[Openswan Users] Nortel Mode-Config Interop

Ken Bantoft ken at xelerance.com
Wed May 19 05:07:46 CEST 2004


On Tue, 18 May 2004, David Mattes wrote:

> Hi,
> 
> I'm implementing OpenS/WAN Mode-Config client support for obtaining a 
> private IP address (and netmask, DNS) from a Nortel CES.  When I connect 
> with the Netlock client, an aggressive mode exchange (3 packets total) 
> is used to build the ISAKMP SA, then the Nortel box starts a Mode Config 
> Transaction exchange (these packets are encrypted by the ISAKMP SA, so I 
> can't see the content), and there are several of these.  Of course with 
> OpenS/WAN the ISAKMP SA is built using main mode exchanges, and once the 
> ISAKMP SA is built I never receive a Mode Config Transaction message 
> from the Nortel box.  So I tried building and sending a Mode Config 
> ISAKMP_CFG_REQUEST payload to the Nortel box, but I'm not getting 
> anything sensible in the reply.
> 
> Does anyone know how to get the Nortel box to initiate the Mode Config 
> Transaction?  Could it be that Nortel is expecting a particular VID from 
> a supported client (I will send this as part of the main mode exchange 
> to see if it helps)?  Maybe the Nortel will only initiate Mode Config 
> under an aggressive mode exchange?  Would my leftsubnet= setting have 
> any effect (must it be set to the target network from which the dynamic 
> address comes)?

tcpdump/ethereal a negotiation from the Nortel client itself to the
Contivity.  You will need to send XAUTH Vendor IDs IIRC, and perhaps one
or two others - a tcpdump would show these.

Also, perhaps try with SSH Sentinel and/or SafeNet to see if they respect
the ModeConfig attributes.


-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson
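
An added example, not part of the original thread or of Openswan: one way to list the Vendor ID payloads in a captured cleartext ISAKMP message (the UDP/500 payload of the first main mode or aggressive mode packet), so the VIDs sent by two clients can be compared. The sample message and `MADE_UP_VID` are constructed for illustration; the header layout and payload type 13 follow RFC 2408, and the XAUTH value is the Vendor ID from the XAUTH draft.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 header, 28 bytes
PAYLOAD_HDR = struct.Struct("!BxH")        # next payload, reserved, length
VENDOR_ID = 13                             # RFC 2408 payload type
EXCHANGES = {2: "main", 4: "aggressive", 6: "transaction"}
XAUTH_VID = bytes.fromhex("09002689dfd6b712")  # XAUTH draft Vendor ID
MADE_UP_VID = bytes.fromhex("deadbeef00112233")  # constructed, not a real VID

def vendor_ids(datagram):
    """Return (exchange name, [VID bytes]) for one cleartext ISAKMP message."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _, _, nxt, _, xchg, flags, _, end = ISAKMP_HDR.unpack_from(datagram)
    if flags & 0x01:
        raise ValueError("encrypted message: payloads are not readable")
    if end > len(datagram):
        raise ValueError("capture is truncated")
    off, vids = ISAKMP_HDR.size, []
    while nxt != 0:  # walk the next-payload chain
        if off + PAYLOAD_HDR.size > end:
            raise ValueError("payload chain runs past end of message")
        following, plen = PAYLOAD_HDR.unpack_from(datagram, off)
        if plen < PAYLOAD_HDR.size or off + plen > end:
            raise ValueError("bad payload length")
        if nxt == VENDOR_ID:
            vids.append(datagram[off + PAYLOAD_HDR.size:off + plen])
        nxt, off = following, off + plen
    return EXCHANGES.get(xchg, str(xchg)), vids

def sample_message(flags=0):
    """Constructed main mode first message: filler SA body, then two VIDs."""
    def payload(next_type, body):
        return PAYLOAD_HDR.pack(next_type, PAYLOAD_HDR.size + len(body)) + body
    body = (payload(VENDOR_ID, b"\x00" * 8)      # SA payload (type 1), filler
            + payload(VENDOR_ID, XAUTH_VID)
            + payload(0, MADE_UP_VID))
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, flags, 0,
                           ISAKMP_HDR.size + len(body)) + body

if __name__ == "__main__":
    exchange, vids = vendor_ids(sample_message())
    for vid in vids:
        print(exchange, vid.hex(), "XAUTH" if vid == XAUTH_VID else "unknown")
```

Messages with the encryption flag set, such as the Mode Config Transaction exchange that follows the ISAKMP SA, are rejected rather than parsed.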



