
vpnc-nortel disconnects after 30 secs
Hi,

I've noticed that after commit 511, vpnc complains about the NAT Traversal
mode and makes you choose either none or nortel-udp. The first one doesn't
work, as I can connect but can't ping or do anything; the second one
connects and works, but after exactly 30 seconds it terminates. Here's the
debug log...

S7.8 setup ipsec tunnel
[2012-03-09 12:46:25]
lifetime status: 31 of 28800 seconds used, 2|11 of 0 kbytes used
received something on ike fd..
got late ike packet: 84 bytes
BEGIN_PARSE
Received Packet Len: 84
i_cookie: f713574e a932c657
r_cookie: 458138f2 d1e27696
payload: 08 (ISAKMP_PAYLOAD_HASH)
isakmp_version: 10
exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
flags: 01
message_id: 3d72d8e9
len: 00000054

PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
next_type: 0c (ISAKMP_PAYLOAD_D)
length: 0018
ke.data:
002a8425 b48f4e6f 979159b9 6e506283 3eee5aa5
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)

PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 001c
d.doi: 00000001 (ISAKMP_DOI_IPSEC)
d.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
d.spi_length: 10
d.num_spi: 0001
d.spi: f713574e a932c657 458138f2 d1e27696
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
extra data: 00000000
PARSE_OK
hashlen: 20
u.hash.length: 20
expected_hash:
002a8425 b48f4e6f 979159b9 6e506283 3eee5aa5
h->u.hash.data:
002a8425 b48f4e6f 979159b9 6e506283 3eee5aa5
got isakmp-delete, terminating...
connection terminated by peer

S7.10 send ipsec termination message
[2012-03-09 12:46:26]
size = 44, blksz = 8, padding = 4

sending: ========================>
BEGIN_PARSE
Received Packet Len: 76
i_cookie: f713574e a932c657
r_cookie: 458138f2 d1e27696
payload: 08 (ISAKMP_PAYLOAD_HASH)
isakmp_version: 10
exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
flags: 01
message_id: 39000000
len: 0000004c

PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
next_type: 0c (ISAKMP_PAYLOAD_D)
length: 0018
ke.data:
0dfbc473 6b2937b4 d081ab1a d8606865 7a01d1d3
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)

PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0014
d.doi: 00000001 (ISAKMP_DOI_IPSEC)
d.protocol: 03 (ISAKMP_IPSEC_PROTO_IPSEC_ESP)
d.spi_length: 04
d.num_spi: 0002
d.spi: 2297969c
d.spi: c83b950f
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
extra data: 00000000
PARSE_OK

S7.11 send isakmp termination message
[2012-03-09 12:46:26]
size = 52, blksz = 8, padding = 4

sending: ========================>
BEGIN_PARSE
Received Packet Len: 84
i_cookie: f713574e a932c657
r_cookie: 458138f2 d1e27696
payload: 08 (ISAKMP_PAYLOAD_HASH)
isakmp_version: 10
exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
flags: 01
message_id: ed000000
len: 00000054

PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
next_type: 0c (ISAKMP_PAYLOAD_D)
length: 0018
ke.data:
3a81879e 95931ea5 96b8fe90 a21330dd 15757bb9
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)

PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 001c
d.doi: 00000001 (ISAKMP_DOI_IPSEC)
d.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
d.spi_length: 10
d.num_spi: 0001
d.spi: f713574e a932c657 458138f2 d1e27696
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
extra data: 00000000
PARSE_OK

S8 close_tunnel
[2012-03-09 12:46:26]

Version r510 works just fine....

Thanks,
Mariano
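
An added example, not part of the original post or of vpnc: it walks vpnc debug output like the log above and reports each ISAKMP Delete payload with its direction and the SA age taken from the last "lifetime status" line. The function names are hypothetical, and the sample is abridged from the log in the post.

```python
import re

# Abridged from the debug log in the post above (only the lines the triage needs).
SAMPLE_LOG = """\
lifetime status: 31 of 28800 seconds used, 2|11 of 0 kbytes used
received something on ike fd..
got late ike packet: 84 bytes
message_id: 3d72d8e9
PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
d.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
d.spi_length: 10
d.spi: f713574e a932c657 458138f2 d1e27696
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
got isakmp-delete, terminating...
sending: ========================>
message_id: 39000000
PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
d.protocol: 03 (ISAKMP_IPSEC_PROTO_IPSEC_ESP)
d.spi: 2297969c
d.spi: c83b950f
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
"""

def find_deletes(log_text):
    """Return one record per ISAKMP Delete payload, with direction and SA age."""
    deletes, direction, age, cur, msg_id = [], None, None, None, None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted ("> ") logs
        if m := re.match(r"lifetime status: (\d+) of (\d+) seconds used", line):
            age = (int(m.group(1)), int(m.group(2)))
        elif line.startswith(("received something", "got late ike packet")):
            direction = "received"
        elif line.startswith("sending:"):
            direction = "sent"
        elif m := re.match(r"message_id: ([0-9a-f]+)", line):
            msg_id = m.group(1)
        elif line.startswith("PARSING PAYLOAD type: 0c"):
            cur = {"direction": direction, "message_id": msg_id, "age": age, "spis": []}
        elif cur is not None and (m := re.match(r"d\.protocol: \w+ \((\w+)\)", line)):
            cur["protocol"] = m.group(1)
        elif cur is not None and line.startswith("d.spi:"):
            cur["spis"].append(line.split(":", 1)[1].replace(" ", ""))
        elif cur is not None and line.startswith("DONE PARSING PAYLOAD type: 0c"):
            deletes.append(cur)
            cur = None
    return deletes

def peer_initiated(deletes):
    """True when the first Delete seen was received, i.e. the peer tore the SA down."""
    return bool(deletes) and deletes[0]["direction"] == "received"
```

On the sample, the first record is a received delete for the ISAKMP SA at 31 of 28800 seconds, followed by the client's own ESP delete.
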
Re: vpnc-nortel disconnects after 30 secs
I had the exact same problem with the Nortel VPN at my client. I happened
to comment out the NAT Traversal Mode one day and it started working; I'm
not sure what the default for this is.

Gerald

On Fri, Mar 9, 2012 at 10:59 AM, Mariano Wahlmann <
Mariano.Wahlmann@gmail.com> wrote:

> Hi,
>
> I've noticed that after commit 511, vpnc complains about the NAT Traversal
> mode and makes you choose either none or nortel-udp. The first one doesn't
> work, as I can connect but can't ping or do anything; the second one
> connects and works, but after exactly 30 seconds it terminates. Here's the
> debug log...
Re: vpnc-nortel disconnects after 30 secs
On Fri, Mar 9, 2012 at 11:59 PM, Mariano Wahlmann
<Mariano.Wahlmann@gmail.com> wrote:
> Hi,
>
> I've noticed that after commit 511, vpnc complains about the NAT Traversal
> mode and makes you choose either none or nortel-udp. The first one doesn't
> work, as I can connect but can't ping or do anything; the second one connects
> and works, but after exactly 30 seconds it terminates. Here's the debug
> log...
>
> <snip>

Hi Mariano,
thank you for the info.

I have added the strict check on NAT Traversal mode in commit r514.
The other commits after r511 should not impact functionality.
I would kindly ask you to test r513 and the latest r514 to confirm that
the issue is located in r514.

I would also ask you to send the log ("--debug 2") from a version
older than r514, either your working one or r513.
In this test, leave the "--natt-mode" field empty or, better, put the
default value "--natt-mode natt".
I'm interested in the log up to the point where the connection is established.

I suspect that the Nortel concentrator accepts another NATT mode I have
never observed before. This mode was active in your configuration and
I "removed" it with my last commit.

Best Regards,
Antonio Borneo
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/