[Openswan Users] Nortel Mode-Config Interop

Ken Bantoft ken at xelerance.com
Wed May 19 07:22:58 CEST 2004


I did some more thinking about this.

On Tue, 18 May 2004, David Mattes wrote:

> Hi,
> 
> I'm implementing OpenS/WAN Mode-Config client support for obtaining a 
> private IP address (and netmask, DNS) from a Nortel CES.  When I connect 
> with the Netlock client, an aggressive mode exchange (3 packets total) 
> is used to build the ISAKMP SA, then the Nortel box starts a Mode Config 
> Transaction exchange (these packets are encrypted by the ISAKMP SA, so I 
> can't see the content), and there are several of these.  Of course with 
> OpenS/WAN the ISAKMP SA is built using main mode exchanges, and once the 
> ISAKMP SA is built I never receive a Mode Config Transaction message 
> from the Nortel box.  So I tried building and sending a Mode Config 
> ISAKMP_CFG_REQUEST payload to the Nortel box, but I'm not getting 
> anything sensible in the reply.
> 
> Does anyone know how to get the Nortel box to initiate the Mode Config 
> Transaction?  Could it be that Nortel is expecting a particular VID from 
> a supported client (I will send this as part of the main mode exchange 
> to see if it helps)?  Maybe the Nortel will only initiate Mode Config 
> under an aggressive mode exchange? 

That's a possibility... difficult to confirm unless you get Netlock or
Windows-based Nortel client to do mainmode.

> Would my leftsubnet= setting have any effect (must it be set to the
> target network from which the dynamic address comes from)?

Might need to use leftsubnetwithin=192.168.0.0/24 instead.  Or maybe not 
even one at all.

> This is my pluto debug (only where it gets interesting - once the ISAKMP SA is built):
> ------------------------------------------------
> May 18 15:48:25 gandalf pluto[26265]: | authentication succeeded
> May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> May 18 15:48:25 gandalf pluto[26265]: | inserting event EVENT_SA_REPLACE, timeout in 2681 seconds for #1
> May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: ISAKMP SA established
> May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: Checking Mode Config situation
> May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: Kicking off Mode Config state R0
> May 18 15:48:25 gandalf pluto[26265]: | MODECFG: Moving from STATE_MAIN_I3 to STATE_MAIN_I4
> May 18 15:48:25 gandalf pluto[26265]: | **emit ISAKMP Message:
> May 18 15:48:25 gandalf pluto[26265]: |    initiator cookie:
> May 18 15:48:25 gandalf pluto[26265]: |   f0 80 a5 06  ee 66 db 12
> May 18 15:48:25 gandalf pluto[26265]: |    responder cookie:
> May 18 15:48:25 gandalf pluto[26265]: |   d5 00 28 6e  42 35 ef 32
> May 18 15:48:25 gandalf pluto[26265]: |    next payload type: ISAKMP_NEXT_HASH
> May 18 15:48:25 gandalf pluto[26265]: |    ISAKMP version: ISAKMP Version 1.0
> May 18 15:48:25 gandalf pluto[26265]: |    exchange type: ISAKMP_XCHG_MODE_CFG
> May 18 15:48:25 gandalf pluto[26265]: |    flags: ISAKMP_FLAG_ENCRYPTION
> May 18 15:48:25 gandalf pluto[26265]: |    message ID:  cc a4 82 83
> May 18 15:48:25 gandalf pluto[26265]: | ***emit ISAKMP Hash Payload:
> May 18 15:48:25 gandalf pluto[26265]: |    next payload type: ISAKMP_NEXT_MODECFG
> May 18 15:48:25 gandalf pluto[26265]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload
> May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP Hash Payload: 24
> May 18 15:48:25 gandalf pluto[26265]: | ***emit ISAKMP Mode Attribute:
> May 18 15:48:25 gandalf pluto[26265]: |    next payload type: ISAKMP_NEXT_NONE
> May 18 15:48:25 gandalf pluto[26265]: |    Attr Msg Type: ISAKMP_CFG_REQUEST
> May 18 15:48:25 gandalf pluto[26265]: |    Identifier: 0
> May 18 15:48:25 gandalf pluto[26265]: | ****emit ISAKMP ModeCfg attribute:
> May 18 15:48:25 gandalf pluto[26265]: |    ModeCfg attr type: INTERNAL_IP4_ADDRESS
> May 18 15:48:25 gandalf pluto[26265]: |    length/value: 0
> May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP ModeCfg attribute: 0
> May 18 15:48:25 gandalf pluto[26265]: | ****emit ISAKMP ModeCfg attribute:
> May 18 15:48:25 gandalf pluto[26265]: |    ModeCfg attr type: INTERNAL_IP4_NETMASK
> May 18 15:48:25 gandalf pluto[26265]: |    length/value: 0
> May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP ModeCfg attribute: 0
> May 18 15:48:25 gandalf pluto[26265]: | ****emit ISAKMP ModeCfg attribute:
> May 18 15:48:25 gandalf pluto[26265]: |    ModeCfg attr type: INTERNAL_IP4_DNS
> May 18 15:48:25 gandalf pluto[26265]: |    length/value: 0
> May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP ModeCfg attribute: 0
> May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP Mode Attribute: 20
> May 18 15:48:25 gandalf pluto[26265]: | XAUTH: HASH computed:
> May 18 15:48:25 gandalf pluto[26265]: |   1d 70 8d 2e  a3 6d 89 8a  88 34 20 c6  cb a2 a5 25
> May 18 15:48:25 gandalf pluto[26265]: |   6f 67 8e cd
> May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP Message: 72
> May 18 15:48:25 gandalf pluto[26265]: | last Phase 1 IV:  60 a5 c6 1c  22 89 34 d3
> May 18 15:48:25 gandalf pluto[26265]: | computed Phase 2 IV:
> May 18 15:48:25 gandalf pluto[26265]: |   7c f3 86 e0  d8 a9 94 c3  5b 9b 8d 4e  58 1c f0 7a
> May 18 15:48:25 gandalf pluto[26265]: |   89 d1 b2 9e
> May 18 15:48:25 gandalf pluto[26265]: | encrypting:
> May 18 15:48:25 gandalf pluto[26265]: |   0e 00 00 18  1d 70 8d 2e  a3 6d 89 8a  88 34 20 c6
> May 18 15:48:25 gandalf pluto[26265]: |   cb a2 a5 25  6f 67 8e cd  00 00 00 14  01 00 00 00
> May 18 15:48:25 gandalf pluto[26265]: |   00 01 00 00  00 02 00 00  00 03 00 00
> May 18 15:48:25 gandalf pluto[26265]: | emitting 4 zero bytes of encryption padding into ISAKMP Message
> May 18 15:48:25 gandalf pluto[26265]: | encrypting using OAKLEY_3DES_CBC
> May 18 15:48:25 gandalf pluto[26265]: | next IV:  b9 3f 47 85  5c 51 3e 14
> May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP Message: 76
> May 18 15:48:25 gandalf pluto[26265]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: Sending ModeCfg request
> May 18 15:48:25 gandalf pluto[26265]: | sending 76 bytes for ModeCfg: request through eth2 to 130.42.72.249:500:
> May 18 15:48:25 gandalf pluto[26265]: |   f0 80 a5 06  ee 66 db 12  d5 00 28 6e  42 35 ef 32
> May 18 15:48:25 gandalf pluto[26265]: |   08 10 06 01  cc a4 82 83  00 00 00 4c  56 18 cb 3c
> May 18 15:48:25 gandalf pluto[26265]: |   03 90 12 e3  de 9d 05 c3  91 24 d7 ce  35 18 14 94
> May 18 15:48:25 gandalf pluto[26265]: |   9a 77 50 d3  45 35 15 9a  54 2c 01 13  22 be 37 c7
> May 18 15:48:25 gandalf pluto[26265]: |   5b 57 5f 06  b9 3f 47 85  5c 51 3e 14
> May 18 15:48:25 gandalf pluto[26265]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> May 18 15:48:25 gandalf pluto[26265]: |
> May 18 15:48:25 gandalf pluto[26265]: | *received 40 bytes from 130.42.72.249:500 on eth2
> May 18 15:48:25 gandalf pluto[26265]: |   f0 80 a5 06  ee 66 db 12  d5 00 28 6e  42 35 ef 32
> May 18 15:48:25 gandalf pluto[26265]: |   0b 10 05 00  cc a4 82 83  00 00 00 28  00 00 00 0c
> May 18 15:48:25 gandalf pluto[26265]: |   00 00 00 01  01 00 01 00
> May 18 15:48:25 gandalf pluto[26265]: | **parse ISAKMP Message:
> May 18 15:48:25 gandalf pluto[26265]: |    initiator cookie:
> May 18 15:48:25 gandalf pluto[26265]: |   f0 80 a5 06  ee 66 db 12
> May 18 15:48:25 gandalf pluto[26265]: |    responder cookie:
> May 18 15:48:25 gandalf pluto[26265]: |   d5 00 28 6e  42 35 ef 32
> May 18 15:48:25 gandalf pluto[26265]: |    next payload type: ISAKMP_NEXT_N
> May 18 15:48:25 gandalf pluto[26265]: |    ISAKMP version: ISAKMP Version 1.0
> May 18 15:48:25 gandalf pluto[26265]: |    exchange type: ISAKMP_XCHG_INFO
> May 18 15:48:25 gandalf pluto[26265]: |    flags: none
> May 18 15:48:25 gandalf pluto[26265]: |    message ID:  cc a4 82 83
> May 18 15:48:25 gandalf pluto[26265]: |    length: 40
> May 18 15:48:25 gandalf pluto[26265]: | ICOOKIE:  f0 80 a5 06  ee 66 db 12
> May 18 15:48:25 gandalf pluto[26265]: | RCOOKIE:  d5 00 28 6e  42 35 ef 32
> May 18 15:48:25 gandalf pluto[26265]: | peer:  82 2a 48 f9
> May 18 15:48:25 gandalf pluto[26265]: | state hash entry 12
> May 18 15:48:25 gandalf pluto[26265]: | peer and cookies match on #1, provided msgid 00000000 vs cca48283
> May 18 15:48:25 gandalf pluto[26265]: | state object #1 found, in STATE_MODE_CFG_R0
> May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: Notify Message Type of ISAKMP Notification Payload has an unknown value: 256
> May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: malformed payload in packet

256 seems like an odd number.  The registry[1] isn't helpful in figuring 
out what it means either.

ietf_constants.h defines 0-30, and a few others from various RFC/drafts 
(we have more defined than the registry does).

I would assume since it's >255, it's an error of some kind, but not sure 
what it points to.


[1] http://www.iana.org/assignments/isakmp-registry

-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson
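To make the exchange in the log above concrete, here is a small decoder for the two messages it shows: the plaintext HASH + Mode Attribute payloads pluto built for its ISAKMP_CFG_REQUEST (the bytes under "encrypting:"), and the 40-byte plaintext Informational reply received from the Nortel box. This is an added example, not Openswan/pluto code; the byte strings are copied from the hex dumps in the post, the payload/exchange numbers and the Notify type ranges are taken from RFC 2408 and the ISAKMP Mode Config draft, and the function names are my own.

```python
"""Decoder for the two ISAKMP messages in the pluto trace above.

Added example, not Openswan/pluto code. Byte strings are the hex dumps
from the debug log; name tables are hard-coded from RFC 2408 and the
ISAKMP Mode Config draft.
"""
import struct

PAYLOAD_NAMES = {0: "NONE", 8: "HASH", 11: "NOTIFY", 14: "ATTRIBUTE"}
EXCHANGE_NAMES = {2: "MAIN", 4: "AGGRESSIVE", 5: "INFORMATIONAL", 6: "MODE_CFG"}
ATTR_MSG_TYPES = {1: "ISAKMP_CFG_REQUEST", 2: "ISAKMP_CFG_REPLY",
                  3: "ISAKMP_CFG_SET", 4: "ISAKMP_CFG_ACK"}
MODECFG_ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
                 3: "INTERNAL_IP4_DNS"}

# Copied from "encrypting:" in the log: the HASH + Mode Attribute payloads
# pluto built, before 3DES-CBC padding/encryption (44 bytes).
SENT_PLAINTEXT = bytes.fromhex(
    "0e 00 00 18  1d 70 8d 2e  a3 6d 89 8a  88 34 20 c6 "
    "cb a2 a5 25  6f 67 8e cd  00 00 00 14  01 00 00 00 "
    "00 01 00 00  00 02 00 00  00 03 00 00 "
)
# Copied from "*received 40 bytes from 130.42.72.249:500" in the log.
RECEIVED = bytes.fromhex(
    "f0 80 a5 06  ee 66 db 12  d5 00 28 6e  42 35 ef 32 "
    "0b 10 05 00  cc a4 82 83  00 00 00 28  00 00 00 0c "
    "00 00 00 01  01 00 01 00 "
)


def classify_notify(ntype):
    """Place a Notify Message Type in the RFC 2408 section 3.14.1 ranges."""
    if 1 <= ntype <= 30:
        return "error (ISAKMP-defined)"
    if 31 <= ntype <= 8191:
        return "error range, RESERVED (future use)"
    if 8192 <= ntype <= 16383:
        return "error range, private use"
    if ntype == 16384:
        return "status CONNECTED"
    if 16385 <= ntype <= 24575:
        return "status range, RESERVED (future use)"
    if 24576 <= ntype <= 32767:
        return "status range, DOI-specific"
    if 32768 <= ntype <= 40959:
        return "status range, private use"
    return "RESERVED"


def parse_header(data):
    """Parse the fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    icookie, rcookie, np, ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBB4sI", data[:28])
    return {
        "icookie": icookie.hex(), "rcookie": rcookie.hex(),
        "next_payload": np, "version": f"{ver >> 4}.{ver & 0xf}",
        "exchange": EXCHANGE_NAMES.get(xchg, str(xchg)),
        "encrypted": bool(flags & 0x01),  # ISAKMP_FLAG_ENCRYPTION
        "msgid": msgid.hex(), "length": length,
    }


def parse_payloads(data, first_type):
    """Walk the generic payload chain, decoding HASH, NOTIFY and ATTRIBUTE."""
    payloads, ptype, off = [], first_type, 0
    while ptype != 0 and off + 4 <= len(data):
        next_type, _reserved, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("malformed payload length %d" % plen)
        body = data[off + 4:off + plen]
        p = {"type": PAYLOAD_NAMES.get(ptype, str(ptype)), "length": plen}
        if ptype == 8:
            p["hash"] = body.hex()
        elif ptype == 11:
            doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
            p.update(doi=doi, protocol_id=proto, spi_size=spi_size,
                     notify_type=ntype, notify_class=classify_notify(ntype))
        elif ptype == 14:
            msg_type, _r, ident = struct.unpack("!BBH", body[:4])
            attrs, a = [], 4
            while a + 4 <= len(body):
                atype, alen = struct.unpack("!HH", body[a:a + 4])
                name = MODECFG_ATTRS.get(atype & 0x7fff, atype & 0x7fff)
                if atype & 0x8000:          # TV form: value lives in the length field
                    attrs.append((name, alen))
                    a += 4
                else:                       # TLV form: length 0 means "please assign"
                    attrs.append((name, body[a + 4:a + 4 + alen]))
                    a += 4 + alen
            p.update(msg_type=ATTR_MSG_TYPES.get(msg_type, msg_type),
                     identifier=ident, attributes=attrs)
        payloads.append(p)
        off, ptype = off + plen, next_type
    return payloads


def decode_sent_request():
    """The encrypted body starts with the HASH payload (header next payload 8)."""
    return parse_payloads(SENT_PLAINTEXT, 8)


def decode_received():
    hdr = parse_header(RECEIVED)
    return hdr, parse_payloads(RECEIVED[28:hdr["length"]], hdr["next_payload"])


if __name__ == "__main__":
    print("sent:", decode_sent_request())
    print("received:", decode_received())
```

Decoding the reply shows why pluto gave up: it is an unencrypted Informational exchange (flags 0) that reuses the request's message ID and carries a single Notify payload with DOI 1, protocol ISAKMP, SPI size 0 and type 256, which falls in the RFC 2408 "reserved for future use" part of the error range rather than any assigned code. Because the packet is not under the ISAKMP SA's encryption, nothing in it is authenticated, so treating it as malformed and keeping the retransmit timer is the safe failure mode.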



