[Openswan Users] Connection against a Lucent FW success!!!! but may be there's still room for improvement

Rolando J. Zappacosta zappacor at yahoo.com.ar
Wed Sep 10 02:27:30 EDT 2008


>> "I'm trying to connect OpenSwan to a Lucent VPN Gateway, which according to
>> its ASCII interpretation of its Vendor ID payload is:
>> 4C5647392E312E3235353A425249434B3A392E312E323535="LVG9.1.255:BRICK:9.1.255".
>> I can connect to it by means of the Lucent VPN Client V7.1.2 on a Windows XP
>> computer (Vendor ID= 4C5643372E312E323A5850="LVC7.1.2:XP")."
>
> Thanks. Normally vendorids are md5sum's of some text, though in this case
> that does not seem to be the case. I added them as-is to vendor.c for now.

Then,... thank *you* buddy!!!!


>> Interesting thing is, as explained to you privately, the way the PSK gets
>> handled here. Under the LVC (windows) I had to configure a PSK like:
>> <MyCompanysPSK> where the real PSK is 9 ASCII characters long. However, I
>> could find that in order to have OSW establishing phase 1 successfully I had
>> to add the string "01234567890" as a trailer, i.e. my ipsec.secrets looks
>> like:
>> !@#$% <MyCompanysGWipAddress> : PSK "<MyCompanysPSK>01234567890"
>> which gives a PSK of length 20. Not sure on how they handle it but my guess
>> is they just take the PSK the user configures, add the string
>> "01234567890123456789" and take the first 20 bytes of it. Easy way to hook
>> you on their client while still keeping it simple to develop.
>> And I'm not sure if the user !@#$% is the one the GW admin configured on it
>> or if it's the way they handle it but whatever else I configure, the GW just
>> doesn't respond anything back to me.
>
> Thanks! I put a note of this in docs/lucent-client.txt, and it will end up
> in the new wiki once we have it online.

I thought about it last night and my conclusion is the string !@#$% is 
hard-coded within the LVC as I never configured that on it. In fact, the only 
stuff one configures on it is what you can see on the attached picture: just 
the "tunnel name" (whatever name you want to give to it), the LVG IP address 
(AAA.BBB.CCC.DDD) as the "primary tunnel end point" (my company doesn't use a 
secondary one and I don't know how to configure it on OSW nor if it's 
possible). The "user identity" is the user name for the XAUTH part and not 
the one for the phase 1 that's, again, !@#$%
Then the "password", that in my case is a 4 digit PIN + 6 digits from a token 
(but this password may be whatever else the admin sets on the LVG) and 
finally the "group key", that's the PSK, configured as <MyCompanysPSK> on it 
and so as "<MyCompanysPSK>01234567890" on OSW. BTW, can you see the stars 
hiding its value there? There are 20 of them, so my guess above might be closer to 
reality!!!  :-)
I'm attaching a copy of my working ipsec.conf and ipsec.secrets too.


> Openswan does support DNS/WINS via XAUTH/ModeConfig. Though as a client, we
> might be ignoring it, since we have no structured way of modifying resolv.conf
> in any modern way (eg dbus/networkmanager). I believe we might only pass it
> as env variables to the updown script.

Well, that would be better than nothing. I'm running Gentoo and the latest 
ebuilds on it are for OSW 2.4.13, does it have this env setting already? If 
yes, please forward me some info on those vars.
BTW, does anybody have ebuilds for the latest versions??? I'm desperately 
searching for them.


> You can copy the stock _updown script and add resolv.conf rewriting to it,
> and configure the new script using leftupdown=

Will definitely give it a try but the problem is the assigned DNS / WINS 
servers change depending on what country I bring the VPN up in, so having a way 
to take advantage of ModeConfig as explained above would be great even 
though I can just use only and always a given one.

HTH all of you out there wishing to connect to a Lucent Brick with no luck 
yet. It took me some months and definitely a huge amount of work and 
hours of debugging to get it to work, mainly due to the fckg PSK trick. 
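The two interop observations in this post, the printable-ASCII Vendor ID payloads and the PSK trailer guess, are easy to check mechanically. The script below is an added example written for this page, not code from the poster or from the Openswan project. It decodes the two Vendor ID hex strings quoted above, applies the padding rule exactly as the poster guesses it (append "01234567890123456789", keep the first 20 bytes), and formats the matching ipsec.secrets line. The padding rule is the poster's unconfirmed assumption, and the sample group key is a constructed value.

```python
"""Decode Lucent ISAKMP Vendor IDs and reproduce the PSK trailer guess
from the Openswan users thread.  Added example; the padding rule is the
poster's guess, not documented Lucent behaviour."""
from typing import Optional

# Vendor ID payloads quoted in the thread, hex as seen on the wire.
LUCENT_VENDOR_IDS = {
    "gateway": "4C5647392E312E3235353A425249434B3A392E312E323535",
    "client": "4C5643372E312E323A5850",
}

# Trailer the poster guesses the Lucent client appends before truncating
# the effective PSK to 20 bytes (assumption from the post).
PSK_TRAILER = "01234567890123456789"
PSK_LENGTH = 20

# Phase 1 identity the post reports as hard-coded in the Lucent client.
LUCENT_LOCAL_ID = "!@#$%"


def decode_vendor_id(hex_vid: str) -> Optional[str]:
    """Return the ASCII text of a Vendor ID when every byte is printable,
    otherwise None.  Most vendor IDs are MD5 digests of some string and
    will not decode, which is the usual case the reply mentions."""
    raw = bytes.fromhex(hex_vid)
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def lucent_effective_psk(group_key: str) -> str:
    """Apply the guessed rule: configured group key + trailer, first 20 bytes.
    A key of 9 characters therefore gets the 11-character trailer
    "01234567890" that the poster had to add by hand."""
    return (group_key + PSK_TRAILER)[:PSK_LENGTH]


def trailer_for_key_length(key_length: int) -> str:
    """The part of the trailer that survives truncation for a given
    configured key length; empty once the key already fills 20 bytes."""
    return PSK_TRAILER[: max(0, PSK_LENGTH - key_length)]


def ipsec_secrets_line(gateway_ip: str, group_key: str,
                       local_id: str = LUCENT_LOCAL_ID) -> str:
    """Build the ipsec.secrets entry in the shape the post shows."""
    return f'{local_id} {gateway_ip} : PSK "{lucent_effective_psk(group_key)}"'


if __name__ == "__main__":
    for role, vid in LUCENT_VENDOR_IDS.items():
        print(f"{role}: {vid} -> {decode_vendor_id(vid)!r}")
    # Constructed 9-character group key standing in for <MyCompanysPSK>.
    print(ipsec_secrets_line("192.0.2.1", "abcdefghi"))
```

Running the script prints the two decoded Vendor IDs and a secrets line whose PSK is the 9-character key followed by "01234567890", i.e. 20 bytes, matching what the poster found by trial and error.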
-------------- next part --------------
A non-text attachment was scrubbed...
Name: LucentVPNclientConfig.JPG
Type: image/jpeg
Size: 24396 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080910/a66ba6b0/attachment-0001.jpe 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec.secrets.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20080910/a66ba6b0/attachment-0002.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec.conf.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20080910/a66ba6b0/attachment-0003.txt 