[Openswan Users] Nortel contivity and openswan

albert agusti aagusti at serialnet.net
Thu Dec 23 13:30:40 CET 2004


Hello, 

More data about the case:

Here I paste the tcpdump of the IKE session (when Nortel is Initiator and
Openswan Responder). Any clues for you there?
I used the IPsec settings suggested in the "ICSAlabs VPN troubleshooting
guide" (PSK, no PFS, SHA1, 3DES, same timers, only ESP, Diffie-Hellman
group 2).
It looks good to me, but I have some doubts (bold):
-what are VIDs? why are they of different lengths? and could this be
important?
-I can't see anything about NAT-T there. Is that normal?
-Should this scenario work, or am I in a worse case than some days ago?
My idea is to eliminate initiator-side NAT (every night before going to
sleep I say "NAT is evil" 10 times, Michael ;-) )
-Maybe only old RFCs are supported on the Nortel Contivity? Is an upgrade
suggested, if possible?

Notes:
N.N.N.N = Nortel device IP address
O.O.O.O = Openswan (visible and real IP address seen from outside)
192.168.5.2 = LAN Openswan gateway to the ADSL router
All packets were captured in the LAN segment between Openswan and the DSL
(NATting) router because no other inspection point is possible.
-Openswan 2.2.0 [plus NAT-T rekey patch] (Linux 2.6)
-Nortel contivity 251 (RAS F/W Version: VA251_2.0.0.0.013 | 12/3/2003 
DSL FW Version: Alcatel, Version 3.9.122)

Thanks in advance
Albert Agustí


****** Nortel -> Openswan (1) 
18:06:04.607406 IP (tos 0x0, ttl 247, id 28657, offset 0, flags [none],
proto 17, length: 156) N.N.N.N.isakmp > 192.168.5.2.isakmp: [udp sum ok]
isakmp 1.0 msgid  cookie ->: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=3des)(type=hash
value=sha1)(type=auth value=preshared)(type=group desc
value=modp1024)(type=lifetype value=sec)(type=lifeduration len=4
value=000004b0))))
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=20 625027749d5ab97f5616c1602765cf480a3b7d0b)

****** Openswan -> Nortel (2)
18:06:04.608214 IP (tos 0x0, ttl  64, id 366, offset 0, flags [DF],
proto 17, length: 132) 192.168.5.2.isakmp > N.N.N.N.isakmp: [udp sum ok]
isakmp 1.0 msgid  cookie ->: phase 1 R ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=3des)(type=hash
value=sha1)(type=auth value=preshared)(type=group desc
value=modp1024)(type=lifetype value=sec)(type=lifeduration len=4
value=000004b0))))
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)

****** Nortel -> Openswan (3)
18:06:05.922748 IP (tos 0x0, ttl 247, id 28658, offset 0, flags [none],
proto 17, length: 260) N.N.N.N.isakmp > 192.168.5.2.isakmp: [udp sum ok]
isakmp 1.0 msgid  cookie ->: phase 1 I ident:
    (ke: key len=128
472879192d2248ef6e4494ec6985ddf5df917b12915ecb0b4ca8b22ff6525ef86748825a9a68a8a27a53a3fe453904b5b28df24f571a728ebb95b6104057de168228b11122140c7adf2c87d6c4280845c69a3c521630de9add9dd7c1add7bc70483970ccd886660588b54d1a76265e149b8b020ecb93d71e74d5eace42d3e069)
    (nonce: n len=20 54664dd3143a57eeedd914e704c69037870ab458)
    (#130)
    (#130)

***** Openswan -> Nortel (4)
18:06:05.928925 IP (tos 0x0, ttl  64, id 367, offset 0, flags [DF],
proto 17, length: 256) 192.168.5.2.isakmp > N.N.N.N.isakmp: [udp sum ok]
isakmp 1.0 msgid  cookie ->: phase 1 R ident:
    (ke: key len=128
998f13ed8d4f20ddd362f8a0017e62583f0a85ad7e86f0b394d03c8c2e129c3a76effeabe793bb98468ebd10c65c8e34ba904c1999318a115d4680bfd6b97e299b9517a1eedf79ef55f215e452010d214f80e09bb24c0ebd8e65e556cbb0e933d8f4783aa250f53eab8783d8d512b95a06d5eee61fefe135031bad2a7f844e6f)
    (nonce: n len=16 44d60557d92e63d6e130c0f463480c69)
    (#130)
    (#130)

***** Nortel -> Openswan (5)
18:06:07.522104 IP (tos 0x0, ttl 247, id 28659, offset 0, flags [none],
proto 17, length: 120) N.N.N.N.isakmp > 192.168.5.2.isakmp: [udp sum ok]
isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]

