vpnc-nortel disconnects after 30 seconds
I'm trying to get vpnc-nortel working with the company's VPN. On Windows we
use the Nortel Contivity client, but I prefer working with Linux and want to
get that going. I tried vpnc-nortel a few months ago and had no issue with
it working; however, I got a cease and desist e-mail from the administrators
saying it was causing an issue, but no details. A couple of months later
they said a patch had been applied to fix the problem and I could now
proceed. However, now when I try the client it disconnects after
approximately 30 seconds; during those 30 seconds the tunnel works fine, but
it always terminates. Here is the output of a session at debug level 2; any
ideas what I could be doing wrong?

vpnc version 0.5.3-469M

S1 init_sockaddr
[2011-11-08 20:06:49]

S2 make_socket
[2011-11-08 20:06:49]

S3 setup_tunnel
[2011-11-08 20:06:49]
using interface tun0

S4 do_phase1_am
[2011-11-08 20:06:49]

S4.1 create_nonce
[2011-11-08 20:06:49]

S4.2 dh setup
[2011-11-08 20:06:49]

S4.3 AM packet_1
[2011-11-08 20:06:49]

S4.4 AM_packet2
[2011-11-08 20:06:49]
(Nortel Contivity)
(Netlock NaT-SI)
IKE SA selected psk-3des-sha1
peer is Netlock NaT-SI
NAT status: NaT-SI

S4.5 AM_packet3
[2011-11-08 20:06:49]

S4.6 cleanup
[2011-11-08 20:06:49]

S5 do_phase2_xauth [1]
[2011-11-08 20:06:49]

S5.1 xauth_request
[2011-11-08 20:06:49]

S5.2 notice_check
[2011-11-08 20:06:49]

S5.3 type-is-xauth check
[2011-11-08 20:06:49]

S5.4 xauth type check
[2011-11-08 20:06:49]

S5.5 do xauth reply
[2011-11-08 20:06:49]

S5.2 notice_check
[2011-11-08 20:06:51]

S5.3 type-is-xauth check
[2011-11-08 20:06:51]

S5.6 process xauth set
[2011-11-08 20:06:51]

S5.8 xauth done
[2011-11-08 20:06:51]

S6 do_phase2_config [1]
[2011-11-08 20:06:51]

S6.2 phase2_config receive modecfg
[2011-11-08 20:06:51]
unknown attribute 6 / 0x6
unknown attribute 16392 / 0x4008
unknown attribute 16393 / 0x4009
unknown attribute 16394 / 0x400A
unknown attribute 16396 / 0x400C
QOTD server: run:
telnet x.x.x.x 17
Alternate server: x.x.x.x
unknown attribute 16399 / 0x400F
unknown attribute 16403 / 0x4013
unknown attribute 16400 / 0x4010
got address x.x.x.x

S6 do_phase2
[2011-11-08 20:06:51]

do_phase2: S7.5 QM_packet2 check reject offer
[2011-11-08 20:06:51]

do_phase2: S7.6 QM_packet2 check and process proposal
[2011-11-08 20:06:51]
got ipsec lifetime attributes: 28800 seconds
got peer udp encapsulation port: 10001
IPSEC SA selected aes256-sha1

do_phase2: S7.1 QM_packet1
[2011-11-08 20:06:51]

do_phase2: S7.7 QM_packet3 sent - run script
[2011-11-08 20:06:51]

S7 setup_link (phase 2 + main_loop)
[2011-11-08 20:06:51]

S7.0 run interface setup script
[2011-11-08 20:06:51]

S7.8 setup ipsec tunnel
[2011-11-08 20:06:51]

S7.9 main loop (receive and transmit ipsec packets)
[2011-11-08 20:06:51]
remote -> local spi: 0xd732c8b9
local -> remote spi: 0x8eafeead
VPNC started in foreground...
lifetime status: 0 of 28800 seconds used, 0|0 of 0 kbytes used
lifetime status: 0 of 28800 seconds used, 0|0 of 0 kbytes used
lifetime status: 0 of 28800 seconds used, 0|0 of 0 kbytes used
....
lifetime status: 22 of 28800 seconds used, 6|8 of 0 kbytes used
lifetime status: 22 of 28800 seconds used, 6|8 of 0 kbytes used
lifetime status: 23 of 28800 seconds used, 6|8 of 0 kbytes used
lifetime status: 23 of 28800 seconds used, 6|8 of 0 kbytes used
lifetime status: 23 of 28800 seconds used, 6|8 of 0 kbytes used
lifetime status: 26 of 28800 seconds used, 6|8 of 0 kbytes used
lifetime status: 27 of 28800 seconds used, 6|8 of 0 kbytes used
lifetime status: 27 of 28800 seconds used, 6|8 of 0 kbytes used
got late ike packet: 68 bytes

S7.8 setup ipsec tunnel
[2011-11-08 20:07:18]
lifetime status: 27 of 28800 seconds used, 6|8 of 0 kbytes used
got late ike packet: 84 bytes
got isakmp-delete, terminating...
vpnc[5244]: connection terminated by peer

S7.10 send ipsec termination message
[2011-11-08 20:07:18]

S7.11 send isakmp termination message
[2011-11-08 20:07:18]

S8 close_tunnel
[2011-11-08 20:07:18]

S9 cleanup
[2011-11-08 20:07:19]

Re: vpnc-nortel disconnects after 30 seconds
Hi Gerald,

On 09.11.2011 02:23, Gerald Nunn wrote:

> I'm trying to get vpnc-nortel working with the company's VPN. On Windows we
> use the Nortel Contivity client, but I prefer working with Linux and want to
> get that going. I tried vpnc-nortel a few months ago and had no issue with
> it working; however, I got a cease and desist e-mail from the administrators
> saying it was causing an issue, but no details. A couple of months later
> they said a patch had been applied to fix the problem and I could now
> proceed. However, now when I try the client it disconnects after
> approximately 30 seconds; during those 30 seconds the tunnel works fine, but
> it always terminates. Here is the output of a session at debug level 2; any
> ideas what I could be doing wrong?


I think it is simply a mode not yet supported by vpnc. See below.


> S6.2 phase2_config receive modecfg
> [2011-11-08 20:06:51]
> unknown attribute 6 / 0x6
> unknown attribute 16392 / 0x4008


Don't know what 0x4008 is, but...

> unknown attribute 16393 / 0x4009


./nortel/ike/nortel_inf.h:#define KEEPALIVE_TIME_INTERVAL 0x4009

> unknown attribute 16394 / 0x400A

> unknown attribute 16396 / 0x400C


no idea

> QOTD server: run:
> telnet x.x.x.x 17
> Alternate server: x.x.x.x
> unknown attribute 16399 / 0x400F


./nortel/ike/nortel_inf.h:#define CFG_NAT_KEEPALIVE_INTERVAL 0x400F

> unknown attribute 16403 / 0x4013
> unknown attribute 16400 / 0x4010


again no idea

> got address x.x.x.x
>
> S6 do_phase2
> [2011-11-08 20:06:51]
>
> do_phase2: S7.5 QM_packet2 check reject offer
> [2011-11-08 20:06:51]
>
> do_phase2: S7.6 QM_packet2 check and process proposal
> [2011-11-08 20:06:51]
> got ipsec lifetime attributes: 28800 seconds
> got peer udp encapsulation port: 10001
> IPSEC SA selected aes256-sha1
>
> do_phase2: S7.1 QM_packet1
> [2011-11-08 20:06:51]
>
> do_phase2: S7.7 QM_packet3 sent - run script
> [2011-11-08 20:06:51]
>
> S7 setup_link (phase 2 + main_loop)
> [2011-11-08 20:06:51]
>
> S7.0 run interface setup script
> [2011-11-08 20:06:51]
>
> S7.8 setup ipsec tunnel
> [2011-11-08 20:06:51]
>
> S7.9 main loop (receive and transmit ipsec packets)
> [2011-11-08 20:06:51]
> remote -> local spi: 0xd732c8b9
> local -> remote spi: 0x8eafeead
> VPNC started in foreground...
> lifetime status: 0 of 28800 seconds used, 0|0 of 0 kbytes used
> lifetime status: 0 of 28800 seconds used, 0|0 of 0 kbytes used
> lifetime status: 0 of 28800 seconds used, 0|0 of 0 kbytes used
> ....
> lifetime status: 22 of 28800 seconds used, 6|8 of 0 kbytes used
> lifetime status: 22 of 28800 seconds used, 6|8 of 0 kbytes used
> lifetime status: 23 of 28800 seconds used, 6|8 of 0 kbytes used
> lifetime status: 23 of 28800 seconds used, 6|8 of 0 kbytes used
> lifetime status: 23 of 28800 seconds used, 6|8 of 0 kbytes used
> lifetime status: 26 of 28800 seconds used, 6|8 of 0 kbytes used
> lifetime status: 27 of 28800 seconds used, 6|8 of 0 kbytes used
> lifetime status: 27 of 28800 seconds used, 6|8 of 0 kbytes used
> got late ike packet: 68 bytes

>
> S7.8 setup ipsec tunnel
> [2011-11-08 20:07:18]
> lifetime status: 27 of 28800 seconds used, 6|8 of 0 kbytes used
> got late ike packet: 84 bytes
> got isakmp-delete, terminating...
> vpnc[5244]: connection terminated by peer


It looks like the remote end is terminating the connection.
Maybe it is expecting a keepalive packet every 20 seconds or such?

--
Stefan Seyfried

"Dispatch war rocket Ajax to bring back his body!"
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/

Re: vpnc-nortel disconnects after 30 seconds
Thanks for the reply, Stefan; you could be right. Interestingly, since I posted
this I found that if I comment out the "NAT Traversal Mode nortel-udp"
line in my config it appears to work fine now.

Cheers,

Gerald

On Fri, Nov 11, 2011 at 7:02 AM, Stefan Seyfried <
stefan.seyfried@googlemail.com> wrote:

Re: vpnc-nortel disconnects after 30 seconds
Hi Gerald,

the unknown attributes you got are interesting; I don't remember ever
getting such numbers, but I always use a very old Nortel server.
If you agree, please send us a dump with "--debug 3" so we can analyse them.

Also very interesting is the fact that vpnc works without NATT (so in ESP
encapsulation mode) while it closes after 30 seconds in NATT mode.
I have already met this "30 seconds" behaviour in other situations.
The Nortel server includes a "Quote Of The Day" (QOTD) service. This info
is decoded and printed by vpnc, but not used. In your dump:
> QOTD server: run:
> telnet x.x.x.x 17
Probably no need to hide the IP address, since it's normally an IP
inside the VPN network, so not visible from the internet. Anyway, this is
not relevant.
This QOTD service is responsible for the pop-up message that you
probably get with the Windows client. Usually it's something like "this
service is provided by company XYZ. If you are not authorized, close
the connection".
The Nortel server can be instructed to refuse connections in some
special cases, e.g. if the client is too old or suspected to have some
security hole.
In this case the pop-up message should say something like "client
older than version x.y.z is not allowed".
The QOTD service is at an IP inside the VPN, so the only way to make
it accessible is to open the VPN for a short period (30 seconds) so the
client can connect to it, read the message and print the pop-up; then the
VPN connection is closed by the server.

I'm really interested to know why NATT is not allowed while ESP is OK.
Could you please try again with NATT enabled and, during the 30
seconds, run "telnet x.x.x.x 17"?
You should get the text message that explains the reason.

Best Regards,
Antonio Borneo
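As an added example (not code from this thread or from vpnc itself), a small Python parser that pulls out of a --debug 2 session the facts this thread turned on: the modecfg attributes vpnc rejected (named only where Stefan's grep of nortel_inf.h identified them), whether UDP encapsulation, i.e. the NAT-T mode Gerald disabled, was negotiated, whether the peer sent an isakmp-delete, and the seconds between the main loop starting and the teardown. The log excerpt is constructed in the shape of Gerald's output; the step names S7.9 and S7.10 are taken from it.

```python
import re
from datetime import datetime

# Two codes Stefan matched in vpnc's nortel/ike/nortel_inf.h; any other is "unidentified".
KNOWN_MODECFG_ATTRS = {0x4009: "KEEPALIVE_TIME_INTERVAL",
                       0x400F: "CFG_NAT_KEEPALIVE_INTERVAL"}
# Constructed excerpt with the same line shapes as the posted --debug 2 output.
SAMPLE_LOG = """\
S6.2 phase2_config receive modecfg
[2011-11-08 20:06:51]
unknown attribute 16393 / 0x4009
unknown attribute 16399 / 0x400F
unknown attribute 16403 / 0x4013
got peer udp encapsulation port: 10001
S7.9 main loop (receive and transmit ipsec packets)
[2011-11-08 20:06:51]
lifetime status: 27 of 28800 seconds used, 6|8 of 0 kbytes used
got isakmp-delete, terminating...
S7.10 send ipsec termination message
[2011-11-08 20:07:18]
"""

ATTR_RE = re.compile(r"unknown attribute \d+ / 0x([0-9A-Fa-f]+)$")
STAMP_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]$")
LIFE_RE = re.compile(r"lifetime status: (\d+) of \d+ seconds")

def parse_session(text):
    """Rejected modecfg attributes, NAT-T yes/no, peer delete yes/no, and the
    seconds from the start of the main loop (S7.9) to the teardown (S7.10)."""
    attrs, stamps, step, last_life = {}, {}, None, 0
    natt = delete = False
    for line in text.splitlines():
        if (m := ATTR_RE.match(line)):
            code = int(m.group(1), 16)
            attrs[code] = KNOWN_MODECFG_ATTRS.get(code, "unidentified")
        elif (m := LIFE_RE.match(line)):
            last_life = int(m.group(1))          # last "N of 28800 seconds used"
        elif line.startswith("got peer udp encapsulation port"):
            natt = True                          # UDP encapsulation = NAT-T mode
        elif line.startswith("got isakmp-delete"):
            delete = True                        # remote end tore the SA down
        elif re.match(r"S\d", line):
            step = line.split()[0]               # step header such as "S7.9"
        elif (m := STAMP_RE.match(line)) and step:
            stamps[step] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    up, down = stamps.get("S7.9"), stamps.get("S7.10")
    secs = (down - up).total_seconds() if up and down else None
    return {"unknown_attrs": attrs, "nat_traversal": natt, "peer_sent_delete":
            delete, "tunnel_seconds": secs, "last_lifetime_seconds": last_life}
```

Run it over a full session to see at a glance whether the drop is peer-initiated, whether NAT-T was in play, and how far from the 30-second mark the teardown landed.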