[Openswan Users] Connecting to a Nortel Contivity IPsec VPN server

Juan Luis Baptiste juan.baptiste at gmail.com
Wed Jan 5 15:51:18 EST 2011 

Hi !!

I got it working. I had to do three changes to get it working:

leftsourceip=<left ip address>
leftsubnet=<left ip address>/31
rightsubnet=<right subnet ip address>/29

Notice the netmasks, in the case of leftsubnet it makes a subnet with
one host (the left ip address), and with rightsubnet we leave out the
Nortel box from the subnet range.  I know, this isn't a common
scenario.

This is the full working config:

Code:
conn OpenSwan-Nortel
    left=190.144.44.xxx
     leftsourceip=190.144.44.xxx
     leftsubnet=190.144.44.xxx/31
     leftnexthop=190.144.44.yyy
     right=200.1.124.aaa
     rightsubnet=200.1.124.bbb/29
     rightnexthop=200.1.124.aaa
     authby=secret
     keyexchange=ike
     ike=aes128-sha1-modp1024
     aggrmode=no
     ikelifetime=1h # 1.0h
     auth=esp
     esp=aes128-sha1
     pfs=no
     keylife=24h # 8.0h
     auto=start

I hope this helps someone else.

Cheers,

Juancho

On Mon, Dec 27, 2010 at 4:36 PM, Juan Luis Baptiste
<juan.baptiste at gmail.com> wrote:
> Ok I got to connect by adding:
>
> leftsubnet=<openswan server public ip address>/32  --> same as left param.
> rightsubnet=<subnet behind nortel box> -> curious thing: public
> subnet, and the nortel box public IP address is contained in it.
>
>
> I'm not sure why this did worked, talking to the Nortel box admin he
> tells me that only the openswan server will have access and if I want
> any client behind it to have access too I have to NAT them, I'm not
> sure if this is how this is supposed to work.
>
> Anyway, problems aren't over, I can connect but I can't reach the
> servers on the remote network from the openswan server. Looking at the
> firewall logs on the remote side, the Nortel admin tells me that the
> source IP address he's seeing on my connection attempts is a private
> IP address, which is the one the openswan server has on the network
> interface connected to the private LAN. I removed
> leftsourceip=<openswan server private LAN ip address> but the problem
> still happens.
>
> I really have no clue on what I'm missing, any hints would be greatly
> appreciated.
>
> Thanks,
>
> Juancho
>
> On Thu, Dec 23, 2010 at 5:56 PM, Juan Luis Baptiste
> <juan.baptiste at gmail.com> wrote:
>> Hi,
>>
>> I'm trying to connect to a Nortel Contivity 1750 server with no luck.
>> The configuration parameters I'm supposed to use to connect to the
>> Nortel box are the following:
>>
>> For phase 1:
>> authentication method: Preshared Key
>> IKE support
>> Diffie-Helman group: 2 or 5
>> encryption: AES 128
>> hashing: SHA-1
>> Main Mode or aggresive mode
>> IKE key life time: 3600 Seg
>>
>> For phase 2:
>> ESP support
>> encryption: AES 128
>> hashing: SHA-1
>> No PFS
>> key lifetime: 86400 Seg
>>
>>
>> Based on that info I wrote the following config:
>>
>> conn hqgateACH-satgateACH
>>     left=%defaultroute
>>     leftsourceip=192.168.200.10
>>     leftnexthop=<openswan gateway>
>>     right=<Nortel box>
>>     rightnexthop=<openswan server>
>>     authby=secret
>>     keyexchange=ike
>>     ike=aes128-sha1-modp1024
>>     aggrmode=no
>>     ikelifetime=1h # 1.0h
>>     auth=esp
>>     esp=aes128
>>     pfs=no
>>     keylife=24h # 8.0h
>>     auto=start
>>
>> Then I started ipsec service, and for what I can see (and understand)
>> on /var/log/secure log, phase 1 ends successfully, the problem is with
>> phase 2 (IP addresses removed):
>>
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH":
>> route-host output: RTNETLINK answers: No such process
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> initiating Main Mode
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> ignoring unknown Vendor ID payload [424e45530000000a]
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> received Vendor ID payload [Dead Peer Detection]
>> Dec 22 10:26:01 cancerbero pluto[17691]: pluto_do_crypto: helper (0) is  exiting
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> STATE_MAIN_I2: sent MI2, expecting MR2
>> Dec 22 10:26:01 cancerbero pluto[17691]: pluto_do_crypto: helper (0) is  exiting
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> STATE_MAIN_I3: sent MI3, expecting MR3
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> ignoring informational payload, type IPSEC_INITIAL_CONTACT
>> msgid=00000000
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> Main mode peer ID is ID_IPV4_ADDR: '<nortel box ip address>'
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>> cipher=aes_128 prf=oakley_sha group=modp1024}
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #2:
>> initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using
>> isakmp#1 msgid:b1d29c92 proposal=AES(12)_128-SHA1(2)_160
>> pfsgroup=no-pfs}
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #2:
>> pluto_do_crypto: helper (0) is  exiting
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> ignoring informational payload, type INVALID_ID_INFORMATION
>> msgid=00000000
>> Dec 22 10:26:01 cancerbero pluto[17691]: "hqgateACH-satgateACH" #1:
>> received and ignored informational message
>>
>> and some minutes later:
>>
>> [b]Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH"
>> #39: max number of retransmissions (2) reached STATE_QUICK_I1.  No
>> acceptable response to our first Quick Mode message: perhaps peer
>> likes no proposal[/b]
>> Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH" #39:
>> starting keying attempt 39 of an unlimited number
>> Dec 22 11:10:21 cancerbero pluto[17691]: "hqgateACH-satgateACH" #41:
>> initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW to
>> replace #39 {using isakmp#40 msgid:f062b173
>> proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
>>
>> I suppose I have one value on the esp parameter wrong, but I have
>> tried all the values I have found on the net with no luck
>> (3des-md5,3des-sha1,aes128-sha1,aes128-md5).
>>
>> What I'm missing ?
>>
>> Thanks your help in advance.
>>
>> Cheers,
>> --
>> Juancho
>>
>

More information about the Users mailing list