[Openswan Users] site-to-site ipsec contivity 1750 with openswan
Peter McGill
petermcgill at goco.net
Fri May 18 12:40:57 EDT 2007
> -----Original Message-----
> Date: Fri, 18 May 2007 10:19:17 -0300
> From: "Marcos Abadi" <marcosabadi at gmail.com>
> Subject: [Openswan Users] site-to-site ipsec contivity 1750 with
> openswan
> To: users at openswan.org
>
> Does somebody know how to implement a site-to-site IPsec VPN
> connection with a Nortel Contivity 1750 using Openswan?
I have years of experience with Nortel and Openswan, with
multiple versions of each. Things don't change much between the
versions.
For 3DES/Triple DES encryption...
Openswan setup
/etc/ipsec.conf

# One conn per Nortel-side subnet. Both share the Nortel peer definition and
# the IKE/ESP settings, pulled in through alsoflip= and also=.
conn nortel-172-26-net-to-openswan-net
    left=<openswan public ip>
    leftnexthop=%defaultroute
    leftsubnet=172.21.0.0/16
    alsoflip=nortel-switch
    rightsubnet=172.26.0.0/16
    auto=start
conn nortel-192-168-net-to-openswan-net
    left=<openswan public ip>
    leftnexthop=%defaultroute
    leftsubnet=172.21.0.0/16
    alsoflip=nortel-switch
    rightsubnet=192.168.0.0/16
    auto=start
# Nortel end. alsoflip= in the conns above swaps this conn's left/right,
# so the Nortel address ends up as right= in each tunnel.
conn nortel-switch
    left=<nortel public ip>
    leftnexthop=%defaultroute
    also=nortel
# Shared IKE/ESP parameters; these must match the Nortel branch office
# settings listed further down.
conn nortel
    keyexchange=ike
    aggrmode=no
    auth=esp
    ike=3des-md5-modp1024
    esp=3des-md5
    pfs=yes
    compress=yes
    ikelifetime=12.0h # 1.0h
    keylife=12.0h # 8.0h
    authby=secret
To fix a glitch with connection renewals...
This, plus the 12-hour lifetime, keeps the conn running
during office hours, 7am-6pm Mon-Fri.
crontab -e (view with crontab -l)
# Reset nortel Connection at 7:00 every weekday:
0 7 * * 1-5 /root/nortel-reset > /dev/null 2>&1
/root/nortel-reset
#!/bin/bash
# Tear both tunnels down and bring them back up. Run from cron at 7:00 on
# weekdays so the 12-hour SA lifetime covers the working day.
IPSEC=/usr/local/sbin/ipsec
$IPSEC auto --down nortel-192-168-net-to-openswan-net
$IPSEC auto --down nortel-172-26-net-to-openswan-net
$IPSEC auto --up nortel-192-168-net-to-openswan-net
$IPSEC auto --up nortel-172-26-net-to-openswan-net
Nortel setup (Branch office connection)
  Connectivity
    Idle Timeout: 00:00:00
  IPSec
    Encryption
      ESP - Triple DES with MD5 Integrity: Checked/Enabled
      Others: Unchecked/Disabled
    IKE Encryption and Diffie-Hellman Group: Triple DES with Group 2 (1024-bit prime)
    Aggressive Mode ISAKMP Initial Contact Payload: Disabled
    Perfect Forward Secrecy: Enabled
    Compression: Enabled
    Rekey Timeout: 12:00:00 (hours)
    Keepalive (On-demand connections): Disabled
Peter
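The cron job above bounces both tunnels unconditionally, which also drops a tunnel that is working. A variant that only re-establishes a conn when `ipsec auto --status` no longer shows an established IPsec SA for it is given below as an added example; it is not part of Peter's post or of Openswan itself. The status text, the public addresses in it and the `IPSEC_CMD` variable are assumptions made for the example; the "IPsec SA established" wording is what Openswan 2.x prints for a completed quick mode exchange.

```shell
#!/bin/bash
# Added example (not from the original post): bounce a tunnel only when
# `ipsec auto --status` no longer lists an established IPsec SA for it.

# Constructed sample of `ipsec auto --status` output: the 172.26 tunnel has
# an ISAKMP SA and an IPsec SA, the 192.168 tunnel has only its definition
# line and no SA at all. Addresses are documentation ranges, not real hosts.
SAMPLE_STATUS='000 "nortel-172-26-net-to-openswan-net": 172.21.0.0/16===203.0.113.10[+S=C]---203.0.113.1...198.51.100.20[+S=C]===172.26.0.0/16; erouted; eroute owner: #3
000 "nortel-192-168-net-to-openswan-net": 172.21.0.0/16===203.0.113.10[+S=C]---203.0.113.1...198.51.100.20[+S=C]===192.168.0.0/16; unrouted; eroute owner: #0
000 #1: "nortel-172-26-net-to-openswan-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 41234s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: "nortel-172-26-net-to-openswan-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 40112s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate'

# conn_is_up NAME STATUS_TEXT: succeed if NAME has an established IPsec SA.
# The conn name is matched with its surrounding quotes so that one conn name
# being a prefix of another cannot produce a false match. Only the child SA
# counts; an "ISAKMP SA established" line alone means no traffic flows.
conn_is_up() {
    local conn="$1"
    local status="$2"
    printf '%s\n' "$status" | grep -q "\"$conn\":[0-9]*.*IPsec SA established"
}

# bounce_if_down STATUS_TEXT CONN...: down/up every conn that is not up and
# print the names that were bounced, space separated. IPSEC_CMD (assumed
# name) should point at the ipsec binary; it defaults to "echo" so the
# example runs on a machine without Openswan installed.
bounce_if_down() {
    local status="$1"
    shift
    local ipsec="${IPSEC_CMD:-echo}"
    local bounced=""
    local conn
    for conn in "$@"; do
        if ! conn_is_up "$conn" "$status"; then
            $ipsec auto --down "$conn" >/dev/null 2>&1
            $ipsec auto --up "$conn" >/dev/null 2>&1
            bounced="$bounced $conn"
        fi
    done
    echo "${bounced# }"
}

# On the Openswan host this would be called from cron as:
#   IPSEC_CMD=/usr/local/sbin/ipsec
#   bounce_if_down "$($IPSEC_CMD auto --status)" \
#       nortel-192-168-net-to-openswan-net nortel-172-26-net-to-openswan-net
# Against the constructed sample only the 192.168 conn is bounced:
bounce_if_down "$SAMPLE_STATUS" \
    nortel-192-168-net-to-openswan-net nortel-172-26-net-to-openswan-net
```

Because `ipsec auto --down` on a conn that is already down still returns a non-zero status on some Openswan releases, the script deliberately does not use `set -e`; otherwise the `--up` that follows would never run. Keep the conn names distinct enough that the quoted-name match stays unambiguous.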