
Mailing List Archive: vpnc: devel

vpnc-nortel

 

 



m0livier at orange

Jul 4, 2007, 6:56 PM

Post #1 of 8 (1072 views)
vpnc-nortel

Hi all,

I have tried the vpnc-nortel branch to see if I can connect to my office,
but like other users I got this error:

./vpnc: response was invalid [1]: INVALID_EXCHANGE_TYPE

I looked at the src code and the problem seems to be here:

if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_AGGRESSIVE)

The exchange_type I received is in fact ISAKMP_EXCHANGE_INFORMATIONAL.


With the Apani client, which works, here is what I get by tcpdumping my
network interface:

ME                            DEST

1. phase 1 I agg  ---->
                  <----  2. phase 1 R inf
3. phase 1 I agg  ---->
                  <----  4. phase 1 R inf
5. phase 1 I agg  ---->
                  <----  6. phase 1 R agg
[...]

So I think there really is an ISAKMP_EXCHANGE_INFORMATIONAL received
first.

Hum. OK, I don't know if this can help someone but ...

Regards,


_______________________________________________
vpnc-devel mailing list
vpnc-devel[at]unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
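
The exchange in the capture above, as an added example that is not part of the original post and is not vpnc's code: a hypothetical classify_response() reads the exchange type from the ISAKMP header (values from RFC 2408) and treats an informational message as a notification to skip instead of an invalid phase 1 reply. The helper names and the header-only sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Exchange type values from RFC 2408, section 3.1. */
enum { ISAKMP_EXCHANGE_IDENT_PROTECT = 2,   /* main mode */
       ISAKMP_EXCHANGE_AGGRESSIVE = 4, ISAKMP_EXCHANGE_INFORMATIONAL = 5 };
/* Header: cookies 0-15, next payload 16, version 17, exchange type 18,
   flags 19, message id 20-23, total length 24-27 (big endian). */
#define ISAKMP_HDR_LEN  28
#define ISAKMP_XCHG_OFF 18
enum verdict { PKT_MALFORMED = -1, PKT_PHASE1_REPLY, PKT_NOTIFICATION, PKT_UNEXPECTED };

/* Hypothetical helper: classify one received datagram by its ISAKMP header. */
enum verdict classify_response(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < ISAKMP_HDR_LEN)
        return PKT_MALFORMED;
    uint32_t declared = (uint32_t)pkt[24] << 24 | (uint32_t)pkt[25] << 16 |
                        (uint32_t)pkt[26] << 8 | (uint32_t)pkt[27];
    if (declared < ISAKMP_HDR_LEN || declared > len)
        return PKT_MALFORMED;   /* length field disagrees with the datagram */
    switch (pkt[ISAKMP_XCHG_OFF]) {
    case ISAKMP_EXCHANGE_AGGRESSIVE:    return PKT_PHASE1_REPLY;
    case ISAKMP_EXCHANGE_INFORMATIONAL: return PKT_NOTIFICATION; /* no SA protects it yet */
    default:                            return PKT_UNEXPECTED;   /* e.g. main mode */
    }
}

/* Replay responder packets (constructed, header only) in order; return the
   1-based position of the first aggressive reply, skipping notifications,
   or 0 if something else arrives first or no reply arrives at all. */
int first_phase1_reply(const uint8_t *types, int n)
{
    for (int i = 0; i < n; i++) {
        uint8_t pkt[ISAKMP_HDR_LEN] = { 0x11 };   /* non-zero initiator cookie */
        pkt[17] = 0x10;                           /* version 1.0 */
        pkt[ISAKMP_XCHG_OFF] = types[i];
        pkt[27] = ISAKMP_HDR_LEN;                 /* declared length */
        enum verdict v = classify_response(pkt, sizeof pkt);
        if (v == PKT_PHASE1_REPLY) return i + 1;
        if (v != PKT_NOTIFICATION) return 0;
    }
    return 0;
}

int main(void)
{
    const uint8_t capture[] = { 5, 5, 4 };   /* R inf, R inf, R agg, as in the post */
    printf("aggressive reply is response #%d\n", first_phase1_reply(capture, 3));
    return 0;
}
```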


jmvpnc at loplof

Aug 2, 2007, 5:28 AM

Post #2 of 8 (956 views)
Re: vpnc-nortel

On Thu, Jul 05, 2007 at 03:56:45AM +0200, Olivier Mougin wrote:
> ./vpnc: response was invalid [1]: INVALID_EXCHANGE_TYPE
>
> I looked at the src code and the problem seems to be here:
>
> if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_AGGRESSIVE)
>
> The exchange_type I received is in fact ISAKMP_EXCHANGE_INFORMATIONAL.
>
>
> With the Apani client, which works, here is what I get by tcpdumping my
> network interface:
>
> ME                            DEST
>
> 1. phase 1 I agg  ---->
>                   <----  2. phase 1 R inf
> 3. phase 1 I agg  ---->
>                   <----  4. phase 1 R inf
> 5. phase 1 I agg  ---->
>                   <----  6. phase 1 R agg
> [...]
>
> So I think there really is an ISAKMP_EXCHANGE_INFORMATIONAL received
> first.

vpnc currently only supports aggressive mode (3 packet exchange), not
the alternative main mode (6 packet exchange). This makes sense, because
unless you use certificates for Phase I authentication, main mode won't
work. And certificates are not (yet) supported (see TODO). I hope this
explains this a bit. So it's most likely not working because the
concentrator uses a mode that is not supported by vpnc.

Basically what is needed is a) certificate support and b) main mode
support in vpnc.

Ciao
Joerg
--
Joerg Mayer <jmayer[at]loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.


legege at legege

Apr 4, 2008, 6:57 PM

Post #3 of 8 (622 views)
Re: vpnc-nortel

On Thu Aug 2 14:28:13 CEST 2007, Joerg Mayer wrote:
> vpnc currently only supports aggressive mode (3 packet exchange), not
> the alternative main mode (6 packet exchange). This makes sense, because
> unless you use certificates for Phase I authentication, main mode won't
> work. And certificates are not (yet) supported (see TODO). I hope this
> explains this a bit. So it's most likely not working because the
> concentrator uses a mode that is not supported by vpnc.
>
> Basically what is needed is a) certificate support and b) main mode
> support in vpnc.
>
> Ciao
> Joerg

Do you know how much work it is to implement a and b?
Is this something used the way? Anyone else who wants to collaborate on
this?

--
Georges-Etienne Legendre


legege at legege

Apr 4, 2008, 7:00 PM

Post #4 of 8 (616 views)
Re: vpnc-nortel

On 4-Apr-08, at 9:57 PM, Georges-Etienne Legendre wrote:
> Do you know how much work it is to implement a and b?
> Is this something used the way? Anyone else who wants to collaborate on
> this?

Oops, *used = under

Sorry.
--
Georges-Etienne Legendre


jmvpnc at loplof

Jun 10, 2008, 6:24 PM

Post #5 of 8 (293 views)
Re: vpnc-nortel

On Fri, Apr 04, 2008 at 10:00:37PM -0400, Georges-Etienne Legendre wrote:
> On 4-Apr-08, at 9:57 PM, Georges-Etienne Legendre wrote:
> > Do you know how much work it is to implement a and b?
> > Is this something used the way? Anyone else who wants to collaborate on
> > this?
>
> Oops, *used = under

Well, we need some volunteer(s) to do the work. Once they are found it
depends on their experience.

Ciao
Joerg
--
Joerg Mayer <jmayer[at]loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.


legege at legege

Jun 10, 2008, 6:29 PM

Post #6 of 8 (293 views)
Re: vpnc-nortel

I'm a volunteer. I don't have a lot of knowledge in VPN stuff however.
I only need a mentor that can guide me with initial steps.

On 10-Jun-08, at 9:24 PM, Joerg Mayer wrote:

> On Fri, Apr 04, 2008 at 10:00:37PM -0400, Georges-Etienne Legendre wrote:
>> On 4-Apr-08, at 9:57 PM, Georges-Etienne Legendre wrote:
>>> Do you know how much work it is to implement a and b?
>>> Is this something used the way? Anyone else who wants to collaborate on
>>> this?
>>
>> Oops, *used = under
>
> Well, we need some volunteer(s) to do the work. Once they are found it
> depends on their experience.
>
> Ciao
> Joerg
> --
> Joerg Mayer <jmayer[at]loplof.de>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.

--
Georges-Etienne Legendre







farjumper at mail

Jun 11, 2008, 1:23 AM

Post #7 of 8 (292 views)
Re: vpnc-nortel

I'm working on main mode support now. It still needs a lot of work but it's moving forward. Also, I'm trying to implement vendor autodetection (it's quite easy to do that in main mode because we receive the vendor ID before other vendor-specific packets).

-----Original Message-----
From: Georges-Etienne Legendre <legege[at]legege.com>
To: vpnc list to send bug reports and discussions with developers<vpnc-devel[at]unix-ag.uni-kl.de>
Date: Tue, 10 Jun 2008 21:29:06 -0400
Subject: Re: [vpnc-devel] vpnc-nortel

>
> I'm a volunteer. I don't have a lot of knowledge in VPN stuff however.
> I only need a mentor that can guide me with initial steps.
>
> On 10-Jun-08, at 9:24 PM, Joerg Mayer wrote:
>
> > On Fri, Apr 04, 2008 at 10:00:37PM -0400, Georges-Etienne Legendre wrote:
> >> On 4-Apr-08, at 9:57 PM, Georges-Etienne Legendre wrote:
> >>> Do you know how much work it is to implement a and b?
> >>> Is this something used the way? Anyone else who wants to collaborate on
> >>> this?
> >>
> >> Oops, *used = under
> >
> > Well, we need some volunteer(s) to do the work. Once they are found it
> > depends on their experience.
> >
> > Ciao
> > Joerg
> > --
> > Joerg Mayer <jmayer[at]loplof.de>
> > We are stuck with technology when what we really want is just stuff that
> > works. Some say that should read Microsoft instead of technology.
>
> --
> Georges-Etienne Legendre


jmayer at loplof

Jun 12, 2008, 9:10 AM

Post #8 of 8 (275 views)
Re: vpnc-nortel

On Wed, Jun 11, 2008 at 12:23:43PM +0400, Vladimir Buell wrote:
> I'm working on main mode support now. It still needs a lot of work but it's moving forward. Also, I'm trying to implement vendor autodetection (it's quite easy to do that in main mode because we receive the vendor ID before other vendor-specific packets).

> > On 4-Apr-08, at 9:57 PM, Georges-Etienne Legendre wrote:
> > I'm a volunteer. I don't have a lot of knowledge in VPN stuff however.
> > I only need a mentor that can guide me with initial steps.
> >

Two pieces of very good news :-)

So with Vladimir implementing main mode, Georges-Etienne could implement
certificate authentication.
If that's OK I'll try to provide some pointers as to what needs to be
done for that.

Ciao
Joerg

--
Joerg Mayer <jmayer[at]loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
