[Openswan Users] site-to-site ipsec contivity 1750 with openswan
Peter McGill
petermcgill at goco.net
Tue May 22 10:34:27 EDT 2007
Marcos,
On contivity, turn off all encryptions that you're not using, they confuse the nortel,
especially if it's the initiator, although openswan works better as initiator.
i.e.
- ESP - Triple DES with SHA1 Integrity: Disabled
- ESP - Triple DES with MD5 Integrity: Enabled
- ESP - 56-bit DES with SHA1 Integrity: Disabled
- ESP - 56-bit DES with MD5 Integrity: Disabled
- ESP - 40-bit DES with SHA1 Integrity: Disabled
- ESP - 40-bit DES with MD5 Integrity: Disabled
- AH - Authentication Only (HMAC-SHA1): Disabled
- AH - Authentication Only (HMAC-MD5): Disabled
IKE Encryption and Diffie-Hellman Group: Triple DES with Group 2 (1024-bit prime)
Vendor ID: Enabled
Aggressive Mode ISAKMP Initial Contact Payload: Disabled
Perfect Forward Secrecy: Enabled
Compression: Enabled
Rekey Timeout: 08:00:00
The rekey timeout must match the following on openswan, so set these.
ikelifetime=8.0h
keylife=8.0h
You should at least set auto=add as well, this will setup the conn, but not start it.
Please also set klipsdebug=none and plutodebug=none, and send the new connection logs.
Peter McGill
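Peter's checklist above (one ESP proposal, matching IKE proposal, lifetimes equal to the Contivity rekey timeout, auto= set so the conn is actually loaded, debug off) can be checked mechanically. The following linter is an added example, not openswan's or Nortel's code: it parses ipsec.conf the way the openswan parser does (column-0 section headers, indented key=value parameters, also=/alsoflip= expansion), then reports every deviation from the Contivity profile described in this thread. The sample input is Marcos's posted conf trimmed to the relevant lines; the second sample is the same conf with the checklist applied and should lint clean.

```python
"""Lint an openswan ipsec.conf against the Contivity branch-office profile
Peter describes.  Added example, not openswan's or Nortel's code."""
import re

# Contivity side per the thread: one ESP proposal, 3DES/MD5 + DH group 2 for IKE,
# PFS and compression on, rekey timeout 08:00:00.
CONTIVITY = {"rekey_hours": 8.0, "ike": "3des-md5-modp1024", "esp": "3des-md5",
             "pfs": "yes", "compress": "yes"}


def parse_ipsec_conf(text):
    """{section: {key: value}}.  'conn NAME'/'config setup' start at column 0,
    parameters are indented key=value, '#' starts a comment; include is not followed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            words = line.split()
            if words[0] == "conn" and len(words) == 2:
                current = words[1]
            elif words[:2] == ["config", "setup"]:
                current = "setup"
            else:                                   # version / include lines: no section
                current = None
                continue
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def flip_key(key):
    """alsoflip= swaps the ends of the included conn: left* <-> right*."""
    for side, other in (("left", "right"), ("right", "left")):
        if key.startswith(side):
            return other + key[len(side):]
    return key


def resolve(sections, name):
    """Expand also=/alsoflip= the way openswan does: the including conn's own
    settings override what it inherits."""
    own = dict(sections[name])
    merged = {}
    for directive in ("also", "alsoflip"):
        target = own.pop(directive, None)
        if target is not None:
            inherited = resolve(sections, target)
            if directive == "alsoflip":
                inherited = {flip_key(k): v for k, v in inherited.items()}
            merged.update(inherited)
    merged.update(own)
    return merged


def to_hours(value):
    """'8.0h', '28800', '480m' -> hours (unit-less values are seconds)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad time value %r" % value)
    return float(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)] / 3600.0


def lint(text, profile=CONTIVITY):
    """Findings for the setup section and every conn with both ends defined;
    an empty list means the conf matches the Contivity profile."""
    sections, out = parse_ipsec_conf(text), []
    setup = sections.get("setup", {})
    for opt in ("klipsdebug", "plutodebug"):
        if setup.get(opt, "none") != "none":
            out.append("setup: %s=%s; set %s=none, the standard log is enough" % (opt, setup[opt], opt))
    for name in sections:
        if name == "setup":
            continue
        conn = resolve(sections, name)
        if "left" not in conn or "right" not in conn:
            continue                                # also= template or OE stub conn
        if "auto" not in conn:
            out.append("%s: no auto= (default ignore), pluto never loads it; use auto=add or auto=start" % name)
        elif conn["auto"] == "ignore":
            continue
        for opt in ("ikelifetime", "keylife"):
            if opt not in conn or abs(to_hours(conn[opt]) - profile["rekey_hours"]) > 1e-9:
                out.append("%s: %s=%s must equal the Contivity rekey timeout, %.1fh"
                           % (name, opt, conn.get(opt, "<unset>"), profile["rekey_hours"]))
        for opt in ("ike", "esp", "pfs", "compress"):
            if conn.get(opt, "").lower() != profile[opt]:
                out.append("%s: %s=%s; the Contivity is set to %s" % (name, opt, conn.get(opt, "<unset>"), profile[opt]))
    return out


# Marcos's posted conf, trimmed to the relevant lines (taken from this thread).
POSTED = """\
config setup
        interfaces="ipsec0=eth3.300"
        klipsdebug=all
        plutodebug="control parsing"
conn umesp
        left=200.186.xxx.xx
        leftsubnet=10.11.193.0/24
        right=200.198.xxx.xxx
        rightsubnet= 10.0.1.0/24
        ike=3des-md5-modp1024
        esp=3DES-md5
        compress=yes
        authby=secret
        pfs=yes
"""
# The same conf with Peter's checklist applied.
FIXED = (POSTED.replace("klipsdebug=all", "klipsdebug=none")
               .replace('plutodebug="control parsing"', "plutodebug=none")
               + "        auto=add\n        ikelifetime=8.0h\n        keylife=8.0h\n")

if __name__ == "__main__":
    for finding in lint(POSTED) or ["no findings"]:
        print(finding)
```

Run against POSTED it reports five findings (both debug options, the missing auto=, and both unset lifetimes); FIXED reports none. The proposal check is deliberately an exact match: with a single proposal enabled on the Contivity, an openswan ike= or esp= list containing anything else only gives the Nortel extra transforms to get confused by, which is the point Peter makes about disabling unused encryptions.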
________________________________
From: Marcos Abadi [mailto:marcosabadi at gmail.com]
Sent: May 22, 2007 10:16 AM
To: petermcgill at goco.net
Subject: Re: [Openswan Users] site-to-site ipsec contivity 1750 with openswan
fw1-imec:/etc/network/local# ipsec --version
Linux Openswan U2.2.0/K2.6.11.12-na1801r2-secure (native)
See `ipsec --copyright' for copyright information.
I am initiating the connection manually because I am only running a test, but still have not had success...
The Contivity configuration follows below:
Encryption:
- ESP - Triple DES with SHA1 Integrity: Enabled
- ESP - Triple DES with MD5 Integrity: Enabled
- ESP - 56-bit DES with SHA1 Integrity: Enabled
- ESP - 56-bit DES with MD5 Integrity: Enabled
- ESP - 40-bit DES with SHA1 Integrity: Enabled
- ESP - 40-bit DES with MD5 Integrity: Enabled
- AH - Authentication Only (HMAC-SHA1): Enabled
- AH - Authentication Only (HMAC-MD5): Enabled
IKE Encryption and Diffie-Hellman Group: Triple DES with Group 2 (1024-bit prime)
Vendor ID: Enabled
Aggressive Mode ISAKMP Initial Contact Payload: Disabled
Perfect Forward Secrecy: Enabled
Compression: Enabled
Rekey Timeout: 08:00:00
Rekey Data Count: (None)
ISAKMP Retransmission Interval: 16
ISAKMP Retransmission Max Attempts: 4
Keepalive interval: 00:01:00
Keepalive (On-Demand connections): DISABLED
Anti Replay: ENABLED
IPsec DFBit: CLEAR
On 5/22/07, Peter McGill <petermcgill at goco.net> wrote:
Marcos,
Alright, the conf does not load the conn at all, otherwise the
conn looks good. Do you start it manually?
Set auto=start, and initiate with the openswan, it works better
than letting the nortel initiate.
If that doesn't solve for you, also try these.
Did you setup your ipsec.secrets file?
/etc/ipsec.secrets
200.186.xxx.xx 200.198.xxx.xxx : PSK "preshared secret here"
Also, set debug options to none, klipsdebug=none and plutodebug=none,
the standard logging is usually enough, send us the full pluto log for
the connection then.
Just to verify, what openswan version are you running? 2.x?
ipsec --version
Peter McGill
________________________________
From: Marcos Abadi [mailto: marcosabadi at gmail.com]
Sent: May 20, 2007 7:07 PM
To: petermcgill at goco.net
Subject: Re: [Openswan Users] site-to-site ipsec contivity 1750 with openswan
I am not able to establish a connection using PSK; my server is Debian 3.1, kernel 2.6.11.12, with a
Nortel 1750.
My configuration
------------------------------------------
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec0=eth3.300"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug="control parsing"
        nat_traversal=yes
        uniqueids=yes

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn umesp
        left=200.186.xxx.xx
        leftsubnet=10.11.193.0/24
        right=200.198.xxx.xxx
        rightsubnet=10.0.1.0/24
        keyexchange=ike
        ike=3des-md5-modp1024
        esp=3DES-md5
        compress=yes
        authby=secret
        type=tunnel
        pfs=yes

conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
----------------------------------------------------------------------
Log
May 20 20:01:48 fw1-imec ipsec__plutorun: Starting Pluto subsystem...
May 20 20:01:48 fw1-imec pluto[1331]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
May 20 20:01:48 fw1-imec pluto[1331]: including NAT-Traversal patch (Version 0.6c)
May 20 20:01:48 fw1-imec pluto[1331]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
May 20 20:01:48 fw1-imec pluto[1331]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 20 20:01:48 fw1-imec pluto[1331]: Using Linux 2.6 IPsec interface code
May 20 20:01:48 fw1-imec pluto[1331]: Changing to directory '/etc/ipsec.d/cacerts'
May 20 20:01:48 fw1-imec pluto[1331]: Could not change to directory '/etc/ipsec.d/aacerts'
May 20 20:01:48 fw1-imec pluto[1331]: Changing to directory '/etc/ipsec.d/ocspcerts'
May 20 20:01:48 fw1-imec pluto[1331]: Changing to directory '/etc/ipsec.d/crls'
May 20 20:01:48 fw1-imec pluto[1331]: Warning: empty directory
May 20 20:01:48 fw1-imec pluto[1331]: | inserting event 11??, timeout in 14292 seconds
May 20 20:01:48 fw1-imec pluto[1331]: | next event EVENT_REINIT_SECRET in 3600 seconds
May 20 20:01:48 fw1-imec pluto[1331]: |
May 20 20:01:48 fw1-imec pluto[1331]: | *received w
packet from 200.186.xxx.xx:500: ignoring Vendor ID payload [424e45530000000a]
May 20 20:02:42 fw1-imec pluto[1331]: packet from 200.186.xxx.xx:500: received Vendor ID payload [Dead Peer
Detection]
May 20 20:02:42 fw1-imec pluto[1331]: packet from 200.186.xxx.xx:500: initial Main Mode message received on
200.198.105.235:500 but no connection has been authorized
May 20 20:02:42 fw1-imec pluto[1331]: | next event EVENT_REINIT_SECRET in 3546 seconds
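The decisive line in the log above is "initial Main Mode message received on ... but no connection has been authorized": the Contivity is initiating, and pluto has no loaded conn whose left/right match the two addresses, which is exactly what Peter concludes from it. The script below is an added example, not openswan code: it parses pluto's syslog format, groups packet events per peer, decodes the hex vendor ID pluto did not recognise, and turns the unauthorized-connection line into a concrete diagnosis. The sample log is the one posted above, with the two lines the mail client wrapped joined back together.

```python
"""Triage a pluto log for the 'no connection has been authorized' failure in
the thread.  Added example, not openswan code.  Sample lines are the ones
Marcos posted, with the two lines his mail client wrapped joined back up."""
import re

SAMPLE_LOG = """\
May 20 20:01:48 fw1-imec pluto[1331]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
May 20 20:01:48 fw1-imec pluto[1331]: including NAT-Traversal patch (Version 0.6c)
May 20 20:01:48 fw1-imec pluto[1331]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
May 20 20:01:48 fw1-imec pluto[1331]: Using Linux 2.6 IPsec interface code
May 20 20:02:42 fw1-imec pluto[1331]: packet from 200.186.xxx.xx:500: ignoring Vendor ID payload [424e45530000000a]
May 20 20:02:42 fw1-imec pluto[1331]: packet from 200.186.xxx.xx:500: received Vendor ID payload [Dead Peer Detection]
May 20 20:02:42 fw1-imec pluto[1331]: packet from 200.186.xxx.xx:500: initial Main Mode message received on 200.198.105.235:500 but no connection has been authorized
May 20 20:02:42 fw1-imec pluto[1331]: | next event EVENT_REINIT_SECRET in 3546 seconds
"""

PLUTO = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<msg>.*)$")
VERSION = re.compile(r"^Starting Pluto \(Openswan Version (?P<ver>\S+)")
PACKET = re.compile(r"^packet from (?P<peer>\S+?):(?P<port>\d+): (?P<rest>.*)$")
VID = re.compile(r"^(received|ignoring) Vendor ID payload \[(?P<vid>[^\]]+)\]$")
NOCONN = re.compile(r"^initial (?P<mode>Main|Aggressive) Mode message received on "
                    r"(?P<local>\S+?):(?P<lport>\d+) but no connection has been authorized$")


def decode_vid(vid):
    """Pluto names the vendor IDs it knows and prints the rest as hex; show the
    printable bytes of an unknown one so the vendor is recognisable at a glance."""
    if not re.fullmatch(r"[0-9a-fA-F]+", vid) or len(vid) % 2:
        return vid
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in bytes.fromhex(vid))
    return "%s (%s)" % (vid, printable)


def triage(log_text):
    """Group packet events by peer and explain any 'no connection has been
    authorized' lines; returns {'version', 'peers', 'findings'}."""
    report = {"version": None, "peers": {}, "findings": []}
    for line in log_text.splitlines():
        m = PLUTO.match(line)
        if not m or m.group("msg").startswith("|"):   # skip non-pluto and plutodebug lines
            continue
        msg = m.group("msg")
        v = VERSION.match(msg)
        if v:
            report["version"] = v.group("ver")
            continue
        p = PACKET.match(msg)
        if not p:
            continue
        peer = report["peers"].setdefault(p.group("peer"), {"vendor_ids": [], "unauthorized": []})
        vm, nm = VID.match(p.group("rest")), NOCONN.match(p.group("rest"))
        if vm:
            peer["vendor_ids"].append(decode_vid(vm.group("vid")))
        elif nm:
            peer["unauthorized"].append((nm.group("mode"), nm.group("local"), int(nm.group("lport"))))
    for addr, info in report["peers"].items():
        for mode, local, lport in info["unauthorized"]:
            report["findings"].append(
                "%s initiated %s Mode to %s:%d, but pluto has no loaded conn for that pair: "
                "either the conn was never added (no auto= line) or its left/right do not match "
                "these addresses; compare with 'ipsec auto --status'.  Vendor IDs seen: %s"
                % (addr, mode, local, lport, ", ".join(info["vendor_ids"]) or "none"))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("pluto version:", r["version"])
    for f in r["findings"]:
        print(f)
```

The hex vendor ID pluto ignored decodes to the printable prefix "BNES"; it is the ID the Contivity sent in this exchange, so seeing it on a peer that then fails with "no connection has been authorized" tells you the Nortel reached the box and the problem is on the openswan side, not in the path. Lines beginning with "|" are plutodebug output and are skipped, which is why Peter asks for the log with klipsdebug=none and plutodebug=none.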
On 5/18/07, Peter McGill <petermcgill at goco.net> wrote:
Well I use Slackware Linux, but it shouldn't really matter, any Linux/BSD should do.
More important is to get the latest Openswan, 2.4.7, to get all bug fixes, features, etc...
Have you used Openswan before, if not be sure to read up on it.
You'll need to setup your firewall rules to allow the IPSec encrypted and unencrypted
traffic.
Peter McGill
________________________________
From: Marcos Abadi [mailto:marcosabadi at gmail.com]
Sent: May 18, 2007 3:08 PM
To: petermcgill at goco.net
Subject: Re: [Openswan Users] site-to-site ipsec contivity 1750 with openswan
Thanks Peter,
Which operating system do you use to connect to the Nortel?
On 5/18/07, Peter McGill <petermcgill at goco.net> wrote:
> -----Original Message-----
> Date: Fri, 18 May 2007 10:19:17 -0300
> From: "Marcos Abadi" <marcosabadi at gmail.com>
> Subject: [Openswan Users] site-to-site ipsec contivity 1750 with
> openswan
> To: users at openswan.org
>
> somebody knows as to implement a connection vpn site-to-site
> ipsec with
> contivity 1750 of the Nortel using openswan?
I have years of experience with Nortel and openswan, with
multiple versions of each. Things don't change much between the
versions.
For 3DES/Triple DES encryption...
Openswan setup
/etc/ipsec.conf
conn nortel-172-26-net-to-openswan-net
        left=<openswan public ip>
        leftnexthop=%defaultroute
        leftsubnet=172.21.0.0/16
        alsoflip=nortel-switch
        rightsubnet=172.26.0.0/16
        auto=start

conn nortel-192-168-net-to-openswan-net
        left=<openswan public ip>
        leftnexthop=%defaultroute
        leftsubnet=172.21.0.0/16
        alsoflip=nortel-switch
        rightsubnet=192.168.0.0/16
        auto=start

conn nortel-switch
        left=<nortel public ip>
        leftnexthop=%defaultroute
        also=nortel

conn nortel
        keyexchange=ike
        aggrmode=no
        auth=esp
        ike=3des-md5-modp1024
        esp=3des-md5
        pfs=yes
        compress=yes
        ikelifetime=12.0h   # 1.0h
        keylife=12.0h       # 8.0h
        authby=secret
To fix a glitch with connection renewals...
This + the 12 hour lifetime keeps conn running
during office hours 7am-6pm mon-fri.
crontab -e/l
# Reset nortel Connection at 7:00 every weekday:
0 7 * * 1-5 /root/nortel-reset > /dev/null 2>&1
/root/nortel-reset
#!/bin/bash
# Tear both tunnels down and bring them back up from the openswan side,
# so that openswan is the initiator after every reset.
IPSEC=/usr/local/sbin/ipsec
$IPSEC auto --down nortel-192-168-net-to-openswan-net
$IPSEC auto --down nortel-172-26-net-to-openswan-net
$IPSEC auto --up nortel-192-168-net-to-openswan-net
$IPSEC auto --up nortel-172-26-net-to-openswan-net
Nortel setup
Branch office
  Connectivity
    Idle Timeout                                    00:00:00
  IPSec
    Encryption
      ESP - Triple DES with MD5 Integrity           Checked/Enabled
      Others                                        Unchecked/Disabled
    IKE Encryption and Diffie-Hellman Group         Triple DES with Group 2 (1024-bit prime)
    Aggressive Mode ISAKMP Initial Contact Payload  Disabled
    Perfect Forward Secrecy                         Enabled
    Compression                                     Enabled
    Rekey Timeout                                   12:00:00 (hours)
    Keepalive (On-demand connections)               Disabled
Peter
--
Marcos Abadi
CCNA - Cisco Certified
CSCO10868158
LPI - Linux Cerfified
LPI ID: LPI000064006
User Linux #385452
Porto Alegre - RS
Fone:(51)9975-2060