[Openswan Users] Openswan and Nortel Interop Problem
Peter McGill
petermcgill at goco.net
Thu Dec 13 09:32:57 EST 2007
Not exactly. This was never "fixed"; however, I implemented a workaround,
which may or may not work for you. If you have any other questions about
Nortel and Openswan interop, I have a lot of experience with this.
I haven't tested since I implemented the workaround a couple of years ago,
though, so I cannot say for certain the bug still exists. My workaround
continues to work well for me, so that was good enough.
Since the connection was good for the first few hours until it needed to rekey,
and since I only needed the connection working during office hours (approx. 8-5),
I set the rekey timeout on both switches to 12 hours and wrote a script to
manually reset the connection every morning at 7. This essentially gives me
reliable service from 7am to 6pm Mon-Fri. Details follow:
ipsec version: (This is what I'm currently running, but 2.4.6 should be fine too.)
Linux Openswan 2.4.7 (klips)
ipsec.conf:
version 2.0
config setup
    interfaces=%defaultroute
    uniqueids=yes
conn sunoco-172-16-19-net-to-london-office-net
    left=<my openswan internet ip>
    leftnexthop=%defaultroute
    leftsubnet=172.21.0.0/16
    alsoflip=sunoco-toronto
    rightsubnet=172.16.0.0/14
    auto=start
conn sunoco-172-26-net-to-london-office-net
    left=<my openswan internet ip>
    leftnexthop=%defaultroute
    leftsubnet=172.21.0.0/16
    alsoflip=sunoco-toronto
    rightsubnet=172.26.0.0/16
    auto=start
conn sunoco-192-168-net-to-london-office-net
    left=<my openswan internet ip>
    leftnexthop=%defaultroute
    leftsubnet=172.21.0.0/16
    alsoflip=sunoco-toronto
    rightsubnet=192.168.0.0/16
    auto=start
conn sunoco-toronto
    left=<sunoco nortel internet ip>
    leftnexthop=%defaultroute
    also=sunoco
conn sunoco
    keyexchange=ike
    aggrmode=no
    auth=esp
    ike=3des-md5-modp1024
    esp=3des-md5
    pfs=yes
    compress=yes
    ikelifetime=12.0h # 1.0h
    keylife=12.0h # 8.0h
    rekey=yes
    keyingtries=%forever
    rekeymargin=9m
    rekeyfuzz=100%
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart # hold
    authby=secret
crontab -l:
# Reset Sunoco Connection at 7:00 every weekday:
0 7 * * 1-5 /root/sunoco-reset > /dev/null 2>&1
/root/sunoco-reset:
#!/bin/bash
# Tear down and re-establish the three Sunoco connections.
# Optional arguments:
#   --debug    turn on control/lifecycle debugging for the connections
#   --replace  reread secrets and reload the conn definitions before --up
# Change the following line to your ipsec executable location.
IPSEC=/usr/local/sbin/ipsec
$IPSEC auto --down sunoco-192-168-net-to-london-office-net
$IPSEC auto --down sunoco-172-26-net-to-london-office-net
$IPSEC auto --down sunoco-172-16-19-net-to-london-office-net
while [ "$1" != "" ]
do
    if [ "$1" = "--debug" ]
    then
        $IPSEC whack --name sunoco-192-168-net-to-london-office-net --debug-control --debug-lifecycle --label sunoco-live
        $IPSEC whack --name sunoco-172-26-net-to-london-office-net --debug-control --debug-lifecycle --label sunoco-live
        $IPSEC whack --name sunoco-172-16-19-net-to-london-office-net --debug-control --debug-lifecycle --label sunoco-live
    fi
    if [ "$1" = "--replace" ]
    then
        $IPSEC auto --rereadsecrets
        $IPSEC auto --replace sunoco-192-168-net-to-london-office-net
        $IPSEC auto --replace sunoco-172-26-net-to-london-office-net
        $IPSEC auto --replace sunoco-172-16-19-net-to-london-office-net
    fi
    shift
done
$IPSEC auto --up sunoco-192-168-net-to-london-office-net
$IPSEC auto --up sunoco-172-26-net-to-london-office-net
$IPSEC auto --up sunoco-172-16-19-net-to-london-office-net
exit 0
Peter McGill
> -----Original Message-----
> From: Kari Asikainen [mailto:kari.asikainen at protacon.fi]
> Sent: December 13, 2007 4:08 AM
> To: petermcgill at goco.net
> Subject: [Openswan Users] Openswan and Nortel Interop Problem
>
> Hi,
>
> I spotted your message from Aug 23 2006 at:
>
> http://lists.openswan.org/pipermail/users/2006-August/010459.html
>
> Did you ever manage to resolve your problem?
>
> I'm asking because I'm struggling with the exact same issue and it's
> driving me crazy. (Same FW revision on Contivity, though model is 1010,
> Openswan 2.4.6, Linux kernel Debian 2.6.9 (Etch))
>
> Before I take the next step (upgrade kernel and openswan on the firewall
> manually to a newer version) I thought that I'd ask you if you found a
> solution.
>
> Thanks in advance,
>
> -Kari Asikainen
>
> --
> Kari Asikainen
> Protacon Solutions Oy
> tel: +358 10 347 2713
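An added example, not Peter's script and not part of the original thread: the reset script in the post brings the tunnels down and up blind, so anyone scheduling it from cron would want it to confirm that the IPsec SAs actually came back and retry if they did not. The bash below does that by parsing the text of `ipsec auto --status`, where Openswan reports an established phase 2 SA as `STATE_QUICK_I2 (sent QI2, IPsec SA established)` on a line carrying the quoted conn name. The conn names and the ipsec path are taken from the post; RETRIES, SETTLE, the use of logger, and the sample status text are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example, not the script from the post: reset the Sunoco connections,
# then verify from `ipsec auto --status` that each IPsec SA is established,
# retrying a few times before giving up. Invoke with --run to do the reset;
# without arguments it only defines the functions (so it can be sourced).

IPSEC=${IPSEC:-/usr/local/sbin/ipsec}   # same path as the original script
CONNS="sunoco-192-168-net-to-london-office-net
sunoco-172-26-net-to-london-office-net
sunoco-172-16-19-net-to-london-office-net"
RETRIES=3     # assumption: number of --up attempts before giving up
SETTLE=20     # assumption: seconds to let IKE/IPsec negotiate before checking

# sa_established STATUS CONN: true if STATUS (text of `ipsec auto --status`)
# shows an established phase 2 SA for CONN. Openswan prints, for example:
#   000 #2: "conn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); ...
# Matching the quoted name keeps one conn from matching a similarly named one.
sa_established() {
    printf '%s\n' "$1" | grep -F "\"$2\"" | grep -q 'IPsec SA established'
}

# count_established STATUS CONN...: number of the listed conns with an IPsec SA up.
count_established() {
    local status=$1 n=0 c
    shift
    for c in "$@"; do
        if sa_established "$status" "$c"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# reset_conns: same sequence as the original script (--down, then --up), but
# checks the result and retries only the conns that are still missing.
# Returns 0 only when every conn has an established IPsec SA.
reset_conns() {
    local attempt c status="" missing
    for c in $CONNS; do "$IPSEC" auto --down "$c"; done
    for attempt in $(seq 1 "$RETRIES"); do
        for c in $CONNS; do
            if ! sa_established "$status" "$c"; then
                if [ "$attempt" -gt 1 ]; then "$IPSEC" auto --down "$c"; fi
                "$IPSEC" auto --up "$c"
            fi
        done
        sleep "$SETTLE"
        status=$("$IPSEC" auto --status 2>/dev/null)
        missing=0
        for c in $CONNS; do
            if ! sa_established "$status" "$c"; then
                logger -t sunoco-reset "attempt $attempt: $c has no IPsec SA"
                missing=$((missing + 1))
            fi
        done
        if [ "$missing" -eq 0 ]; then
            logger -t sunoco-reset "all connections established"
            return 0
        fi
    done
    logger -t sunoco-reset "giving up after $RETRIES attempts"
    return 1
}

# Constructed sample of `ipsec auto --status` output (not captured from a real
# system): the 192.168 conn is fully up, the 172.26 conn is stuck in phase 2,
# and the 172.16 conn is absent.
SAMPLE_STATUS='000 #1: "sunoco-192-168-net-to-london-office-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 42300s; newest ISAKMP; lastdpd=12s(seq in:0 out:0)
000 #2: "sunoco-192-168-net-to-london-office-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 42600s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "sunoco-172-26-net-to-london-office-net":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 10s; lastdpd=-1s(seq in:0 out:0)'

if [ "${1:-}" = "--run" ]; then
    reset_conns
fi
```

Run it from the same crontab entry with `--run`; with the sample above, `count_established "$SAMPLE_STATUS" $CONNS` reports 1 of the 3 conns up, and `reset_conns` would retry the other two. One caveat about the workaround itself: `keylife=12.0h` means each ESP key protects up to 12 hours of traffic instead of the Openswan default of 8h (the `# 8.0h` and `# 1.0h` comments record the previous values), which is the trade made here for not having to rekey against the Contivity during the day.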