508591/ip 126)
....

anyone knows what does this mean ? what is intented for IKE fase 2 ? and
what could be the reason for constant len mismatch errors. When packets
reach remote end (branch office) are discarted

Thanks in advance
Albert Agustí

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20041222/68a6d056/attachment.htm