Mailing List Archive

Vpnc with a Nortel Contivity
Has anyone tried to get vpnc to work with a Nortel Contivity on RH9, FC1, or
FC2? Nortels use a similar configuration (group ID, group pwd, username,
userpwd).

There is very poor support for Linux from Nortel. Their Linux client is
provided by a 3rd party company that doesn't yet support RH9, much less FC1
or FC2. I have tried to connect one and got invalid_exchange_type.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht CISSP | MCSE
Sr. Security Administrator via BlackBerry
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Never be afraid to try something new.
Remember, amateurs built the ark; professionals built the Titanic.

This email may contain confidential and privileged information for the sole
use of the intended recipient. Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact
the sender and delete all copies of this email message.
Vpnc with a Nortel Contivity [ In reply to ]
hi,

> Has anyone tried to get vpnc to work with a Nortel Contivity on RH9, FC1, or
> FC2? Nortels use a similar configuration (group ID, group pwd, username,
> userpwd).
>
> There is very poor support for Linux from Nortel. Their Linux client is
> provided by a 3rd party company that doesn't yet support RH9, much less FC1
> or FC2. I have tried to connect one and got invalid_exchange_type.

From what I have heard, Nortel uses ISAKMP a bit differently,
but I have no idea what they expect ... a full trace of a successful
connection would be helpful ... does the Nortel client provide
enough debugging info?

cu
maurice
Vpnc with a Nortel Contivity [ In reply to ]
I am not sure about the Nortel client, but I can definitely get a tcpdump of
the failing connection. Will that help? I will check with Nortel about
client debugging options.

I am also going to check with them about using a cisco client with the
Nortel. Maybe that will help determine if vpnc will work.

When using vpnc, I am getting "No proposal chosen in the message from the
client" error.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht CISSP | MCSE
Sr. Security Administrator via BlackBerry
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
http://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
Vpnc with a Nortel Contivity [ In reply to ]
hi,

> I am not sure about the Nortel client, but I can definitely get a tcpdump of
> the failing connection. Will that help? I will check with Nortel about
> client debugging options.
>
> I am also going to check with them about using a cisco client with the
> Nortel. Maybe that will help determine if vpnc will work.
>
> When using vpnc, I am getting "No proposal chosen in the message from the
> client" error.

a tcpdump will not help much, because most of the isakmp communication
is encrypted...

I had already received a dump of the first few cleartext packets
of a connection with the Nortel client, but even these are substantially
different. Nortel does not follow draft-beaulieu-ike-xauth-02.txt
(they don't use authentication type XAUTHInitPreShared (65001) nor
do they send an xauth vendor id) and I doubt they will do things
similar to xauth later on..

so to be able to support Nortel devices I need to know what to
send when ... a specification would be very helpful (-;
alternatively a trace of what is going on could be used to guess
what is going on (complete with a name, id and value of each
attribute sent)

if you happen to have access to the server, maybe there are debugging
options to get this information?

cu
maurice
Vpnc with a Nortel Contivity [ In reply to ]
Makes sense about tcpdump. Didn't think it through that far.

I'm an admin of the Nortel, so I do have access to it. :)

I will have to check how verbose the debugging can get on the Nortel.
I'll be back in the office on Monday. I'll also check with Nortel about a
specification document.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht CISSP | MCSE
Sr. Security Administrator via BlackBerry
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Vpnc with a Nortel Contivity [ In reply to ]
According to Nortel, they follow the RFCs strictly. They do not have any
documentation (so they say) on each step taken to create the tunnel.

What encryption types are supported by vpnc for each phase of tunnel
negotiation?

Here are the options available on the Nortels:

Encryption:
ESP - Triple DES with MD5
ESP - 56-bit DES with MD5
ESP - 40-bit DES with MD5
AH - Authentication Only (HMAC-MD5)

IKE Encryption and DH group:
56-bit DES with Group 1 (768-bit prime)
Triple DES with Group 2 (1024-bit prime)
Triple DES with Group 7 (ECC 163-bit field)

The Nortels also support compression and PFS, but both are currently turned
off. The error message I am getting is:

06/09/2004 09:42:06 0 ISAKMP [02] Deleting ISAKMP SA with x.x.x.x
06/09/2004 09:42:06 0 ISAKMP [13] No proposal chosen in message from x.x.x.x

According to Nortel, this could be caused by a couple issues.

1. The requested authentication method (for example, RSA Digital Signature)
is not enabled.

2. One side of the connection is configured to support dynamic routing while
the other side is configured for static routing, where branch office is xxx.

3. Both sides are configured to support static routing. However, the local
and remote network definitions of the two sides do not match, where branch
office is xxx.

4. The Perfect Forward Secrecy (PFS) setting of the two sides do not match.
Branch office xxx does not have PFS enabled, while PFS is required by the
local settings.

5. The proposal made by the local gateway has been rejected by a Contivity
VPN Client. This usually indicates that the client is using an international
version (56-bit) while the gateway has stronger encryption enabled.

6. The proposal made by the local gateway has been rejected by a remote
branch office gateway, or by an IPsec implementation from another vendor.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht CISSP | MCSE
Sr. Security Administrator
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Vpnc with a Nortel Contivity [ In reply to ]
hi,

thanks for your efforts,

> According to Nortel, they follow the RFCs strictly. They do not have any
> documentation (so they say) on each step taken to create the tunnel.

I do not know any RFC which supports individual user authentication.
xauth is an expired ietf-draft...

so my question is:
in which way are "Group ID", "Group Password", "Username" and "Password"
used by a Nortel client?

with cisco, "Group ID" is sent as an ID Payload (type: ID_KEY)
"Group Password" is used as Pre-Shared-Key

and Username/Password are used as User/Pass with xauth..
to me, it looks like Nortel is not using xauth (which is
a security headache anyway) because they are neither sending
an xauth Vendor-ID Payload nor are they using Xauth as
ike "authentication type" ...

so, how is the Username/Password information sent to the Security Gateway?

> What encryption types are supported by vpnc for each phase of tunnel
> negotiation?
>
> Here are the options available on the Nortels:
>
> Encryption:
> ESP - Triple DES with MD5
> ESP - 56-bit DES with MD5
> ESP - 40-bit DES with MD5
> AH - Authentication Only (HMAC-MD5)

vpnc supports the first 2

> IKE Encryption and DH group:
> 56-bit DES with Group 1 (768-bit prime)
> Triple DES with Group 2 (1024-bit prime)
> Triple DES with Group 7 (ECC 163-bit field)

Triple DES is supported, 56-bit DES only if explicitly enabled.
Group 1, 2 and 5 are supported, Group 7 not.
vpnc has no restrictions on which Group can be used with which Encryption
(this can be considered a bug, because Group 1 just provides enough randomness
for 56-bit DES but not for Triple DES and so on)

> The Nortels also support compression and PFS, but both are currently turned
> off.. The error message I am getting is:
>
> 06/09/2004 09:42:06 0 ISAKMP [02] Deleting ISAKMP SA with x.x.x.x
> 06/09/2004 09:42:06 0 ISAKMP [13] No proposal chosen in message from x.x.x.x
>
> According to Nortel, this could be caused by a couple issues.
>
> 1. The requested authentication method (for example, RSA Digital Signature)
> is not enabled.

this is the case.
vpnc requests XAUTHInitPreShared(65001) as authentication method
instead of for example PreSharedKey(1)

cu
maurice
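The rejection Maurice diagnoses above, worked as an added example (not code from the thread or from vpnc): it encodes a phase-1 transform's ISAKMP attributes the way a client would send them, parses them back, and applies a constructed model of the Contivity policy quoted earlier in the thread (the three IKE cipher/DH pairings with MD5, pre-shared-key authentication only). The attribute type and value numbers are from RFC 2409 Appendix A and RFC 2408 section 3.3; the policy model, the function names and the cipher/group adequacy check are assumptions of this example.

```python
import struct

# IKEv1 phase-1 attribute types and values (RFC 2409 Appendix A); 65001 is
# XAUTHInitPreShared from draft-beaulieu-ike-xauth, as the thread states.
ENC, HASH, AUTH, GROUP = 1, 2, 3, 4
DES, TRIPLE_DES = 1, 5
MD5 = 1
PSK, XAUTH_INIT_PSK = 1, 65001
GROUP1, GROUP2, GROUP5, GROUP7 = 1, 2, 5, 7

def encode_attrs(attrs):
    """Encode ISAKMP data attributes in basic (TV) form: AF bit set, 2-byte value."""
    return b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)

def decode_attrs(data):
    """Parse TV and TLV attributes (RFC 2408 section 3.3) into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        t, v = struct.unpack_from("!HH", data, i)
        if t & 0x8000:  # TV form: v is the value itself
            attrs[t & 0x7FFF] = v
            i += 4
        else:           # TLV form: v is the length of the value that follows
            attrs[t] = int.from_bytes(data[i + 4:i + 4 + v], "big")
            i += 4 + v
    return attrs

# Constructed model of the Contivity policy quoted in the thread: the listed
# IKE cipher/DH pairings, and only plain pre-shared-key authentication enabled.
IKE_PAIRINGS = {(DES, GROUP1), (TRIPLE_DES, GROUP2), (TRIPLE_DES, GROUP7)}
ENABLED_AUTH = {PSK}

def gateway_select(transform_bytes):
    """Return 'ACCEPTED' or 'NO_PROPOSAL_CHOSEN: <reason>' for one transform."""
    a = decode_attrs(transform_bytes)
    if a.get(AUTH) not in ENABLED_AUTH:
        return f"NO_PROPOSAL_CHOSEN: auth method {a.get(AUTH)} not enabled"
    if (a.get(ENC), a.get(GROUP)) not in IKE_PAIRINGS:
        return f"NO_PROPOSAL_CHOSEN: enc {a.get(ENC)} with group {a.get(GROUP)}"
    return "ACCEPTED"

# The cipher/group pairing check vpnc lacks (assumed thresholds): MODP bits per
# group and the minimum a cipher needs. Non-MODP groups such as 7 return False.
MODP_BITS = {GROUP1: 768, GROUP2: 1024, GROUP5: 1536}
MIN_MODP_BITS = {DES: 768, TRIPLE_DES: 1024}

def group_adequate(enc, group):
    return MODP_BITS.get(group, 0) >= MIN_MODP_BITS[enc]

# vpnc's proposal as Maurice describes it, and the same transform with PSK(1).
VPNC_PROPOSAL = encode_attrs(
    [(ENC, TRIPLE_DES), (HASH, MD5), (AUTH, XAUTH_INIT_PSK), (GROUP, GROUP2)])
PSK_PROPOSAL = encode_attrs(
    [(ENC, TRIPLE_DES), (HASH, MD5), (AUTH, PSK), (GROUP, GROUP2)])
```

Running `gateway_select` on both constants shows the thread's outcome: the transform carrying authentication method 65001 is refused, while the identical transform with PreSharedKey(1) is accepted by the modelled policy.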
Vpnc with a Nortel Contivity [ In reply to ]
I have a successful capture of the initial tunnel packets from a Nortel
client. I am sending it to account directly.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht CISSP | MCSE
Sr. Security Administrator
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-