[Openswan Users] connecting as a client to Nortel Contivity switch
Ken Bantoft
ken at xelerance.com
Fri Oct 1 04:45:27 CEST 2004
On Wed, 29 Sep 2004, Paul Wouters wrote:
> On Tue, 28 Sep 2004, Steve Maring wrote:
>
> > I'd like to use OpenSwan to connect to a Nortel Contivity switch that uses
> > a group id / password, user id, pin, and an RSA SecurID token. I do NOT
> > have access to the Contivity switch itself.
> >
> > I've tried fruitlessly to prepend a new ip table in front of NetFilters
> > main ip table while using the Nortel Contivity Netlock Client and have
> > turned to OpenSwan as a vestige of hope.
> >
> > Can anyone confirm as to whether the most recent OpenSwan is capable of
> > acting in this capacity?
>
> AFAIK, Nortel uses proprietary extensions. Openswan does not support those.
>
> Paul
I'll confirm this - I did interop with the Contivity a year ago.
Currently, the parts missing from Openswan to do this are:
1. Aggressive Mode Client support. Note that Openswan-1 has this, but 2.x
doesn't - it's considered insecure, and trivial to DoS attack.
2. UserID/PIN/SecurID. This is part of XAUTH Client support, but only
Username/Password support has been written so far. We'd need someone
w/access to SecurID hardware + software to sponsor this functionality.
3. Complete IKE Mode Config - this assigns IP, DNS, WINS to the client
side. Some of this code is present, but not tested. Some of it isn't -
e.g. managing /etc/resolv.conf
Note: Even if 1,2,3 were solved, the Contivity uses proprietary
extensions to push policy down to the client side. Even if you make the
client ignore it, there's a setting on the Contivity for 'Allow only
Nortel Clients' to connect, which if your Contivity Admins are paranoid is
probably enabled too :(
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson
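Item 3 above mentions that the client-side handling of IKE Mode Config, in particular rewriting /etc/resolv.conf with the DNS servers and domain pushed by the gateway, was present but untested. The following is an added illustration (not Openswan code, and not from this thread) of what a careful client-side implementation of that step looks like: the pushed values are treated as untrusted input from the peer and validated before they touch the resolver configuration, the original file contents are preserved, and the managed block can be removed cleanly when the tunnel goes down. The attribute names and all sample values are constructed for the example; the marker lines are a hypothetical convention.

```python
import re
from typing import Dict, List, Union

# Constructed sample of the attributes an IKE Mode Config reply carries
# (addresses and domain are made up for this example).
SAMPLE_MODECFG: Dict[str, Union[str, List[str]]] = {
    "INTERNAL_IP4_ADDRESS": "10.8.0.23",
    "INTERNAL_IP4_DNS": ["10.8.0.2", "10.8.0.3"],
    "INTERNAL_IP4_NBNS": ["10.8.0.4"],  # WINS; irrelevant to resolv.conf
    "DOMAIN": "corp.example",
}

# Constructed pre-tunnel resolver configuration.
ORIGINAL_RESOLV_CONF = "nameserver 192.168.1.1\nsearch home.lan\n"

# Hypothetical marker lines delimiting the block the client owns.
BEGIN_MARKER = "# BEGIN openswan-modecfg (managed block)"
END_MARKER = "# END openswan-modecfg (managed block)"

_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
                   r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")
_DOMAIN = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?"
                     r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?)*$")


def render_resolv_conf(attrs: Dict[str, Union[str, List[str]]],
                       original: str) -> str:
    """Return new resolv.conf text: a validated managed block followed by
    the untouched original contents.

    Raises ValueError if the peer pushed anything that is not a plain
    dotted-quad address or a syntactically valid domain name, so that a
    gateway cannot inject arbitrary resolver directives or comment tricks.
    """
    dns = attrs.get("INTERNAL_IP4_DNS", [])
    if isinstance(dns, str):
        dns = [dns]
    bad = [d for d in dns if not _IPV4.match(d)]
    if bad:
        raise ValueError(f"rejected non-IPv4 DNS attribute(s): {bad}")

    lines = [BEGIN_MARKER]
    # glibc consults at most three nameservers; keep the first three.
    for server in dns[:3]:
        lines.append(f"nameserver {server}")

    domain = attrs.get("DOMAIN")
    if domain:
        if not isinstance(domain, str) or not _DOMAIN.match(domain):
            raise ValueError(f"rejected malformed DOMAIN attribute: {domain!r}")
        lines.append(f"search {domain}")
    lines.append(END_MARKER)

    return "\n".join(lines) + "\n" + original


def restore_resolv_conf(current: str) -> str:
    """Strip the managed block, returning the pre-tunnel configuration."""
    kept = []
    inside = False
    for line in current.splitlines():
        if line == BEGIN_MARKER:
            inside = True
            continue
        if line == END_MARKER:
            inside = False
            continue
        if not inside:
            kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    rendered = render_resolv_conf(SAMPLE_MODECFG, ORIGINAL_RESOLV_CONF)
    print(rendered)
    print(restore_resolv_conf(rendered))
```

A real client would additionally take a lock on the file and write atomically (temp file plus rename) so a crash mid-tunnel-setup cannot leave the host without a resolver configuration.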