[Openswan Users] Connecting to a Nortel Contivity IPsec VPN server

Juan Luis Baptiste juan.baptiste at gmail.com
Thu Dec 23 17:56:54 EST 2010


Hi,

I'm trying to connect to a Nortel Contivity 1750 server with no luck.
The configuration parameters I'm supposed to use to connect to the
Nortel box are the following:

For phase 1:
authentication method: Preshared Key
IKE support
Diffie-Hellman group: 2 or 5
encryption: AES 128
hashing: SHA-1
Main Mode or aggressive mode
IKE key life time: 3600 seconds

For phase 2:
ESP support
encryption: AES 128
hashing: SHA-1
No PFS
key lifetime: 86400 seconds


Based on that info I wrote the following config:

conn hqgateACH-satgateACH
     left=%defaultroute
     leftsourceip=192.168.200.10
     leftnexthop=<openswan gateway>
     right=<Nortel box>
     rightnexthop=<openswan server>
     authby=secret
     keyexchange=ike
     ike=aes128-sha1-modp1024
     aggrmode=no
     ikelifetime=1h # 1.0h
     auth=esp
     esp=aes128
     pfs=no
     keylife=24h # 86400 s
     auto=start

Then I started the ipsec service, and from what I can see (and understand)
in the /var/log/secure log, phase 1 ends successfully; the problem is with
phase 2 (IP addresses removed):

Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH":
route-host output: RTNETLINK answers: No such process
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
initiating Main Mode
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
ignoring unknown Vendor ID payload [424e45530000000a]
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
received Vendor ID payload [Dead Peer Detection]
Dec 22 10:26:01 cancerbero pluto[17691]: pluto_do_crypto: helper (0) is  exiting
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
STATE_MAIN_I2: sent MI2, expecting MR2
Dec 22 10:26:01 cancerbero pluto[17691]: pluto_do_crypto: helper (0) is  exiting
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
STATE_MAIN_I3: sent MI3, expecting MR3
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
msgid=00000000
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
Main mode peer ID is ID_IPV4_ADDR: '<nortel box ip address>'
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_128 prf=oakley_sha group=modp1024}
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #2:
initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using
isakmp#1 msgid:b1d29c92 proposal=AES(12)_128-SHA1(2)_160
pfsgroup=no-pfs}
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #2:
pluto_do_crypto: helper (0) is  exiting
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
ignoring informational payload, type INVALID_ID_INFORMATION
msgid=00000000
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
received and ignored informational message

and some minutes later:

Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH"
#39: max number of retransmissions (2) reached STATE_QUICK_I1.  No
acceptable response to our first Quick Mode message: perhaps peer
likes no proposal
Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH" #39:
starting keying attempt 39 of an unlimited number
Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH" #41:
initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW to
replace #39 {using isakmp#40 msgid:f062b173
proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}

I suppose I have one value on the esp parameter wrong, but I have
tried all the values I have found on the net with no luck
(3des-md5,3des-sha1,aes128-sha1,aes128-md5).

What am I missing?

Thanks for your help in advance.

Cheers,
-- 
Juancho
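The log excerpt above separates cleanly into a phase 1 that completes and a phase 2 (Quick Mode) that is rejected, and the peer's INVALID_ID_INFORMATION notification is the one clue pluto gives about why. The script below is an added example, not part of the original post or of Openswan itself: it parses pluto log lines of the shape shown above, records per connection what phase 1 negotiated, which Quick Mode proposals were sent, which informational notifications came back and how many Quick Mode attempts hit the retransmission limit, and turns that into a short list of findings. The connection name, PID and log lines in SAMPLE_LOG are constructed to match the post; the regexes, function names and the wording of the findings are this example's own assumptions about pluto's output format.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the pluto lines quoted in the post
# (addresses removed); it is not a capture from the poster's gateway.
SAMPLE_LOG = """\
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH": route-host output: RTNETLINK answers: No such process
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:b1d29c92 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #2: pluto_do_crypto: helper (0) is  exiting
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH" #39: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Only lines that carry a connection name and an SA number ("#1:") are of
# interest; helper chatter and route-host output are skipped.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
ISAKMP_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
QM_RE = re.compile(r'initiating Quick Mode .*?\{(?P<params>[^}]*)\}')
INFO_RE = re.compile(r'ignoring informational payload, type (?P<type>\S+)')
RETRANS_RE = re.compile(r'max number of retransmissions \(\d+\) reached (?P<state>\S+)\.')


def parse_params(text):
    """Turn 'auth=X cipher=Y ...' into a dict; tokens without '=' are dropped."""
    out = {}
    for token in text.split():
        if '=' in token:
            key, value = token.split('=', 1)
            out[key] = value
    return out


def analyze(log_text):
    """Collect phase 1 / phase 2 facts per connection from pluto log lines."""
    report = defaultdict(lambda: {
        "phase1": None,            # params of the established ISAKMP SA
        "quick_mode": [],          # one dict per Quick Mode attempt
        "notifications": [],       # informational payload types received
        "quick_mode_failures": 0,  # Quick Mode attempts that hit the retransmit limit
    })
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = report[m.group("conn")]
        msg = m.group("msg")
        s = ISAKMP_RE.search(msg)
        if s:
            entry["phase1"] = parse_params(s.group("params"))
            continue
        q = QM_RE.search(msg)
        if q:
            entry["quick_mode"].append(parse_params(q.group("params")))
            continue
        i = INFO_RE.search(msg)
        if i:
            entry["notifications"].append(i.group("type"))
            continue
        r = RETRANS_RE.search(msg)
        if r and r.group("state").startswith("STATE_QUICK"):
            entry["quick_mode_failures"] += 1
    return dict(report)


def diagnose(entry):
    """Return human-readable findings for one connection's report."""
    findings = []
    p1 = entry["phase1"]
    if not p1:
        findings.append("phase 1 never completed; check the ike= proposal and the PSK")
        return findings
    findings.append("phase 1 completed: cipher=%s prf=%s group=%s"
                    % (p1.get("cipher"), p1.get("prf"), p1.get("group")))
    if entry["quick_mode_failures"]:
        proposals = sorted({q.get("proposal", "?") for q in entry["quick_mode"]})
        findings.append("phase 2 hit the retransmit limit %d time(s); proposals offered: %s"
                        % (entry["quick_mode_failures"], ", ".join(proposals)))
        if "INVALID_ID_INFORMATION" in entry["notifications"]:
            # In IKEv1 Quick Mode this notification is commonly the peer rejecting the
            # identities (proxy IDs / traffic selectors) rather than the cipher set.
            findings.append("peer sent INVALID_ID_INFORMATION: check the traffic selectors "
                            "(leftsubnet/rightsubnet/leftsourceip) before changing esp= again")
    return findings


if __name__ == "__main__":
    for conn, entry in analyze(SAMPLE_LOG).items():
        print(conn)
        for finding in diagnose(entry):
            print("  -", finding)
```

Run it against a real /var/log/secure by reading the file into analyze(); the point of the per-connection report is that the proposal string and the notification type are shown side by side, so a rejected Quick Mode can be told apart from a cipher mismatch before more esp= variants are tried.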

