-
Notifications
You must be signed in to change notification settings - Fork 0
/
nortel.txt
89 lines (66 loc) · 3.13 KB
/
nortel.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
[vpnc-devel] vpnc with Nortel Contivity
Matt Chapman <matthewc@cse.unsw.edu.au>
Thu Jun 9 21:51:50 CEST 2005
I've managed to get vpnc working with a Nortel Contivity VPN
concentrator.
Basically the differences are:
* The group name and password are pre-transformed:
key_id = SHA1(group_name)
shared_key = HMAC_SHA1(group_name, SHA1(group_password))
* The XAUTH implementation follows
draft-ietf-ipsec-isakmp-xauth-02.txt (whereas CISCO uses a
later version). Specifically:
- the encoding of the proposal is not defined in that spec,
and Nortel does it differently
- the XAUTH attributes have different numerical values
(which overlap with Mode-Config, argh)
- success/failure are encoded as Mode-Config message types
5/6 (or sometimes as an ISAKMP notify?) rather than in
an attribute
- the concentrator always sends 0 in XAUTH_TYPE and the
client may have to return a different value (xauth-02 is
not clear on whether this is allowed, it is not
clarified until xauth-05). In my case I'm using an
ActivCard token for which I have to specify 5 (SecurID).
* Mode-Config is done as a push, i.e. the server sends SET,
instead of a pull.
* The concentrator wants to be the initiator in phase 2
quick mode, so we have to support being a responder.
Thus the changes are fairly intrusive - phase 1 is common
but XAUTH/Mode-Config/phase 2 diverge.
If people are interested, I can clean up what I've done
and send patches.
Matt
----------------
I've tried to connect to my corporate VPN, but the only message I got was:
vpnc: xauth packet unsupported: ATTRIBUTES_NOT_SUPPORTED
Problem was found in xauth_type. In my case request attribute "xauth_type" consisted 5 as value. There is quick
fix for this issue below. But...
In the chapter 6.2 of the draft-beaulieu-ike-xauth-02.txt we can read:
"XAUTH-TYPE - The type of extended authentication requested whose
values are described in the next section. This is an optional
attribute for the ISAKMP_CFG_REQUEST and ISAKMP_CFG_REPLY messages.
If the XAUTH-TYPE is not present, then it is assumed to be Generic.
The XAUTH-TYPE in a REPLY MUST be identical to the XAUTH-TYPE in the
REQUEST."
So I think the better way is to send reply with the same xauth_type value as in request. But I can't test it
because our server always use 5 and never 0.
Thanks.
----
Volodymyr Buell
------------ This ended up in the folowin patch
if (ap->af != isakmp_attr_16 || !(ap->u.attr_16 == 0 || ap->u.attr_16 == 5))
reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
xauth_type_requested = ap->u.attr_16;
----------------------
This patch didn't work in my NortelVPN setup I mad a buildflag of until a proper fix can be made
so please set NORTELVPN_XAUTHTYPE_AS_REQUEST flag to vpnc.c to get this
#ifdef NORTELVPN_XAUTHTYPE_AS_REQUEST
if (ap->af != isakmp_attr_16 || !(ap->u.attr_16 == 0 || ap->u.attr_16 == 5))
reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
xauth_type_requested = ap->u.attr_16;
#else
if (ap->af != isakmp_attr_16 || ap->u.attr_16 != 0)
reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
#endif
/Zingo Andersen