[Openswan Users] Nortel Mode-Config Interop
Ken Bantoft
ken at xelerance.com
Wed May 19 05:07:46 CEST 2004
On Tue, 18 May 2004, David Mattes wrote:
> Hi,
>
> I'm implementing OpenS/WAN Mode-Config client support for obtaining a
> private IP address (and netmask, DNS) from a Nortel CES. When I connect
> with the Netlock client, an aggressive mode exchange (3 packets total)
> is used to build the ISAKMP SA, then the Nortel box starts a Mode Config
> Transaction exchange (these packets are encrypted by the ISAKMP SA, so I
> can't see the content), and there are several of these. Of course with
> OpenS/WAN the ISAKMP SA is built using main mode exchanges, and once the
> ISAKMP SA is built I never receive a Mode Config Transaction message
> from the Nortel box. So I tried building and sending a Mode Config
> ISAKMP_CFG_REQUEST payload to the Nortel box, but I'm not getting
> anything sensible in the reply.
>
> Does anyone know how to get the Nortel box to initiate the Mode Config
> Transaction? Could it be that Nortel is expecting a particular VID from
> a supported client (I will send this as part of the main mode exchange
> to see if it helps)? Maybe the Nortel will only initiate Mode Config
> under an aggressive mode exchange? Would my leftsubnet= setting have
> any effect (must it be set to the target network from which the dynamic
> address comes from)?

tcpdump/ethereal a negotiation from the Nortel client itself to the
Contivity. You will need to send XAUTH Vendor IDs IIRC, and perhaps one
or two others - a tcpdump would show these.

Also, perhaps try with SSH Sentinel and/or SafeNet to see if they respect
the ModeConfig attributes.

--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson
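
The capture check suggested in the reply above, as an added example that is not part of the original messages or of Openswan's code: it walks the cleartext payload chain of an IKEv1 packet (the UDP port 500 payload) and lists the Vendor ID payloads, and it reports when the encryption flag is set, as on the Mode Config transaction packets. The function names and the sample packet are constructed for illustration; the XAUTH value is the commonly published Vendor ID.

```python
import struct

# ISAKMP numbers from RFC 2408; 6 is the Transaction exchange used by Mode Config.
VENDOR_ID = 13
EXCHANGES = {2: "main mode", 4: "aggressive mode", 6: "transaction (Mode Config)"}
# Commonly published XAUTH Vendor ID (derived from draft-ietf-ipsec-isakmp-xauth-06).
KNOWN_VIDS = {bytes.fromhex("09002689dfd6b712"): "XAUTH"}

def parse_isakmp(pkt: bytes):
    """Return (exchange name, encrypted flag, list of Vendor ID bodies)."""
    if len(pkt) < 28:
        raise ValueError("shorter than an ISAKMP header")
    next_payload, _ver, xchg, flags, _msgid, total = struct.unpack("!BBBBII", pkt[16:28])
    if total > len(pkt):
        raise ValueError("length field exceeds captured bytes")
    name = EXCHANGES.get(xchg, f"exchange {xchg}")
    if flags & 0x01:  # encryption bit set: the payload chain is ciphertext
        return name, True, []
    vids, off = [], 28
    while next_payload != 0:
        if off + 4 > total:
            raise ValueError("truncated payload header")
        following, _rsv, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > total:
            raise ValueError("bad payload length")
        if next_payload == VENDOR_ID:
            vids.append(pkt[off + 4:off + plen])
        next_payload, off = following, off + plen
    return name, False, vids

def label(vid: bytes) -> str:
    return KNOWN_VIDS.get(vid, "unknown " + vid.hex())

def build(xchg, flags, payloads):
    """Constructed test input: chain (type, body) payloads under an ISAKMP header."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = b"\x11" * 8 + b"\x00" * 8 + struct.pack("!BBBBII", first, 0x10, xchg, flags, 0, 28 + len(body))
    return hdr + body

# Constructed sample: aggressive-mode first packet with a dummy SA body and two VIDs.
SAMPLE = build(4, 0, [(1, b"\x00" * 8), (13, bytes.fromhex("09002689dfd6b712")), (13, b"\xaa" * 16)])

if __name__ == "__main__":
    name, enc, vids = parse_isakmp(SAMPLE)
    print(name, [label(v) for v in vids])
```

Running it over the first packet from each client side by side shows which Vendor IDs the working client sends that the other does not.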