[Openswan Users] Connecting to a Nortel Contivity IPsec VPN server

Juan Luis Baptiste juan.baptiste at gmail.com
Mon Dec 27 16:36:07 EST 2010


OK, I managed to connect by adding:

leftsubnet=<openswan server public ip address>/32  --> same as the left param.
rightsubnet=<subnet behind nortel box> --> curious thing: it's a public
subnet, and the Nortel box's public IP address is contained in it.


I'm not sure why this worked. Talking to the Nortel box admin, he
tells me that only the openswan server will have access, and if I want
any client behind it to have access too I have to NAT them. I'm not
sure if this is how this is supposed to work.

Anyway, the problems aren't over: I can connect, but I can't reach the
servers on the remote network from the openswan server. Looking at the
firewall logs on the remote side, the Nortel admin tells me that the
source IP address he's seeing on my connection attempts is a private
IP address, which is the one the openswan server has on the network
interface connected to the private LAN. I removed
leftsourceip=<openswan server private LAN ip address> but the problem
still happens.

I really have no clue about what I'm missing; any hints would be greatly
appreciated.

Thanks,

Juancho

On Thu, Dec 23, 2010 at 5:56 PM, Juan Luis Baptiste
<juan.baptiste at gmail.com> wrote:
> Hi,
>
> I'm trying to connect to a Nortel Contivity 1750 server with no luck.
> The configuration parameters I'm supposed to use to connect to the
> Nortel box are the following:
>
> For phase 1:
> authentication method: Preshared Key
> IKE support
> Diffie-Hellman group: 2 or 5
> encryption: AES 128
> hashing: SHA-1
> Main Mode or aggressive mode
> IKE key lifetime: 3600 sec
>
> For phase 2:
> ESP support
> encryption: AES 128
> hashing: SHA-1
> No PFS
> key lifetime: 86400 sec
>
>
> Based on that info I wrote the following config:
>
> conn hqgateACH-satgateACH
>     left=%defaultroute
>     leftsourceip=192.168.200.10
>     leftnexthop=<openswan gateway>
>     right=<Nortel box>
>     rightnexthop=<openswan server>
>     authby=secret
>     keyexchange=ike
>     ike=aes128-sha1-modp1024
>     aggrmode=no
>     ikelifetime=1h # 1.0h
>     auth=esp
>     esp=aes128
>     pfs=no
>     keylife=24h # 24.0h
>     auto=start
>
> Then I started the ipsec service, and from what I can see (and understand)
> in the /var/log/secure log, phase 1 ends successfully; the problem is with
> phase 2 (IP addresses removed):
>
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH":
> route-host output: RTNETLINK answers: No such process
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> initiating Main Mode
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> ignoring unknown Vendor ID payload [424e45530000000a]
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> received Vendor ID payload [Dead Peer Detection]
> Dec 22 10:26:01 cancerbero pluto[17691]: pluto_do_crypto: helper (0) is  exiting
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> STATE_MAIN_I2: sent MI2, expecting MR2
> Dec 22 10:26:01 cancerbero pluto[17691]: pluto_do_crypto: helper (0) is  exiting
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> STATE_MAIN_I3: sent MI3, expecting MR3
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> ignoring informational payload, type IPSEC_INITIAL_CONTACT
> msgid=00000000
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> Main mode peer ID is ID_IPV4_ADDR: '<nortel box ip address>'
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_128 prf=oakley_sha group=modp1024}
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #2:
> initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using
> isakmp#1 msgid:b1d29c92 proposal=AES(12)_128-SHA1(2)_160
> pfsgroup=no-pfs}
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #2:
> pluto_do_crypto: helper (0) is  exiting
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> ignoring informational payload, type INVALID_ID_INFORMATION
> msgid=00000000
> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
> received and ignored informational message
>
> and some minutes later:
>
> Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH"
> #39: max number of retransmissions (2) reached STATE_QUICK_I1.  No
> acceptable response to our first Quick Mode message: perhaps peer
> likes no proposal
> Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH" #39:
> starting keying attempt 39 of an unlimited number
> Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH" #41:
> initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW to
> replace #39 {using isakmp#40 msgid:f062b173
> proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
>
> I suppose I have one value on the esp parameter wrong, but I have
> tried all the values I have found on the net with no luck
> (3des-md5,3des-sha1,aes128-sha1,aes128-md5).
>
> What am I missing?
>
> Thanks for your help in advance.
>
> Cheers,
> --
> Juancho
>
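A small triage script for the pluto log quoted above, added here as an example; it is not part of the thread and not Openswan's own tooling. It parses the quoted log lines (re-typed below as single-line constructed samples, keeping the poster's placeholders), records how far each connection got, and classifies the stall: phase 1 is done once "ISAKMP SA established" appears; an INVALID_ID_INFORMATION notify (ISAKMP notify type 18, RFC 2408) during Quick Mode means the peer rejected the identities proposed, which in Quick Mode are the traffic selectors that leftsubnet=/rightsubnet= produce, consistent with the fix found in the follow-up; a Quick Mode retransmission limit with no notify at all points to a silently refused esp= proposal or a peer that never saw the message. It also checks the proposal pluto actually sent against the peer's stated phase 2 policy (AES 128, SHA-1, no PFS). The classification labels and rule priorities are this example's own choice.

```python
"""Triage of Openswan/pluto IKEv1 log lines: how far did each connection get,
and why did it stall?  Added example; not part of the thread or of Openswan."""
import re
from dataclasses import dataclass, field

# Common pluto line shape:  <ts> <host> pluto[<pid>]: "<conn>" #<sa>: <message>
# The "<conn>" and #<sa> parts are optional (helper-thread lines have neither).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: )?(?P<msg>.*)$'
)
# Quick Mode proposal as pluto prints it, e.g. AES(12)_128-SHA1(2)_160
PROPOSAL_RE = re.compile(r"^(?P<enc>\w+)\(\d+\)_(?P<bits>\d+)-(?P<hash>\w+)\(\d+\)_\d+$")

# Constructed sample: the lines quoted in the thread, re-joined onto single
# lines, with the same placeholders the poster used.
SAMPLE_LOG = """\
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH": route-host output: RTNETLINK answers: No such process
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1: initiating Main Mode
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1: ignoring unknown Vendor ID payload [424e45530000000a]
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1: received Vendor ID payload [Dead Peer Detection]
Dec 22 10:26:01 cancerbero pluto[17691]: pluto_do_crypto: helper (0) is  exiting
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1: Main mode peer ID is ID_IPV4_ADDR: '<nortel box ip address>'
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:b1d29c92 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH" #39: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""


@dataclass
class ConnState:
    phase1_established: bool = False
    phase1_params: str = ""          # the {auth=... cipher=... group=...} summary
    quick_mode_attempts: int = 0
    quick_mode_proposal: str = ""    # e.g. "AES(12)_128-SHA1(2)_160 pfs=no-pfs"
    notifications: list = field(default_factory=list)
    quick_mode_timed_out: bool = False
    route_errors: list = field(default_factory=list)


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Walk the log and build one ConnState per connection name."""
    states = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["conn"]:
            continue
        st = states.setdefault(rec["conn"], ConnState())
        msg = rec["msg"]
        if "ISAKMP SA established" in msg:              # phase 1 done
            st.phase1_established = True
            st.phase1_params = msg[msg.find("{"):]
        elif msg.startswith("initiating Quick Mode"):   # phase 2 attempt
            st.quick_mode_attempts += 1
            pm = re.search(r"proposal=(\S+) pfsgroup=([^}\s]+)", msg)
            if pm:
                st.quick_mode_proposal = f"{pm.group(1)} pfs={pm.group(2)}"
        elif "ignoring informational payload, type " in msg:
            st.notifications.append(msg.split("type ", 1)[1].split()[0])
        elif "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            st.quick_mode_timed_out = True
        elif msg.startswith("route-host output:"):
            st.route_errors.append(msg)
    return states


def diagnose(st):
    """Map a ConnState to a short label (labels are this example's own)."""
    if not st.phase1_established:
        return "phase1-failed"
    if "INVALID_ID_INFORMATION" in st.notifications:
        # ISAKMP notify 18: the peer rejected the identities we proposed.
        # In Quick Mode those are the IDci/IDcr traffic selectors, i.e. what
        # leftsubnet=/rightsubnet= produce, not the esp= algorithm list.
        return "phase2-selector-rejected"
    if st.quick_mode_timed_out:
        # No notify at all: either the esp= proposal was refused silently
        # or the peer never saw our Quick Mode message.
        return "phase2-no-response"
    return "phase2-pending" if st.quick_mode_attempts else "phase1-only"


def proposal_matches(proposal, enc, bits, hash_alg, pfs):
    """Does the Quick Mode proposal pluto sent match the peer's stated phase 2
    policy (cipher, key length, hash, PFS on/off)?"""
    algs, _, pfsgroup = proposal.partition(" pfs=")
    m = PROPOSAL_RE.match(algs)
    if not m:
        return False
    return (m["enc"].upper() == enc.upper() and int(m["bits"]) == bits
            and m["hash"].upper() == hash_alg.upper()
            and (pfsgroup != "no-pfs") == pfs)


if __name__ == "__main__":
    for name, st in triage(SAMPLE_LOG).items():
        print(name, diagnose(st), st.phase1_params, st.quick_mode_proposal)
        print("proposal matches AES-128/SHA-1/no PFS:",
              proposal_matches(st.quick_mode_proposal, "AES", 128, "SHA1", False))
```

On the sample above the connection is classified as "phase2-selector-rejected" while the sent proposal does match AES-128/SHA-1/no PFS, which is the same conclusion the follow-up reached by trial: the esp= line was fine and the missing leftsubnet=/rightsubnet= were the problem. Run it over a real /var/log/secure by passing the file's contents to triage().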

