[Openswan Users] connecting as a client to Nortel Contivity switch

Ken Bantoft ken at xelerance.com
Fri Oct 1 04:45:27 CEST 2004

On Wed, 29 Sep 2004, Paul Wouters wrote:

> On Tue, 28 Sep 2004, Steve Maring wrote:
> > I'd like to use OpenSwan to connect to a Nortel Contivity switch that uses 
> > a group id / password, user id, pin, and an RSA SecurID token.  I do NOT 
> > have access to the Contivity switch itself.
> >
> > I've tried fruitlessly to prepend a new ip table in front of NetFilters 
> > main ip table while using the Nortel Contivity Netlock Client and have 
> > turned to OpenSwan as a vestige of hope.
> >
> > Can anyone confirm as to whether the most recent OpenSwan is capable of 
> > acting in this capacity?
> AFAIK, Nortel uses proprietary extensions. Openswan does not support those.
> Paul

I'll confirm this - I did interop with the Contivity a year ago.

Currently, the parts missing from Openswan to do this are:

1. Aggressive Mode Client support.  Note that Openswan-1 has this, but 2.x 
doesn't - it's considered insecure, and trivial to DoS attack.

2. UserID/PIN/SecureID.  This is part of XAUTH Client support, but only
Username/Password support have been written so far.  We'd need someone
w/access to SecureID hardware + software to sponsor this functionality.

3. Complete IKE Mode Config - this assigns IP, DNS, WINS to the client 
side.  Some of this code is present, but not tested.  Some of it isn't - 
eg: managing /etc/resolv.conf

Note: Even if 1,2,3 were solved, the Contivity uses proprietary 
extensions to push policy down to the client side.  Even if you make the 
client ignore it, there's a setting on the Contivity for 'Allow only 
Nortel Clients' to connect, which if your Contivity Admins are paranoid is 
probably enabled too :(

Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson

More information about the Users mailing list