[vpnc-devel] vpnc with Nortel Contivity Matt Chapman Thu Jun 9 21:51:50 CEST 2005 I've managed to get vpnc working with a Nortel Contivity VPN concentrator. Basically the differences are: * The group name and password are pre-transformed: key_id = SHA1(group_name) shared_key = HMAC_SHA1(group_name, SHA1(group_password)) * The XAUTH implementation follows draft-ietf-ipsec-isakmp-xauth-02.txt (whereas CISCO uses a later version). Specifically: - the encoding of the proposal is not defined in that spec, and Nortel does it differently - the XAUTH attributes have different numerical values (which overlap with Mode-Config, argh) - success/failure are encoded as Mode-Config message types 5/6 (or sometimes as an ISAKMP notify?) rather than in an attribute - the concentrator always sends 0 in XAUTH_TYPE and the client may have to return a different value (xauth-02 is not clear on whether this is allowed, it is not clarified until xauth-05). In my case I'm using an ActivCard token for which I have to specify 5 (SecurID). * Mode-Config is done as a push, i.e. the server sends SET, instead of a pull. * The concentrator wants to be the initiator in phase 2 quick mode, so we have to support being a responder. Thus the changes are fairly intrusive - phase 1 is common but XAUTH/Mode-Config/phase 2 diverge. If people are interested, I can clean up what I've done and send patches. Matt ---------------- I've tried to connect to my corporate VPN, but the only message I got was: vpnc: xauth packet unsupported: ATTRIBUTES_NOT_SUPPORTED Problem was found in xauth_type. In my case request attribute "xauth_type" consisted 5 as value. There is quick fix for this issue below. But... In the chapter 6.2 of the draft-beaulieu-ike-xauth-02.txt we can read: "XAUTH-TYPE - The type of extended authentication requested whose values are described in the next section. This is an optional attribute for the ISAKMP_CFG_REQUEST and ISAKMP_CFG_REPLY messages. If the XAUTH-TYPE is not present, then it is assumed to be Generic. The XAUTH-TYPE in a REPLY MUST be identical to the XAUTH-TYPE in the REQUEST." So I think the better way is to send reply with the same xauth_type value as in request. But I can't test it because our server always use 5 and never 0. Thanks. ---- Volodymyr Buell ------------ This ended up in the folowin patch if (ap->af != isakmp_attr_16 || !(ap->u.attr_16 == 0 || ap->u.attr_16 == 5)) reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED; xauth_type_requested = ap->u.attr_16; ---------------------- This patch didn't work in my NortelVPN setup I mad a buildflag of until a proper fix can be made so please set NORTELVPN_XAUTHTYPE_AS_REQUEST flag to vpnc.c to get this #ifdef NORTELVPN_XAUTHTYPE_AS_REQUEST if (ap->af != isakmp_attr_16 || !(ap->u.attr_16 == 0 || ap->u.attr_16 == 5)) reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED; xauth_type_requested = ap->u.attr_16; #else if (ap->af != isakmp_attr_16 || ap->u.attr_16 != 0) reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED; #endif /Zingo Andersen