[Openswan Users] Connection against a Lucent FW success!!!! but may be there's still room for improvement
Rolando J. Zappacosta
zappacor at yahoo.com.ar
Tue Sep 9 15:28:07 EDT 2008
> If you have the logs from the lucent side, to see what vendorid is logged
> on their side, I'd be interested so we can add it to our own recognised
> vendor list (and possibly take action based on it)
I discussed this subject here:
http://lists.openswan.org/pipermail/users/2008-February/014030.html based on
what I could capture under Windows, the relevant part of it is:
"I'm trying to connect OpenSwan to a Lucent VPN Gateway, which according to
its ASCII interpretation of its Vendor ID payload is:
4C5647392E312E3235353A425249434B3A392E312E323535="LVG9.1.255:BRICK:9.1.255".
I can connect to it by means of the Lucent VPN Client V7.1.2 on a Windows XP
computer (Vendor ID= 4C5643372E312E323A5850="LVC7.1.2:XP")."
Seems one can know the running version of the client and server just looking
on the vendor id part of an ASCII capture dump.
Interesting thing is, as explained to you privately, the way the PSK gets
handled here. Under the LVC (windows) I had to configure a PSK like:
<MyCompanysPSK> where the real PSK is 9 ASCII characters long. However, I
could find that in order to have OSW establishing phase 1 successfully I had
to add the string "01234567890" as a trailer, i.e. my ipsec.secrets looks
like:
!@#$% <MyCompanysGWipAddress> : PSK "<MyCompanysPSK>01234567890"
which gives a PSK of length 20. Not sure on how they handle it but my guess
is they just take the PSK the user configures, add the string
"01234567890123456789" and take the first 20 bytes of it. Easy way to hook
you on their client while still keeping it simple to develop.
And I'm not sure if the user !@#$% is the one the GW admin configured on it
or if it's the way they handle it, but whatever else I configure, the GW just
doesn't respond anything back to me.
In any case, whatever else you need, just drop a line, I'd be glad to help
you in whatever I can.
>> I wonder if I should do something else because of these ones:
>> 1) 003 "Intranet" #1: discarding duplicate packet; already
>> STATE_XAUTH_I1
>> 2) 003 "Intranet" #2: ignoring informational payload, type
>> IPSEC_RESPONDER_LIFETIME
> Looks like a resend, you can ignore it.
Strangely, I *always* do receive the duplicate packet warning. Another
interesting thing is Lucent's VPN client doesn't exchange any CFG at all...
I'm wondering now if I need it indeed. The server sends it to me but seems
like OSW only configures the local IP address based on it. I supposed it was
going to be able to configure something else, such as DNS or things like
that. The LVC does more things with no CFG at all, configures the DNS and WINS
servers for instance, something I'll need to do manually via a script (or
can it be made automatically somehow by OSW?)
>> and this one from pluto's debug:
>> 3) "Intranet" #1: XAUTH: Unsupported attribute: INTERNAL_ADDRESS_EXPIRY
> You can also ignore this. Openswan does not support
> INTERNAL_ADDRESS_EXPIRY,
> so it won't drop the IP address or ask for a new one.
Same for "ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"
above?
Rolando
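The following is an added example, not code from the original post or from Openswan. It decodes the two Vendor ID payloads quoted in the message into their ASCII fields (so the gateway and client versions can be read straight from a capture) and models the poster's guess about how the Lucent side pads a short PSK to 20 bytes so that an ipsec.secrets entry can be generated. The function names, the PAD_DIGITS constant and the handling of keys longer than 20 characters are assumptions; only the hex strings and the "<PSK>01234567890" trailer come from the post.

```python
# Added example: decode Lucent IKE Vendor ID payloads and reproduce the
# poster's hypothesised PSK padding. Hex strings are the ones quoted in the post.
LUCENT_GATEWAY_VID = "4C5647392E312E3235353A425249434B3A392E312E323535"
LUCENT_CLIENT_VID = "4C5643372E312E323A5850"


def decode_vendor_id(hex_payload: str) -> dict:
    """Split a hex Vendor ID into fields.

    Lucent IDs are printable ASCII separated by colons: product letters and
    version first ("LVG9.1.255"), then role/platform fields. Most vendors send
    an opaque hash instead, so non-printable bytes are reported as opaque
    rather than parsed (assumption: printable means 0x20..0x7e).
    """
    raw = bytes.fromhex(hex_payload)
    if not all(0x20 <= b < 0x7F for b in raw):
        return {"opaque": True, "raw": raw}
    text = raw.decode("ascii")
    fields = text.split(":")
    head = fields[0]
    # Product prefix is the leading run of letters; the version follows it.
    i = 0
    while i < len(head) and head[i].isalpha():
        i += 1
    return {
        "opaque": False,
        "text": text,
        "product": head[:i],
        "version": head[i:],
        "rest": fields[1:],
    }


# Hypothetical pad string from the post's guess: the configured PSK is
# followed by "01234567890123456789" and the first 20 bytes are used.
PAD_DIGITS = "01234567890123456789"
KEY_LENGTH = 20


def pad_psk_hypothesis(psk: str, length: int = KEY_LENGTH) -> str:
    """Return the 20-byte key the post guesses the Lucent endpoints derive.

    Keys already at or past the length are truncated (assumption; the post only
    describes the short-key case).
    """
    return (psk + PAD_DIGITS)[:length]


def secrets_line(user: str, gateway_ip: str, psk: str) -> str:
    """Build the ipsec.secrets line in the shape shown in the post,
    with the PSK padded the way the post describes."""
    return f'{user} {gateway_ip} : PSK "{pad_psk_hypothesis(psk)}"'


if __name__ == "__main__":
    for vid in (LUCENT_GATEWAY_VID, LUCENT_CLIENT_VID):
        print(decode_vendor_id(vid))
    # Constructed 9-character PSK standing in for <MyCompanysPSK>.
    print(secrets_line("!@#$%", "192.0.2.1", "abcdefghi"))
```

Running it prints the decoded gateway and client IDs and a secrets line whose key is the 9-character example followed by "01234567890", i.e. 20 characters, matching the trailer the post found necessary.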