Mailing List Archive: vpnc: devel

ISAKMP_EXCHANGE_INFORMATIONAL Contivity



despen at verizon

May 12, 2008, 2:49 PM

Post #1 of 6 (280 views)
ISAKMP_EXCHANGE_INFORMATIONAL Contivity

Hi,

I'd like to get vpnc working for Contivity users that
see the message:

./vpnc: response was invalid [1]: INVALID_EXCHANGE_TYPE

(like me)

There was an email on this list dated July 05, 2007
from Olivier Mougin who reported:

With the Apani client (which works here), here is what I get by tcpdumping my
network interface:

ME DEST

1. phase 1 I agg ---->
<---- 2. phase 1 R inf
3. phase 1 I agg ---->
<---- 4. phase 1 R inf
5. phase 1 I agg ---->
<---- 6. phase 1 R agg
[...]

So I think there is really an ISAKMP_EXCHANGE_INFORMATIONAL received
first.


The answer he got implied that the switch he was connecting
to is not using aggressive mode and he would need "certificate
support" and "main mode" support.

I'm not sure that answer was right.

It looks to me like the client sent 3 requests for
aggressive mode. The first 2 were answered with
ISAKMP_EXCHANGE_INFORMATIONAL and then the 3rd request
for aggressive mode was accepted.

Does that sound right?

Should phase 1 negotiation just be changed so that when
it sees an INFORMATIONAL response it just keeps going back
and sending the "phase 1 I agg" message?
_______________________________________________
vpnc-devel mailing list
vpnc-devel[at]unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


robert.newson at gmail

May 12, 2008, 3:40 PM

Post #2 of 6 (268 views)
Re: ISAKMP_EXCHANGE_INFORMATIONAL Contivity [In reply to]

I have the same problem and will gladly test out any tweak in this
area. I tried the nortel-branch after Matt Chapman's fix with no
success, sadly.

Also, I noticed a discussion earlier where the nortel branch was
merged in and a --vendor Nortel option added. I can't find this in any
branch of subversion; has it been committed, or does it just exist as
a patch file somewhere?

B.

On Mon, May 12, 2008 at 10:49 PM, Dan Espen <despen[at]verizon.net> wrote:
>
> Hi,
>
> I'd like to get vpnc working for Contivity users that
> see the message:
>
> ./vpnc: response was invalid [1]: INVALID_EXCHANGE_TYPE
>
> (like me)
>
> There was an email on this list dated July 05, 2007
> from Olivier Mougin who reported:
>
> With the Apani client (which works here), here is what I get by tcpdumping my
> network interface:
>
> ME DEST
>
> 1. phase 1 I agg ---->
> <---- 2. phase 1 R inf
> 3. phase 1 I agg ---->
> <---- 4. phase 1 R inf
> 5. phase 1 I agg ---->
> <---- 6. phase 1 R agg
> [...]
>
> So I think there is really an ISAKMP_EXCHANGE_INFORMATIONAL received
> first.
>
>
> The answer he got implied that the switch he was connecting
> to is not using aggressive mode and he would need "certificate
> support" and "main mode" support.
>
> I'm not sure that answer was right.
>
> It looks to me like the client sent 3 requests for
> aggressive mode. The first 2 were answered with
> ISAKMP_EXCHANGE_INFORMATIONAL and then the 3rd request
> for aggressive mode was accepted.
>
> Does that sound right?
>
> Should phase 1 negotiation just be changed so that when
> it sees an INFORMATIONAL response it just keeps going back
> and sending the "phase 1 I agg" message?
> _______________________________________________
> vpnc-devel mailing list
> vpnc-devel[at]unix-ag.uni-kl.de
> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>


despen at verizon

May 12, 2008, 6:12 PM

Post #3 of 6 (272 views)
Re: ISAKMP_EXCHANGE_INFORMATIONAL Contivity [In reply to]

Dan Espen <despen[at]verizon.net> writes:

> Hi,
>
> I'd like to get vpnc working for Contivity users that
> see the message:
>
> ./vpnc: response was invalid [1]: INVALID_EXCHANGE_TYPE
>
> (like me)
>
> There was an email on this list dated July 05, 2007
> from Olivier Mougin who reported:
>
> With the Apani client (which works here), here is what I get by tcpdumping my
> network interface:
>
> ME DEST
>
> 1. phase 1 I agg ---->
> <---- 2. phase 1 R inf
> 3. phase 1 I agg ---->
> <---- 4. phase 1 R inf
> 5. phase 1 I agg ---->
> <---- 6. phase 1 R agg
> [...]
>
> So I think there is really an ISAKMP_EXCHANGE_INFORMATIONAL received
> first.
>
>
> The answer he got implied that the switch he was connecting
> to is not using aggressive mode and he would need "certificate
> support" and "main mode" support.
>
> I'm not sure that answer was right.
>
> It looks to me like the client sent 3 requests for
> aggressive mode. The first 2 were answered with
> ISAKMP_EXCHANGE_INFORMATIONAL and then the 3rd request
> for aggressive mode was accepted.
>
> Does that sound right?
>
> Should phase 1 negotiation just be changed so that when
> it sees an INFORMATIONAL response it just keeps going back
> and sending the "phase 1 I agg" message?

To follow up my own post, I tried detecting the INFORMATIONAL
response and branching back to sending the request.
That just put it in an unending loop of sending the request
and getting the INFORMATIONAL response.

There must be more to this.

I did a TCPDUMP on the connect using Apani.
I can't say I understand all the output:

length 398) ME > VPN: isakmp 1.0 msgid cookie ->: phase 1 I agg: [|sa]
length 76) VPN > ME: [udp sum ok] isakmp 1.0 msgid cookie ->: phase 1 R inf:
c proto=isakmp type=NO-PROPOSAL-CHOSEN orig=( [|sa])
length 330) ME > VPN: isakmp 1.0 msgid cookie ->: phase 1 I agg: [|sa]
length 330) VPN > ME: isakmp 1.0 msgid cookie ->: phase 1 R agg: [|sa]
length 88) ME > VPN: isakmp 1.0 msgid cookie ->: phase 1 I agg[E]: [encrypted hash]

Hints would be welcome.

Thanks.
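Editor's note on the two traces in this thread: both Olivier's summary in the opening post and Dan's tcpdump above show the responder answering the first "phase 1 I agg" with an INFORMATIONAL exchange, and Dan's trace names the notification (NO-PROPOSAL-CHOSEN) and shows the Apani client's retry packet being smaller than its first one (330 bytes versus 398). One reading of that is that the working client does not resend the same request, which is what Dan's patch did and why it looped; it answers NO-PROPOSAL-CHOSEN by sending a different, narrower proposal. The following is an added example, not vpnc code and not written by anyone in this thread. It parses the ISAKMP header and Notification payload per RFC 2408, and drives a bounded phase-1 retry that moves to the next proposal on NO-PROPOSAL-CHOSEN instead of repeating the rejected one. The proposal names, the fake responder and the packet bytes are constructed for the example; the responder's SA body is a stand-in and is not parsed.

```python
"""Parse an ISAKMP (RFC 2408) INFORMATIONAL reply and drive a bounded phase-1
retry that narrows the proposal on NO-PROPOSAL-CHOSEN instead of resending it.
Added illustration, not vpnc code."""
import struct

# Exchange types, payload types and notify type from RFC 2408 (sections 3.1, 3.14.1)
EXCH_AGGRESSIVE = 4
EXCH_INFORMATIONAL = 5
PAYLOAD_NONE = 0
PAYLOAD_SA = 1
PAYLOAD_NOTIFY = 11
NOTIFY_NO_PROPOSAL_CHOSEN = 14
# Header: I-cookie, R-cookie, next payload, version, exchange type, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28 bytes
MAX_PHASE1_ATTEMPTS = 3  # hypothetical bound, chosen for the example


def parse_isakmp(data):
    """Return (exchange_type, [(payload_type, body), ...]); raise ValueError on bad framing."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _ic, _rc, next_pl, _ver, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("length field does not match datagram")
    payloads, off, pl_type = [], ISAKMP_HDR.size, next_pl
    while pl_type != PAYLOAD_NONE:  # walk the generic payload chain
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _reserved, pl_len = struct.unpack_from("!BBH", data, off)
        if pl_len < 4 or off + pl_len > len(data):
            raise ValueError("bad payload length")
        payloads.append((pl_type, data[off + 4:off + pl_len]))
        off, pl_type = off + pl_len, nxt
    return exch, payloads


def notify_type(body):
    """Notify message type from a Notification payload body (DOI, proto, SPI size, type, SPI)."""
    if len(body) < 8:
        raise ValueError("short notification payload")
    _doi, _proto, spi_size, ntype = struct.unpack_from("!IBBH", body, 0)
    if len(body) < 8 + spi_size:
        raise ValueError("SPI runs past payload")
    return ntype


def negotiate_phase1(proposals, send_aggressive, max_attempts=MAX_PHASE1_ATTEMPTS):
    """Offer each proposal in turn; send_aggressive(proposal) returns the raw reply datagram.
    NO-PROPOSAL-CHOSEN drops the current proposal and moves on; the same proposal is never
    resent, and the loop is bounded. Returns (status, attempts_made)."""
    attempts = 0
    for proposal in proposals:
        if attempts >= max_attempts:
            break
        attempts += 1
        exch, payloads = parse_isakmp(send_aggressive(proposal))
        if exch == EXCH_AGGRESSIVE:           # responder's "phase 1 R agg"
            return "accepted", attempts
        if exch == EXCH_INFORMATIONAL:        # responder's "phase 1 R inf"
            notifies = [notify_type(b) for t, b in payloads if t == PAYLOAD_NOTIFY]
            if NOTIFY_NO_PROPOSAL_CHOSEN in notifies:
                continue                      # try the next, narrower proposal
            return "error:" + ",".join(map(str, notifies)), attempts
        return "unexpected-exchange", attempts
    return "exhausted", attempts


# --- constructed responder and packets for the example -----------------------
def build_reply(exch, payload_type, body, icookie=b"\x11" * 8, rcookie=b"\x22" * 8):
    total = ISAKMP_HDR.size + 4 + len(body)
    hdr = ISAKMP_HDR.pack(icookie, rcookie, payload_type, 0x10, exch, 0, 0, total)
    return hdr + struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(body)) + body


def build_notify_body(ntype, spi=b"\x11" * 8 + b"\x22" * 8):
    # DOI 1 (IPsec), protocol 1 (ISAKMP), SPI = the two cookies, as many gateways send it
    return struct.pack("!IBBH", 1, 1, len(spi), ntype) + spi


def fake_responder(accepted):
    """Simulated gateway: NO-PROPOSAL-CHOSEN for everything except `accepted`."""
    def send(proposal):
        if proposal == accepted:
            return build_reply(EXCH_AGGRESSIVE, PAYLOAD_SA, b"\x00" * 8)  # stand-in SA body
        return build_reply(EXCH_INFORMATIONAL, PAYLOAD_NOTIFY,
                           build_notify_body(NOTIFY_NO_PROPOSAL_CHOSEN))
    return send


PROPOSALS = ["aes256-sha1-grp2", "3des-sha1-grp2", "3des-md5-grp1"]  # constructed names

if __name__ == "__main__":
    print(negotiate_phase1(PROPOSALS, fake_responder("3des-sha1-grp2")))  # ('accepted', 2)
    print(negotiate_phase1(PROPOSALS, fake_responder("nothing")))         # ('exhausted', 3)
```

The second call is the failure mode Dan describes: a gateway that rejects every offer. With a bound on attempts the client stops and reports "exhausted" instead of exchanging I agg / R inf forever; without the bound, and with the same proposal resent each time, that is exactly the unending loop.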


legege at legege

May 12, 2008, 6:49 PM

Post #4 of 6 (274 views)
Re: ISAKMP_EXCHANGE_INFORMATIONAL Contivity [In reply to]

I would like to help on this too. I don't have Apani installed, but I
can tcpdump on the Windows with the official Contivity client.

Let me know how I can help.
--
Georges-Etienne Legendre


gofman.mike at gmail

May 12, 2008, 9:22 PM

Post #5 of 6 (275 views)
Re: ISAKMP_EXCHANGE_INFORMATIONAL Contivity [In reply to]

Would capturing traffic between Contivity Software and my Nortel switch with
something like Wireshark be of any use?

I can also help out with code, but the last thing I got from SVN has
errors.

On Mon, May 12, 2008 at 5:49 PM, Dan Espen <despen[at]verizon.net> wrote:

>
> Hi,
>
> I'd like to get vpnc working for Contivity users that
> see the message:
>
> ./vpnc: response was invalid [1]: INVALID_EXCHANGE_TYPE
>
> (like me)
>
> There was an email on this list dated July 05, 2007
> from Olivier Mougin who reported:
>
> With the Apani client (which works here), here is what I get by tcpdumping my
> network interface:
>
> ME DEST
>
> 1. phase 1 I agg ---->
> <---- 2. phase 1 R inf
> 3. phase 1 I agg ---->
> <---- 4. phase 1 R inf
> 5. phase 1 I agg ---->
> <---- 6. phase 1 R agg
> [...]
>
> So I think there is really an ISAKMP_EXCHANGE_INFORMATIONAL received
> first.
>
>
> The answer he got implied that the switch he was connecting
> to is not using aggressive mode and he would need "certificate
> support" and "main mode" support.
>
> I'm not sure that answer was right.
>
> It looks to me like the client sent 3 requests for
> aggressive mode. The first 2 were answered with
> ISAKMP_EXCHANGE_INFORMATIONAL and then the 3rd request
> for aggressive mode was accepted.
>
> Does that sound right?
>
> Should phase 1 negotiation just be changed so that when
> it sees an INFORMATIONAL response it just keeps going back
> and sending the "phase 1 I agg" message?
> _______________________________________________
> vpnc-devel mailing list
> vpnc-devel[at]unix-ag.uni-kl.de
> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>


despen at verizon

May 13, 2008, 4:52 AM

Post #6 of 6 (265 views)
Re: ISAKMP_EXCHANGE_INFORMATIONAL Contivity [In reply to]

"Michael Gofman" <gofman.mike[at]gmail.com> writes:

> Would capturing traffic between Contivity Software and my Nortel switch
> with something like Wireshark be of any use?

I think so.
My next plan was to do more tcpdump tracing, but if Wireshark
does a better trace...
