[Openswan Users] Connection against a Lucent FW success!!!! but may be there's still room for improvement

Rolando J. Zappacosta zappacor at yahoo.com.ar
Tue Sep 9 15:28:07 EDT 2008

> If you have the logs from the lucent side, to see what vendorid is logged
> on their side, I'd be interested so we can add it to our own recognised
> vendor list (and possible take action based on it)
I discussed this subject here: 
http://lists.openswan.org/pipermail/users/2008-February/014030.html based on 
what I could capture under Windows, the relevant part of it is:
"I'm trying to connect OpenSwan to a Lucent VPN Gateway, which according to 
its ASCII interpretation of its Vendor ID payload is:
I can connect to it by means of the Lucent VPN Client V7.1.2 on a Windows XP 
computer (Vendor ID= 4C5643372E312E323A5850="LVC7.1.2:XP")."
Seems one can know the running version of the client and server just looking 
on the vendor id part of an ASCII capture dump.
Interesting thing is, as explained to you privatelly, the way the PSK gets 
handled here. Under the LVC (windows) I had to configure a PSK like:
<MyCompanysPSK> where the real PSK is 9 ASCII characters long. However, I 
could find that in order to have OSW establishing phase 1 succesfully I had 
to add the string "01234567890" as a trailer, i.e. my ipsec.secrets looks 
!@#$% <MyCompanysGWipAddress> : PSK "<MyCompanysPSK>01234567890"

what gives a PSK of lenght 20. Not sure on how they handle it but my guess 
is they just take the PSK the user configures, add the string 
"01234567890123456789" and take the first 20 bytes of it. Easy way to hook 
you on their client while still keeping it simply to develop.

And I'm not sure if the user !@#$% is the one the GW admin configured on it 
or if it's the way they handle it but whatever else I configure, the GW just 
don't respond anything back to me.

In any case, whatever else you need, just drop a line, I'd be glad to help 
you in whatever I can.

>> I wonder if I should do something else because of these ones:
>>  1) 003 "Intranet" #1: discarding duplicate packet; already 
>>  2) 003 "Intranet" #2: ignoring informational payload, type 
> Looks like a resend, you can ignore it.
Strangely, I *always* do receive the duplicate packet warning. Another 
interesting thing is Lucent's VPN client doesn't exchange any CFG at all... 
I'm wondering now if I need it indeed. The server sends it to me but seems 
like OSW only configures the local IP address based on it. I supossed it was 
going to be able to configure something else, such as DNS or things like 
that. The LVC do more things with no CFG at all, configures the DNS and WINS 
servers for instance, something I'll need to do manually via a script (or 
can it be made automatically somehow by OSW?)

>> and this one from pluto's debug:
>>  3) "Intranet" #1: XAUTH: Unsupported attribute: INTERNAL_ADDRESS_EXPIRY
> You can also ignore this. Openswan does not support 
> so it wont drop the IP address or ask for a new one.
Same for "ignoring informational payload, type IPSEC_RESPONDER_LIFETIME" 


More information about the Users mailing list