On Sun, Jul 1, 2012 at 4:49 AM, Glen Henderson <gahenders@gmail.com> wrote:
>
> I have seen this issue referenced before but I have not yet come across a resolution. I am using vpnc version 517 on Mac connecting to a Nortel VPN using token based authentication in nortel-udp NAT mode. I am able to connect and ping remote resources but after 30 seconds or so my session is disconnected. I saw mention a while back that there may be an unsupported NAT mode at work here. Is this a known issue or should I upload some debug logs to help diagnose this problem.
>
> Cheers
> Glen
> Gahenders@gmail.com
Hi Glen,
it seams I forgot to commit one patch about "Quote Of The Day" server
in Nortel branch.
I need to recover the old patch to rebase and commit it.
In the mean time, here are some info for you to check.
Using the official Nortel client and after the IPSec connection is
established, a pop-up window is opened containing a message prepared
by your network administrator.
A QOTD server is responsible to send the content of the pop-up window
to the client.
Current vpnc-nortel does not decode the QOTD server info, does not
contact the server, does not print the pop-up message.
The QOTD server is inside the vpn protected network, so can only be
accessed when IPSec connection is active.
Network administrator can instruct the concentrator to check the
version of the client.
If version is older than expected, the concentrator replaces the QOTD
message with an automatic error message reporting the lowest allowed
version of the client.
To print the error message, the concentrator have to complete the
set-up of IPSec network, let client connect to QOTD server (inside the
protected network), then drop the connection after 30 seconds timeout.
I think this is the reason of your issue.
Now, how to verify:
run vpnc-nortel with flag "--debug 3" and perform a complete
connection (that would be dropped in 30 seconds).
Search inside the output the dumped packet with header:
"S6.2 phase2_config receive modecfg"
Inside this packet look for following lines:
t.attributes.type: 400e (unknown)
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 0a000115
This is the info you need to connect to the QOTD server.
The attribute type "400e" is QOTD server; following data reports IP
address of the server.
In my case it is 10.0.1.21, written in hex format.
Now you have all info you need.
Connect again to your server and be ready to use the 30 seconds of
working connection to type in a shell (of course, replace with the IP
address you get):
telnet 10.0.1.21 17
You will get the error message from the server.
Once you know what is the client version that is expected, just tune
the config file of your vpnc with proper field "Nortel Client ID" or
try with command line flag "--nortel-client-id".
You can print all the available codes with "vpnc --nortel-client-id list"
Let me know if this works
Best Regards
Antonio Borneo
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel http://www.unix-ag.uni-kl.de/~massar/vpnc/