[Openswan Users] Nortel interoperability questions

David Mattes david.mattes at boeing.com
Mon May 3 12:47:20 CEST 2004


Hi,

I'm interoperating with a Nortel CES VPN server.  The Nortel maintains 
an address pool to allocate to connecting clients (approximately DHCP).  
I'm not sure if the address is coming down as part of the ISAKMP SA 
(main mode) or IPSec SA (Quick mode).  Does OpenS/WAN 2.x.x have any way 
of handling this address allocation mechanism for the virtual private 
interface?

I'm also having a hard time specifying a static virtual private address 
on the OpenS/WAN side of the connection.  Here is my connection diagram 
and connection specification in ipsec.conf:

|-------------------------------|       |-------------|
|     eth0            ipsec0    |       |    Router   |
| 130.42.32.235   130.42.160.12 |-------| 130.42.32.1 |
|                               |       |     /24     |
|-------------------------------|       |-------------|
        |                                      |
        |                                      |
        |                                      |
        |      |----------------|       |--------------|
        |      |     Nortel     |       |    Router    |
        |      | 130.42.160.10  |-------| 130.42.160.1 |
        |      |                |       |     /22      |
        |      |----------------|       |--------------|
        |                |
        |                |
        |                |
|--------------------------------|
|        Intranet                |
|--------------------------------|

conn cert
    authby=rsasig
    left=%defaultroute
    leftsubnet=130.42.160.12/32
    leftcert=foo.pem
    leftid="C=us, O=b, OU=p, CN=dm"
    right=130.42.160.10
    rightnexthop=130.42.160.1
    rightsubnet=130.42.160.0/22
    rightrsasigkey=%cert
    rightid="C=us, O=b, CN=nortel"
    auto=add


The Nortel is also sending down long routing tables to the client 
through some (Nortel/Apani client specific) [proprietary] protocol.  
Does anyone know what this is or how to use it - is it part of XAuth?  
Better, how about fooling the Nortel that my client runs the proprietary 
client software?

Thanks,
David
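One way to settle the question of whether the pool address arrives with the ISAKMP SA (main mode) or the IPsec SA (quick mode) is to look at the exchange type in the ISAKMP header of each captured UDP/500 message. An address handed out by a gateway through Mode Config travels in a separate Transaction exchange (type 6) carrying an Attributes payload (type 14), which sits between the main mode and quick mode exchanges and is normally encrypted under the phase 1 SA, so the header alone already tells you which exchange carried it. The following script is an added example, not code from this thread or from Openswan; field layouts follow RFC 2408/2409 and the ISAKMP Mode Config draft, and the sample packets at the bottom are constructed by hand (the Mode Config reply is deliberately left unencrypted so the attribute decoder can be exercised; a real one would be encrypted and only its header would decode).

```python
"""Classify ISAKMP (IKEv1) messages by exchange type and, where payloads are not
encrypted, decode Mode Config address attributes.  Added example, not the
thread's or Openswan's code.  Layouts: RFC 2408 (header, generic payload
header), RFC 2409 (Quick Mode = 32), draft-ietf-ipsec-isakmp-mode-cfg
(Transaction = 6, Attributes payload = 14).  Sample packets are constructed."""
import ipaddress
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # icookie, rcookie, next, ver, xchg, flags, msgid, len
ISAKMP_HDR_LEN = ISAKMP_HDR.size           # 28 bytes
FLAG_ENCRYPTION = 0x01
NEXT_ATTR = 14                             # Attributes payload (Mode Config)

EXCHANGE_TYPES = {
    2: "Identity Protection (Main Mode, ISAKMP SA)",
    4: "Aggressive Mode (ISAKMP SA)",
    5: "Informational",
    6: "Transaction (Mode Config / XAUTH)",
    32: "Quick Mode (IPsec SA)",
}
CFG_TYPES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}
ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK", 3: "INTERNAL_IP4_DNS",
              4: "INTERNAL_IP4_NBNS", 5: "INTERNAL_ADDRESS_EXPIRY", 6: "INTERNAL_IP4_DHCP",
              7: "APPLICATION_VERSION"}
IPV4_ATTRS = {1, 2, 3, 4, 6}


def parse_header(pkt):
    """Decode the fixed 28-byte ISAKMP header and validate version/length."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("packet shorter than ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(pkt, 0)
    if (ver >> 4) != 1:
        raise ValueError("not ISAKMP major version 1")
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "next_payload": nxt, "exchange_type": xchg,
            "exchange": EXCHANGE_TYPES.get(xchg, "unknown (%d)" % xchg),
            "encrypted": bool(flags & FLAG_ENCRYPTION), "message_id": msgid}


def parse_attributes(pkt, offset):
    """Decode one Attributes payload at offset; return (decoded, next_payload, length)."""
    nxt, _res, plen = struct.unpack_from("!BBH", pkt, offset)
    end = offset + plen
    if plen < 8 or end > len(pkt):
        raise ValueError("bad Attributes payload length")
    cfg_type, _res2, ident = struct.unpack_from("!BBH", pkt, offset + 4)
    attrs, pos = [], offset + 8
    while pos + 4 <= end:
        atype, aval = struct.unpack_from("!HH", pkt, pos)
        pos += 4
        if atype & 0x8000:                 # AF=1: two-byte value inline (TV form)
            atype, value = atype & 0x7FFF, aval
        else:                              # AF=0: aval is the length of a following value (TLV)
            if pos + aval > end:
                raise ValueError("attribute value overruns payload")
            raw, pos = pkt[pos:pos + aval], pos + aval
            if atype in IPV4_ATTRS and aval == 4:
                value = str(ipaddress.IPv4Address(raw))
            elif atype == 5 and aval == 4:
                value = struct.unpack("!I", raw)[0]          # expiry in seconds
            elif atype == 7:
                value = raw.decode("ascii", "replace")
            else:
                value = raw.hex()
        attrs.append((ATTR_NAMES.get(atype, "attr_%d" % atype), value))
    return {"cfg_type": CFG_TYPES.get(cfg_type, str(cfg_type)), "identifier": ident,
            "attributes": attrs}, nxt, plen


def classify(pkt):
    """Header summary plus any Mode Config payloads that are readable in the clear."""
    info = parse_header(pkt)
    if info["encrypted"]:
        info["note"] = "payloads encrypted under the ISAKMP SA; header only"
        return info
    nxt, pos, modecfg = info["next_payload"], ISAKMP_HDR_LEN, []
    while nxt != 0 and pos + 4 <= len(pkt):      # walk the generic payload chain
        if nxt == NEXT_ATTR:
            decoded, nxt, plen = parse_attributes(pkt, pos)
            modecfg.append(decoded)
        else:
            nxt, _res, plen = struct.unpack_from("!BBH", pkt, pos)
        if plen < 4:
            raise ValueError("bad payload length")
        pos += plen
    info["modecfg"] = modecfg
    return info


# --- constructed sample packets (not captures from a Nortel CES) -------------
def build(nxt, xchg, flags, msgid, body, icookie=b"\x01" * 8, rcookie=b"\x02" * 8):
    return ISAKMP_HDR.pack(icookie, rcookie, nxt, 0x10, xchg, flags, msgid,
                           ISAKMP_HDR_LEN + len(body)) + body


def _attr_tlv(atype, raw):
    return struct.pack("!HH", atype, len(raw)) + raw


_cfg_body = (struct.pack("!BBH", 2, 0, 0x0102)                      # CFG_REPLY, reserved, identifier
             + _attr_tlv(1, ipaddress.IPv4Address("130.42.160.12").packed)
             + _attr_tlv(2, ipaddress.IPv4Address("255.255.252.0").packed)
             + _attr_tlv(5, struct.pack("!I", 3600)))
_cfg_payload = struct.pack("!BBH", 0, 0, 4 + len(_cfg_body)) + _cfg_body

SAMPLES = {
    "main_mode": build(1, 2, 0, 0, struct.pack("!BBH", 0, 0, 12) + b"\x00" * 8),  # SA payload stub
    "quick_mode": build(8, 32, FLAG_ENCRYPTION, 0x12345678, b"\xaa" * 24),      # encrypted, HASH first
    "modecfg_reply": build(NEXT_ATTR, 6, 0, 0xABCD0001, _cfg_payload),          # clear-text for demo
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

In a real trace you would feed `classify()` the UDP payload of each port 500 datagram and look for a type-6 exchange with a fresh message ID after phase 1 completes; if the gateway instead pushes the address some other way, no Transaction exchange will appear and the answer is in the quick mode proposal.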