***** Openswan -> Nortel (6)
18:06:07.522764 IP (tos 0x0, ttl  64, id 368, offset 0, flags [DF],
proto 17, length: 96) 192.168.5.2.isakmp > N.N.N.N.isakmp: [udp sum ok]
isakmp 1.0 msgid  cookie ->: phase 1 R ident[E]: [encrypted id]

------------------------------------------------------------


18:06:08.857723 IP (tos 0x0, ttl 247, id 28660, offset 0, flags [none],
proto 17, length: 336) N.N.N.N.isakmp > 192.168.5.2.isakmp: [udp sum ok]
isakmp 1.0 msgid  cookie ->: phase 2/others I oakley-quick[E]:
[encrypted hash]

18:06:08.863717 IP (tos 0x0, ttl  64, id 369, offset 0, flags [DF],
proto 17, length: 320) 192.168.5.2.isakmp > N.N.N.N.isakmp: [udp sum ok]
isakmp 1.0 msgid  cookie ->: phase 2/others R oakley-quick[E]:
[encrypted hash]

18:06:10.473243 IP (tos 0x0, ttl 247, id 28661, offset 0, flags [none],
proto 17, length: 80) N.N.N.N.isakmp > 192.168.5.2.isakmp: [udp sum ok]
isakmp 1.0 msgid  cookie ->: phase 2/others I oakley-quick[E]:
[encrypted hash]


Is all really fine? Does it look like a successful tunnel establishment to you?
It seems OK to me, and the problem arises when traffic should go out from
Openswan to Nortel, showing the messages I sent to you in the first e-mail
that I can understand:

21:11:16.563563 IP (tos 0x0, ttl  64, id 1258, offset 0, flags [DF],
proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no
cksum] isakmp 4.4 msgid  cookie ->: phase 2/others ? #241[C]: [|#139]
(len mismatch: isakmp 1992383718/ip 126)
21:11:17.563396 IP (tos 0x0, ttl  64, id 1258, offset 0, flags [DF],
proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no
cksum] isakmp 12.14 msgid  cookie ->: phase 2/others ? #135[]: [|#201]
(len mismatch: isakmp 3582546107/ip 126)
21:11:18.563258 IP (tos 0x0, ttl  64, id 1258, offset 0, flags [DF],
proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no
cksum] isakmp 11.3 msgid  cookie ->: phase 2/others ? #45[C]: [|sig]
(len mismatch: isakmp 176508591/ip 126)


*********************************************

All the same, but with Nortel as Responder and Openswan as Initiator. It
doesn't look so good, but I'm not sure why it breaks. The peers don't agree
as in the first case, and nothing has changed (relating to configuration).

Nortel shows:
9 	01/03/2000 00:45:04	Send:[SA][VID][VID]	N.N.N.N	O.O.O.O	IKE
10 	01/03/2000 00:45:06	Send:[HASH][DEL]	N.N.N.N	O.O.O.O	IKE
11 	01/03/2000 00:45:06	Send:[HASH][NOTFY:NO_PROP_CHOSEN]	N.N.N.N	O.O.O.O	IKE
12 	01/03/2000 00:45:06	!! No proposal chosen	O.O.O.O	N.N.N.N	IKE
13 	01/03/2000 00:45:06	Rule [1] Phase 2 encryption algorithm mismatch	O.O.O.O	N.N.N.N	IKE
14 	01/03/2000 00:45:06	Start Phase 2: Quick Mode	O.O.O.O	N.N.N.N	IKE
15 	01/03/2000 00:45:06	Recv:[HASH][SA][NONCE][ID][ID]	O.O.O.O	N.N.N.N	IKE
16 	01/03/2000 00:45:06	Send:[ID][HASH][NOTFY:INIT_CONTACT]	N.N.N.N	O.O.O.O	IKE
17 	01/03/2000 00:45:06	Recv:[ID][HASH]	O.O.O.O	N.N.N.N	IKE
18 	01/03/2000 00:45:06	Send:[KE][NONCE]	N.N.N.N	O.O.O.O	IKE

The desired scenario is the first, but the different behaviour might make
sense to you or suggest an idea. I thought of reducing the Openswan
proposals to the one I know is good (#3), but I don't know how.

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size
1514 bytes
19:33:08.167007 IP (tos 0x0, ttl  64, id 702, offset 0, flags [DF],
proto 17, length: 264) 192.168.5.2.isakmp > vallfogona.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=4
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=0005))
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=0005))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp1024))))
    (vid: len=16 7d9419a65310ca6f2c179d9215529d56)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
19:33:09.480576 IP (tos 0x0, ttl 247, id 32047, offset 0, flags [none],
proto 17, length: 156) vallfogona.isakmp > 192.168.5.2.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 1 R ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=3des)(type=hash
value=sha1)(type=auth value=preshared)(type=group desc
value=modp1024)(type=lifetype value=sec)(type=lifeduration len=4
value=00000e10))))
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=20 625027749d5ab97f5616c1602765cf480a3b7d0b)
19:33:09.484055 IP (tos 0x0, ttl  64, id 703, offset 0, flags [DF],
proto 17, length: 256) 192.168.5.2.isakmp > vallfogona.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 1 I ident:
    (ke: key len=128
ab43d89d741157e0be227dd0c789793f100041315cee19d3648fcc37672ab4982ade6ea534d2ee4c4bf45d36a75a404cee1172ed4f8f378e24cd2d6120d4e9433a71ba2dd76401462c37e696d53edf0a2eece7f754f86e2be373c89b91e06fd228549b78b67922d32891bb145463858b0eef52cd811314928adbbcf196c4c99d)
    (nonce: n len=16 b953df268c83b71d0032dfa5ebf4a37e)
    (#130)
    (#130)
19:33:11.063889 IP (tos 0x0, ttl 247, id 32048, offset 0, flags [none],
proto 17, length: 260) vallfogona.isakmp > 192.168.5.2.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 1 R ident:
    (ke: key len=128
58507f4e442d7b7f9e066ab0889c0752bc3c7782221e8d3fb8e93561b6f61e778aa1ff5a096bd7f14913ae49191fa2bed7f07c5dfa115118f2cd2ae48341fca98b708467828464a1fea82dcc5c1ce0fb4b006cc5b70950821f96e49b1920b3a206775fda080f7fc3d9cbe15a8fe527a9f7a6255c98f60efa6f5a84d8da68a023)
    (nonce: n len=20 fdf809aef72fd743d3ff95c8c05a02b0117b2d66)
    (#130)
    (#130)
19:33:11.066983 IP (tos 0x0, ttl  64, id 704, offset 0, flags [DF],
proto 17, length: 96) 192.168.5.2.isakmp > vallfogona.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
19:33:11.182885 IP (tos 0x0, ttl 247, id 32049, offset 0, flags [none],
proto 17, length: 120) vallfogona.isakmp > 192.168.5.2.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 1 R ident[E]: [encrypted id]
19:33:11.183960 IP (tos 0x0, ttl  64, id 705, offset 0, flags [DF],
proto 17, length: 208) 192.168.5.2.isakmp > vallfogona.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 2/others I oakley-quick[E]:
[encrypted hash]
19:33:11.308663 IP (tos 0x0, ttl 247, id 32050, offset 0, flags [none],
proto 17, length: 96) vallfogona.isakmp > 192.168.5.2.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 2/others R inf[E]: [encrypted
hash]
19:33:11.318585 IP (tos 0x0, ttl 247, id 32051, offset 0, flags [none],
proto 17, length: 112) vallfogona.isakmp > 192.168.5.2.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 2/others R inf[E]: [encrypted
hash]
19:33:16.317470 IP (tos 0x0, ttl  64, id 706, offset 0, flags [DF],
proto 17, length: 29) 192.168.5.2.isakmp > vallfogona.isakmp: [udp sum
ok] [|isakmp]
19:33:21.316747 IP (tos 0x0, ttl  64, id 707, offset 0, flags [DF],
proto 17, length: 208) 192.168.5.2.isakmp > vallfogona.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 2/others I oakley-quick[E]:
[encrypted hash]
19:33:36.314441 IP (tos 0x0, ttl  64, id 708, offset 0, flags [DF],
proto 17, length: 29) 192.168.5.2.isakmp > vallfogona.isakmp: [udp sum
ok] [|isakmp]
19:33:41.178778 IP (tos 0x0, ttl  64, id 709, offset 0, flags [DF],
proto 17, length: 208) 192.168.5.2.isakmp > vallfogona.isakmp: [udp sum
ok] isakmp 1.0 msgid  cookie ->: phase 2/others I oakley-quick[E]:
[encrypted hash]
19:33:56.176423 IP (tos 0x0, ttl  64, id 710, offset 0, flags [DF],
proto 17, length: 29) 192.168.5.2.isakmp > vallfogona.isakmp: [udp sum
ok] [|isakmp]
19:34:16.254374 IP (tos 0x0, ttl  64, id 711, offset 0, flags [DF],
proto 17, length: 29) 192.168.5.2.isakmp > vallfogona.isakmp: [udp sum
ok] [|isakmp]
19:34:21.254290 IP (tos 0x0, ttl  64, id 712, offset 0, flags [DF],
proto 17, length: 208)
