
Mailing List Archive: vpnc: devel

vpnc-nortel with group password authentication

 

 



zorgluf at gmail

Sep 8, 2008, 7:34 AM

Post #1 of 23 (5715 views)
vpnc-nortel with group password authentication

Hi,
First of all, great thanks for everybody working on the vpnc project,
especially on the nortel branch.
I am new to this list and a newbie on IPSEC or linux programming, but I have
found some information that might be interesting for this list :
* In my company, we are using "group password authentication" based on
RADIUS and OTP (actividentity minitoken). The actual releases I get on this
list (nortel svn branch, or zingo version
"vpnc-nortel_merge_with_284.tar.gz") didn't work for me.
I have made the following modifications from the zingo version to make it
work :
* the "xauth_type_requested" is 1 in my case :

uint16_t xauth_type_requested = 1;

* I had to remove the ifdef :

#ifdef NORTELVPN
na = reply_attr->next = new_isakmp_attribute(ISAKMP_XAUTH_ATTRIB_PASSCODE,
/* reply_attr */ NULL);
#else
na = new_isakmp_attribute(ap->type, reply_attr);
reply_attr = na;
#endif

to keep

na = new_isakmp_attribute(ap->type, reply_attr);
reply_attr = na;

because it didn't apply to me (server is waiting
ISAKMP_XAUTH_ATTRIB_USER_PASSWORD).

And now I can successfully authenticate with the nortel contivity.
I hope it might be useful for somebody.
Br,
François


borneo.antonio at gmail

Sep 8, 2008, 11:57 PM

Post #2 of 23 (5621 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hi Francois,

also in my case, I have to apply the first patch in attachment
(patch_xauth.txt), to vpnc-nortel branch, to make it work. My patch
is equivalent to your suggestion.
Anyway, I do not like this patch at all, since I believe it would break
the code for someone else.
The part of code we are patching comes from Zingo. I have no idea if
it has longer history.
I was looking in the history of vpnc code to better understand and
propose a better patch.

My server sends the auth request in a modecfg CFG_REQUEST payload,
with zeroed field ISAKMP_XAUTH_02_ATTRIB_TYPE, and empty fields
ISAKMP_XAUTH_02_ATTRIB_USER_NAME and
ISAKMP_XAUTH_02_ATTRIB_USER_PASSWORD

The only reply that seems accepted, has "exactly" the same fields,
with proper username and password, and value "1" for "TYPE".
Any other combination or value returns "authentication failure"
(modecfg.type == 6, instead of 5).

Instead, the current reply from vpnc has:
- value "5" instead of "1" for ISAKMP_XAUTH_02_ATTRIB_TYPE
- the field ISAKMP_XAUTH_02_ATTRIB_USER_PASSWORD
replaced by ISAKMP_XAUTH_02_ATTRIB_PASSCODE
Neither change is accepted by my server.

Can anyone verify WHY such behaviour has been put in vpnc?
Is it really required in some case?
Can we work together for better code that covers both behaviours?


Also, should we code the Nortel proprietary replies of modecfg.type ==
5 or 6 with macros?
The second patch attached (patch_modecfg.txt) is a suggestion on this way.


By the way, there is some confusion in the field names, since in
isakmp.h there is aliasing between the following attributes
# 0x0d == ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_SUBNET
== ISAKMP_XAUTH_02_ATTRIB_TYPE
# 0x0e == ISAKMP_MODECFG_ATTRIB_SUPPORTED_ATTRIBUTES
== ISAKMP_XAUTH_02_ATTRIB_USER_NAME
# 0x0f == ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_SUBNET
== ISAKMP_XAUTH_02_ATTRIB_USER_PASSWORD
This seems a problem created by Nortel, against rfc4306
Any idea for a cleanup?

Best Regards,
Antonio Borneo


2008/9/8 francois valley <zorgluf [at] gmail>:
> Hi,
> First of all, great thanks for everybody working on the vpnc project,
> especially on the nortel branch.
> I am new to this list and a newbie on IPSEC or linux programming, but I have
> found some information that might be interesting for this list :
> * In my company, we are using "group password authentication" based on
> RADIUS and OTP (actividentity minitoken). The actual releases I get on this
> list (nortel svn branch, or zingo version
> "vpnc-nortel_merge_with_284.tar.gz") didn't work for me.
> I have made the following modifications from the zingo version to make it
> work :
> * the "xauth_type_requested" is 1 in my case :
>
> uint16_t xauth_type_requested = 1;
>
> * I had to remove the ifdef :
>
> #ifdef NORTELVPN
> na = reply_attr->next = new_isakmp_attribute(ISAKMP_XAUTH_ATTRIB_PASSCODE,
> /* reply_attr */ NULL);
> #else
> na = new_isakmp_attribute(ap->type, reply_attr);
> reply_attr = na;
> #endif
>
> to keep
>
> na = new_isakmp_attribute(ap->type, reply_attr);
> reply_attr = na;
>
> because it didn't apply to me (server is waiting
> ISAKMP_XAUTH_ATTRIB_USER_PASSWORD).
>
> And now I can successfully authenticate with the nortel contivity.
> I hope it might be useful for somebody.
> Br,
> François
>
> _______________________________________________
> vpnc-devel mailing list
> vpnc-devel [at] unix-ag
> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
>
Attachments: patch_xauth.txt (1.58 KB)
  patch_modecfg.txt (0.96 KB)
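The exchange Antonio describes (the server's CFG_REQUEST carries a zeroed TYPE and empty USER_NAME/USER_PASSWORD attributes, and the only accepted CFG_REPLY echoes exactly those attributes with TYPE=1) can be handled by mirroring the request instead of hard-coding PASSCODE and TYPE 5. The C program below is an added example written for this page, not vpnc code: it uses the RFC 2408 data-attribute encoding (AF bit set for a 2-byte value, clear for length-prefixed data) with the draft-02 attribute numbers quoted in the post (0x0d, 0x0e, 0x0f). The PASSCODE number 0x10, the credentials and the sample request bytes are constructed assumptions, and the malformed-request case shows why the parser must check declared lengths before trusting them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* draft-02 XAUTH attribute numbers quoted in the post (they alias the RFC
   mode-config attributes 0x0d..0x0f). PASSCODE = 0x10 is assumed, not on the page. */
#define XAUTH_02_TYPE          0x0d
#define XAUTH_02_USER_NAME     0x0e
#define XAUTH_02_USER_PASSWORD 0x0f
#define XAUTH_02_PASSCODE      0x10
#define ATTR_AF_BASIC 0x8000 /* RFC 2408 3.3: AF bit set = 2-byte value, clear = length + data */

struct attr { uint16_t type, value, len; int basic; const uint8_t *data; };

/* Decode one data attribute; returns bytes consumed, 0 if truncated or malformed. */
static size_t parse_attr(const uint8_t *p, size_t n, struct attr *a)
{
    if (n < 4) return 0;
    uint16_t t = (uint16_t)((p[0] << 8) | p[1]);
    a->basic = (t & ATTR_AF_BASIC) != 0;
    a->type = t & 0x7fff;
    a->value = a->len = 0; a->data = NULL;
    if (a->basic) {
        a->value = (uint16_t)((p[2] << 8) | p[3]);
        return 4;
    }
    a->len = (uint16_t)((p[2] << 8) | p[3]);
    if (a->len > n - 4) return 0;   /* declared length runs past the buffer */
    a->data = p + 4;
    return 4 + a->len;
}

static size_t put_basic(uint8_t *out, size_t cap, uint16_t type, uint16_t value)
{
    if (cap < 4) return 0;
    uint16_t t = type | ATTR_AF_BASIC;
    out[0] = t >> 8; out[1] = t & 0xff; out[2] = value >> 8; out[3] = value & 0xff;
    return 4;
}

static size_t put_tlv(uint8_t *out, size_t cap, uint16_t type, const char *s)
{
    size_t len = strlen(s);
    if (len > 0xffff || cap < 4 + len) return 0;
    out[0] = type >> 8; out[1] = type & 0xff; out[2] = len >> 8; out[3] = len & 0xff;
    memcpy(out + 4, s, len);
    return 4 + len;
}

/* Build the CFG_REPLY attribute list by walking the server's CFG_REQUEST and
   answering each attribute under the same number: TYPE gets the value we use,
   USER_NAME the user, and whichever secret attribute the server asked for
   (USER_PASSWORD or PASSCODE) gets the secret. Returns reply bytes, 0 on error. */
size_t build_xauth_reply(const uint8_t *req, size_t req_len, uint16_t xauth_type,
                         const char *user, const char *secret, uint8_t *out, size_t cap)
{
    size_t off = 0, w = 0, n;
    struct attr a;
    while (off < req_len) {
        size_t used = parse_attr(req + off, req_len - off, &a);
        if (used == 0) return 0;
        off += used;
        switch (a.type) {
        case XAUTH_02_TYPE:          n = put_basic(out + w, cap - w, a.type, xauth_type); break;
        case XAUTH_02_USER_NAME:     n = put_tlv(out + w, cap - w, a.type, user);        break;
        case XAUTH_02_USER_PASSWORD:
        case XAUTH_02_PASSCODE:      n = put_tlv(out + w, cap - w, a.type, secret);      break;
        default:                     return 0;  /* unknown attribute: fail, don't guess */
        }
        if (n == 0) return 0;
        w += n;
    }
    return w;
}

/* Constructed request as described above: TYPE=0, empty USER_NAME, empty USER_PASSWORD. */
static const uint8_t sample_request[] = {
    0x80, 0x0d, 0x00, 0x00,  /* TYPE, basic, value 0 */
    0x00, 0x0e, 0x00, 0x00,  /* USER_NAME, length 0 */
    0x00, 0x0f, 0x00, 0x00   /* USER_PASSWORD, length 0 */
};
uint8_t sample_reply[64];

/* Answer the sample request with TYPE=1 and constructed credentials. */
size_t build_sample_reply(void)
{
    return build_xauth_reply(sample_request, sizeof sample_request, 1,
                             "alice", "otp123", sample_reply, sizeof sample_reply);
}

/* A request whose USER_NAME attribute claims 256 bytes it does not carry. */
size_t build_reply_to_bad_request(void)
{
    static const uint8_t bad[] = { 0x80, 0x0d, 0x00, 0x00, 0x00, 0x0e, 0x01, 0x00 };
    return build_xauth_reply(bad, sizeof bad, 1, "alice", "otp123", sample_reply, sizeof sample_reply);
}

int main(void)
{
    printf("sample reply: %zu bytes\n", build_sample_reply());
    return 0;
}
```

The reply for the sample request is 23 bytes: a basic TYPE attribute with value 1, then USER_NAME and USER_PASSWORD as length-prefixed data. Because the type number is copied from each request attribute, a server that asks for PASSCODE gets PASSCODE back and one that asks for USER_PASSWORD gets USER_PASSWORD, which is the behaviour the two patches in this thread hard-code one way or the other.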


spamfilter at zingo

Sep 10, 2008, 11:23 AM

Post #3 of 23 (5614 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hi

> The part of code we are patching comes from Zingo. I have no idea if
> it has longer history.

My patch should not have introduced anything new; if I did, it was not my idea.

My patch only took the old nortel branch and "recreated" it on latest. While I
did this I also did try to identify code paths that had been cut&moved and tried
to make the nortelbranch workable out of the box on non nortel and arranged in
a way to make it as equal as possible as "trunk", for easy merging.

What I want to say is that I am in no way the masterbrain here; I know almost nothing
about what the code does, I just used my "C" knowledge to do it. All the fame should go
to the other people in the project.

But if you submit patches to the nortel branch, please, if possible, see
if you can fix any of the left-over issues on the branch.
I feel kind of bad for not taking a swing at fixing some of it yet.
Most of the stuff is over my head, but at least the code formatting stuff
I would have been able to do, like 2, 5, 7; shame shame shame on me.
(I marked the mail unread so it has bugged me all summer)

Joerg Mayer list of todo's from 2008-06-13:

1) There is a set of new dup_ and free_ functions. I assume that they
are there to fix a memory leak or two, so they might collide with
Martin's work. --> Martin: Any comments?

2) Some // style comments, so far only the old style comments are used.

3) Renaming the attributes _RFC_ and _NORTEL_ is not quite correct.
_D06_ and _D02_ (or _DRAFT06_ and _DRAFT02_) would be the correct
names. Or maybe just replace NORTEL with _DRAFT02_ and leave the
other names alone.

4) In at least one place, the code uses 32767 instead of
IKE_ATTRIB_NORTEL_UNKNOWN new_isakmp_attribute_16(32767, 10, a).
While we are at it, maybe give the number 10 a symbolic name as
well.

5) Code style: Some of the new places do something like this:
}
else {
whereas the remaining code uses
} else {

6) The code to create the proposals seems to have grown significantly -
I still have to understand why ---> Self: Try to understand
if (opt_vendor == VENDOR_NORTEL) {
auth = 0;

7) Comments remaining from development work should go
/* memcpy(l->u.id.data, key_id, strlen(key_id)); */
// Nortel specific version
/* removed for NortelVPN
...
*/

8) Is a separate make_our_sa_ipsec_nortel really necessary?

9) Same goes here:
// Nortel specific
static int check_transform(struct sa_block *s,struct isakmp_payload *transform)

10) I get the feeling that some of the code needs to be changed to be more
flexible to be able to handle both cases without so much new code.

11) The xauth functions probably should be suffixed _02 and _06.



--
Zingo "Stefan" Andersen (zingo.org and vectrace.com)



borneo.antonio at gmail

Sep 12, 2008, 2:34 AM

Post #4 of 23 (5613 views)
Re: vpnc-nortel with group password authentication [In reply to]

Zingo,
I agree with you; sorry for my mistake; I got lost in svn history.

After digging back (better) in svn history I got the original commit
of this part of code at rev. 167.
Diff between rev 166 and 167 has the fragment reported below, that is
exactly the code Francois and I want to fix.
This commit is from Matt Chapman, the first support for Nortel in vpnc.
I have put Matt in copy.

Later on, this part of code was reviewed by Vladimir Buell (added in
copy, too) around the macro NORTELVPN_XAUTHTYPE_AS_REQUEST (rev 286
and 287), code dropped later on.

I believe this part of code needs a fix, and I'm available to work on
it, to support at the same time:
- Matt's original handshake, as today in vpnc
- Vladimir's enhancement, around NORTELVPN_XAUTHTYPE_AS_REQUEST
- issue found by Francois and me.

It would be valuable to have a vpnc dump (with "--debug 3", to skip
sensitive info) from Matt and Vladimir, or from someone else who can
log in to a Nortel server with unmodified vpnc.
Just the part between messages "S5 do_phase2_xauth" and "S6
do_phase2_config" should be enough.
I can provide similar log by my side.

Best Regards,
Antonio Borneo

--
Fragment from diff rev. 167 vs. 166

@@ -1501,8 +1529,8 @@
memset(pass, 0, na->u.lots.length);
} else {
struct isakmp_attribute *na;
- na =
new_isakmp_attribute(ap->type, reply_attr);
- reply_attr = na;
+ na = reply_attr->next =
new_isakmp_attribute(ISAKMP_XAUTH_ATTRIB_PASSCODE, /* reply_attr */
NULL);
+ /* reply_attr = na; */
na->u.lots.length =
strlen(config[CONFIG_XAUTH_PASSWORD]);
na->u.lots.data =
xallocc(na->u.lots.length);
memcpy(na->u.lots.data,
config[CONFIG_XAUTH_PASSWORD],
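Review bot: `na = reply_attr->next = new_isakmp_attribute(ISAKMP_XAUTH_ATTRIB_PASSCODE, NULL)` dereferences reply_attr with no NULL check, and commenting out `reply_attr = na;` leaves reply_attr pointing at the previous node instead of the tail, so the PASSCODE node is silently dropped by any later append through reply_attr->next. The hunk also replaces the requested attribute number ap->type with a hard-coded PASSCODE, which is exactly what the servers described earlier in this thread (expecting USER_PASSWORD back) reject. Suggest keeping `na = new_isakmp_attribute(ap->type, reply_attr); reply_attr = na;` and deriving the attribute number from ap->type or the configured auth mode rather than a constant.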
@@ -1513,6 +1541,8 @@
;
}

+ reply_attr =
new_isakmp_attribute_16(ISAKMP_XAUTH_ATTRIB_TYPE, 5, reply_attr);
+
/* Send the response. */
rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY;
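Review bot: the literal 5 in `new_isakmp_attribute_16(ISAKMP_XAUTH_ATTRIB_TYPE, 5, reply_attr)` is a magic number sent unconditionally, and earlier posts report servers that only accept TYPE 1 (the value they requested); give it a symbolic name and take the value from the server's request (xauth_type_requested) or the configured mode instead. A comment is also needed on ordering: because the previous hunk stopped updating reply_attr, this prepends TYPE in front of the pre-PASSCODE node, so the final list is TYPE, earlier attributes, PASSCODE; if that order is required by the server, say so.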



zorgluf at gmail

Sep 22, 2008, 1:15 AM

Post #6 of 23 (5552 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hi,
I have managed to make vpnc work with a static local nortel account
("username and password authentication" in the official client).
Still starting from the zingo version, I needed to fix two points :
* the "u.id.length" should be fixed to 20
* in "do_phase2_config" I had to skip the line "r_length =
sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);". The fact is that
there isn't any "XAUTH" phase in the negotiation, so the parameters
such as IP, netmask, etc. are given much more quickly in the
negotiation.
Unfortunately, these modifications don't work for the previous modes
(group pwd or securid)...
Would it be an idea to create a new option in the command line, like
"--nortel-auth-mode", with the values "username/group/securid" ?

Do you still need some logs ?

François


2008/9/12 Antonio Borneo <borneo.antonio [at] gmail>:
> Zingo,
> I agree with you; sorry for my mistake; I got lost in svn history.
>
> After digging back (better) in svn history I got the original commit
> of this part of code at rev. 167.
> Diff between rev 166 and 167 has the fragment reported below, that is
> exactly the code me and Francois want to fix.
> This commit is form Matt Chapman, the first support for Nortel in vpnc.
> I have put Matt in copy.
>
> Later on, this part of code was reviewed by Vladimir Buell (added in
> copy, too) around the macro NORTELVPN_XAUTHTYPE_AS_REQUEST (rev 286
> and 287), code dropped later on.
>
> I believe this part of code needs a fix, and I'm available to work on
> it, to support at the same time:
> - Matt's original handshake, as today in vpnc
> - Vladimir's enhancement, around NORTELVPN_XAUTHTYPE_AS_REQUEST
> - issue found by Francois and me.
>
> Would be valuable having a vpnc dump (with "--debug 3", to skip
> sensible info) form Matt and Vladimir, or from someone else that can
> login in a Nortel server with unmodified vpnc.
> Just the part between messages "S5 do_phase2_xauth" and "S6
> do_phase2_config" should be enough.
> I can provide similar log by my side.
>
> Best Regards,
> Antonio Borneo
>
> --
> Fragment form diff rev. 167 vs. 166
>
> @@ -1501,8 +1529,8 @@
> memset(pass, 0, na->u.lots.length);
> } else {
> struct isakmp_attribute *na;
> - na =
> new_isakmp_attribute(ap->type, reply_attr);
> - reply_attr = na;
> + na = reply_attr->next =
> new_isakmp_attribute(ISAKMP_XAUTH_ATTRIB_PASSCODE, /* reply_attr */
> NULL);
> + /* reply_attr = na; */
> na->u.lots.length =
> strlen(config[CONFIG_XAUTH_PASSWORD]);
> na->u.lots.data =
> xallocc(na->u.lots.length);
> memcpy(na->u.lots.data,
> config[CONFIG_XAUTH_PASSWORD],
> @@ -1513,6 +1541,8 @@
> ;
> }
>
> + reply_attr =
> new_isakmp_attribute_16(ISAKMP_XAUTH_ATTRIB_TYPE, 5, reply_attr);
> +
> /* Send the response. */
> rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
> rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY;



borneo.antonio at gmail

Oct 26, 2008, 8:44 AM

Post #7 of 23 (5325 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hi François,
sorry for replying only after so long time.

Your contribution for "User Name and Password Authentication" is
definitively valuable.
Yesterday I was checking different Group Security Authentication. I
also ran a few tests on username password auth but, without an account
on a real server, had no way to go on.
Could you please send:
- dump, with --debug 3
- patch against one vpnc version?
Before running the dump, it would be valuable to apply the patch in
attachment. It will still keep sensitive data invisible, but will print
the value of ATTRIB_TYPE, which is important data in the protocol
(...maybe not in your case).

I agree on your proposal for an option like "--nortel-auth-mode".
I believe it's the only way to select the authentication mode, since
the client has to behave differently before any useful server reply.

Thanks and Best Regards,
Antonio Borneo

On Mon, Sep 22, 2008 at 4:15 PM, zorgluf <zorgluf [at] gmail> wrote:
> Hi,
> I have managed to make vpnc work with a static local nortel account
> ("username and password authentication" in the official client).
> Still starting from the zingo version, I needed to fix two points :
> * the "u.id.length" should be fixed to 20
> * in "do_phase2_config" I had to skip the line "r_length =
> sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);". The fact is that
> there isn't any "XAUTH" phase in the negotiation, so the parameters
> such as IP, netmask, etc. are given much more quickly in the
> negotiation.
> Unfortunately, these modifications don't work for the previous modes
> (group pwd or securid)...
> Would it be an idea to create a new option in the command line, like
> "--nortel-auth-mode", with the values "username/group/securid" ?
>
> Do you still need some logs ?
>
> François
Attachments: patch_dump_type.txt (1.79 KB)


zorgluf at gmail

Oct 30, 2008, 2:12 AM

Post #8 of 23 (5315 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hi Antonio,
Here is the information you asked for. The patch file is against rev 340.
It took me some time, my code was a big mess, so I re-started from scratch.
First time also I use "diff" tool, so feel free to complain if there
is a mistake...
Thank you for your work!
François

2008/10/26 Antonio Borneo <borneo.antonio [at] gmail>:
> Hi François,
> sorry for replying only after so long time.
>
> Your contribution for "User Name and Password Authentication" is
> definitively valuable.
> Yesterday I was checking different Group Security Authentication. I
> also ran a few tests on username password auth but, without an account
> on a real server, had no way to go on.
> Could you please send:
> - dump, with --debug 3
> - patch against one vpnc version?
> Before running the dump, it would be valuable to apply the patch in
> attachment. It will still keep sensitive data invisible, but will print
> the value of ATTRIB_TYPE, which is important data in the protocol
> (...maybe not in your case).
>
> I agree on your proposal for an option like "--nortel-auth-mode".
> I believe it's the only way to select the authentication mode, since
> the client has to behave differently before any useful server reply.
>
> Thanks and Best Regards,
> Antonio Borneo
>
> On Mon, Sep 22, 2008 at 4:15 PM, zorgluf <zorgluf [at] gmail> wrote:
>> Hi,
>> I have managed to make vpnc work with a static local nortel account
>> ("username and password authentication" in the official client).
>> Still starting from the zingo version, I needed to fix two points :
>> * the "u.id.length" should be fixed to 20
>> * in "do_phase2_config" I had to skip the line "r_length =
>> sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);". The fact is that
>> there isn't any "XAUTH" phase in the negotiation, so the parameters
>> such as IP, netmask, etc. are given much more quickly in the
>> negotiation.
>> Unfortunately, these modifications don't work for the previous modes
>> (group pwd or securid)...
>> Would it be an idea to create a new option in the command line, like
>> "--nortel-auth-mode", with the values "username/group/securid" ?
>>
>> Do you still need some logs ?
>>
>> François
>
Attachments: dump_username_password.txt (38.5 KB)
  patch_username_password.txt (1.40 KB)


borneo.antonio at gmail

Nov 2, 2008, 7:19 PM

Post #9 of 23 (5281 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hi,
using info from François and other contributors to this list, I'm
going to add in vpnc-nortel the support for:
- "User Name and Password Authentication" (from François)
- "Group Password Authentication" (currently used by me and François)
- add to existing "Response Only Token" the option of separate "PIN" and "Token"

Can anyone confirm if the following options are currently working?
- "Digital Certificate Authentication"
- "Challenge Response Token"

I have no access to a "Response Only Token" server, so I need your
help to test the attached patch. It should allow better integration
with the new authentication modes.
It is a small modification to the existing code; should work without
any problem.

Everyone able to connect to a "Response Only Token" server with
vpnc-nortel as it is today in svn, could test the patch.
The patch is against vpnc-nortel version 352 but can be applied to
older code, doesn't really matter.

Thank you.
Best Regards
Antonio Borneo

On Thu, Oct 30, 2008 at 5:12 PM, zorgluf <zorgluf [at] gmail> wrote:
> Hi Antonio,
> Here is the information you asked for. The patch file is against rev 340.
> It took me some time, my code was a big mess, so I re-started from scratch.
> First time also I use "diff" tool, so feel free to complain if there
> is a mistake...
> Thank you for your work!
> François
>
> 2008/10/26 Antonio Borneo <borneo.antonio [at] gmail>:
>> Hi François,
>> sorry for replying only after so long time.
>>
>> Your contribution for "User Name and Password Authentication" is
>> definitively valuable.
>> Yesterday I was checking different Group Security Authentication. I
>> also ran a few tests on username password auth but, without an account
>> on a real server, had no way to go on.
>> Could you please send:
>> - dump, with --debug 3
>> - patch against one vpnc version?
>> Before running the dump, it would be valuable to apply the patch in
>> attachment. It will still keep sensitive data invisible, but will print
>> the value of ATTRIB_TYPE, which is important data in the protocol
>> (...maybe not in your case).
>>
>> I agree on your proposal for an option like "--nortel-auth-mode".
>> I believe it's the only way to select the authentication mode, since
>> the client has to behave differently before any useful server reply.
>>
>> Thanks and Best Regards,
>> Antonio Borneo
>>
>> On Mon, Sep 22, 2008 at 4:15 PM, zorgluf <zorgluf [at] gmail> wrote:
>>> Hi,
>>> I have managed to make vpnc work with a static local nortel account
>>> ("username and password authentication" in the official client).
>>> Still starting from the zingo version, I needed to fix two points :
>>> * the "u.id.length" should be fixed to 20
>>> * in "do_phase2_config" I had to skip the line "r_length =
>>> sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);". The fact is that
>>> there isn't any "XAUTH" phase in the negotiation, so the parameters
>>> such as IP, netmask, etc. are given much more quickly in the
>>> negotiation.
>>> Unfortunately, these modifications don't work for the previous modes
>>> (group pwd or securid)...
>>> Would it be an idea to create a new option in the command line, like
>>> "--nortel-auth-mode", with the values "username/group/securid" ?
>>>
>>> Do you still need some logs ?
>>>
>>> François
>>
>
Attachments: patch_test_ResponseOnlyToken.txt (0.80 KB)


borneo.antonio at gmail

Nov 2, 2008, 9:11 PM

Post #10 of 23 (5283 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hi Anthony,
thanks for your support in this test.
Your vpnc stops before reaching my patch, so your problem is somewhere else.
Have you already successfully logged in, before, with vpnc-nortel without any patch?

Seems to me, in order to get it working, you have to change your config with:
IKE Authmode psk
Don't forget you have to concatenate pin and token and enter them in
place of password (e.g., pin=1234 token=5678 is equivalent to
password=12345678)

Best Regards,
Antonio Borneo

On Mon, Nov 3, 2008 at 12:29 PM, Scapolan, Anthony J
<Anthony.Scapolan [at] team> wrote:
> Hi
>
> I am not sure if I have the token type you need to test.
>
> I have a RSA token which uses a pin+token.
> We use Nortel contivity with a group username and group password.
>
> I checked out the latest version and applied your patch.
>
> This is the config file I am using
>
> IPSec gateway (ip)
> IPSec ID (group)
> IPSec secret (password)
> vendor nortel
> IKE Authmode hybrid
>
> I am starting vpnc with ./vpnc vpnc.conf:
> When I try I still get ./vpnc: response was invalid [1]: (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
>
> I might have the wrong options set or the system might not be what you're after. If it's the config let me know and I can test again. If it is the wrong type of VPN sorry to have bothered you.
>
> Anthony


Anthony.Scapolan at team

Nov 4, 2008, 1:20 PM

Post #11 of 23 (5285 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hi Antonio

I have unfortunately never had vpnc-Nortel work; it always gives the error "./vpnc: response was invalid [1]: (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)"

I do not understand this error fully and I was just hoping your patch would allow this to start working.
Changing to PSK didn't help unfortunately.

Good luck with someone to test your patch.

Anthony

-----Original Message-----
From: Antonio Borneo [mailto:borneo.antonio [at] gmail]
Sent: Monday, 3 November 2008 4:12 PM
To: Scapolan, Anthony J; vpnc-devel [at] unix-ag
Subject: Re: [vpnc-devel] vpnc-nortel with group password authentication

Hi Anthony,
thanks for your support in this test.
Your vpnc stops before reaching my patch, so your problem is somewhere else.
Have you already successfully logged in, before, with vpnc-nortel without any patch?

Seems to me, in order to get it working, you have to change your config with:
IKE Authmode psk
Don't forget you have to concatenate pin and token and enter them in place of password (e.g., pin=1234 token=5678 is equivalent to
password=12345678)

Best Regards,
Antonio Borneo

On Mon, Nov 3, 2008 at 12:29 PM, Scapolan, Anthony J <Anthony.Scapolan [at] team> wrote:
> Hi
>
> I am not sure if I have the token type you need to test.
>
> I have a RSA token which uses a pin+token.
> We use Nortel contivity with a group username and group password.
>
> I checked out the latest version and applied your patch.
>
> This is the config file I am using
>
> IPSec gateway (ip)
> IPSec ID (group)
> IPSec secret (password)
> vendor nortel
> IKE Authmode hybrid
>
> I am starting vpnc with ./vpnc vpnc.conf:
> When I try I still get ./vpnc: response was invalid [1]:
> (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
>
> I might have the wrong options set or the system might not be what you're after. If it's the config let me know and I can test again. If it is the wrong type of VPN sorry to have bothered you.
>
> Anthony



jmvpnc at loplof

Nov 5, 2008, 11:40 AM

Post #12 of 23 (5262 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hello Anthony,

On Wed, Nov 05, 2008 at 08:20:09AM +1100, Scapolan, Anthony J wrote:
> I have unfortunately never had vpnc-Nortel work; it always gives the error "./vpnc: response was invalid [1]: (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)"
>
> I do not understand this error fully and I was just hoping your patch would allow this to start working.
> Changing to PSK didn't help unfortunately.

Can you please use a sniffer tool like Wireshark and capture a (successful) connection
attempt with the Nortel client (or any other working client).
Send the binary capture file. It might help us to find out what is
different between the settings.

ciao
Joerg
--
Joerg Mayer <jmayer [at] loplof>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.


borneo.antonio at gmail

Nov 8, 2008, 8:25 AM

Post #13 of 23 (5257 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hi,
in attachment a preliminary patch that supports
a) "User Name and Password Authentication" (from François' patch)
b) "Group Password Authentication"
c) "Response Only Token" (default)
d) "Response Only Token" with split PIN and Token fields

I invite you to test it.
I have only tested b), since it is the only account I have.
Case c) is the mode usually supported by vpnc-nortel. I have applied
the patch I attached before, on which I have received no feedback.
This is the default mode, for backward compatibility with your old
config file.

To select one of the different modes, use the command line option
--nortel-auth-mode <username/cert/token/PIN-token/token-SW/gpassword>
These are the same modes available in Nortel client 6.01 for Windows.
The options "cert" and "token-SW" are not implemented.
Older Nortel clients also implement "Challenge Response Token". I have
received no feedback on whether someone is using it. Should it be included?

I'm not really satisfied about the option set. There is overlapping
with option --auth-mode and, in case of "Challenge Response Token",
also with --xauth-inter.
I did not change anything around them, to avoid any code corruption
with Cisco branch.
Any suggestion for better integration with Cisco code is welcome.

Best Regards,
Antonio Borneo

On Mon, Nov 3, 2008 at 11:19 AM, Antonio Borneo
<borneo.antonio [at] gmail> wrote:
> Hi,
> using info from François and other contributors to this list, I'm
> going to add in vpnc-nortel the support for:
> - "User Name and Password Authentication" (from François)
> - "Group Password Authentication" (currently used by me and François)
> - add to existing "Response Only Token" the option of separate "PIN" and "Token"
>
> Can anyone confirm if the following options are currently working?
> - "Digital Certificate Authentication"
> - "Challenge Response Token"
>
> I have no access to a "Response Only Token" server, so I need your
> help to test the attached patch. It should allow better integration
> with the new authentication modes.
> It is a small modification to the existing code; should work without
> any problem.
>
> Everyone able to connect to a "Response Only Token" server with
> vpnc-nortel as it is today in svn, could test the patch.
> The patch is against vpnc-nortel version 352 but can be applied to
> older code, doesn't really matter.
>
> Thank you.
> Best Regards
> Antonio Borneo
Attachments: patch_nortel_auth.txt (11.7 KB)


gofman.mike at gmail

Nov 8, 2008, 11:13 AM

Post #14 of 23 (5251 views)
Re: vpnc-nortel with group password authentication [In reply to]

Woo hoo.
For the first time I'm getting meaningful error messages:
After applying the patch and executing vpnc with the following parameters:
sudo ./vpnc --gateway mygateway --nortel-auth-mode username --username
testuser --domain mydomain --vendor nortel --pfs dh5 --local-port 1001
--debug 3

First off, if I entered the wrong password I get a
./vpnc: hash comparison failed: (ISAKMP_N_AUTHENTICATION_FAILED)(24)
check group password!
Which means that it actually got far enough to check my password.

But with the right password I get the following (starting at phase2):

S6 do_phase2
[2008-11-08 14:11:36]


receiving: <========================
[2008-11-08 14:11:36]
BEGIN_PARSE
Recieved Packet Len: 284
i_cookie: b745ec80 7ac4fa09
r_cookie: 29ff92b7 e2ee6c53
payload: 08 (ISAKMP_PAYLOAD_HASH)
isakmp_version: 10
exchange_type: 20 (ISAKMP_EXCHANGE_IKE_QUICK)
flags: 01
message_id: b3edea28
len: 0000011c

PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
next_type: 01 (ISAKMP_PAYLOAD_SA)
length: 0018
ke.data:
566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)

PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
next_type: 0a (ISAKMP_PAYLOAD_NONCE)
length: 00b2
sa.doi: 00000001 (ISAKMP_DOI_IPSEC)
sa.situation: 00000001 (ISAKMP_IPSEC_SIT_IDENTITY_ONLY)

PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
next_type: 02 (ISAKMP_PAYLOAD_P)
length: 0044
p.number: 01
p.prot_id: 02 (ISAKMP_IPSEC_PROTO_IPSEC_AH)
p.spi_size: 04
length: 02
p.spi: 9b03847f

PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 03 (ISAKMP_PAYLOAD_T)
length: 001c
t.number: 01
t.id: 03 (ISAKMP_IPSEC_AH_SHA)
t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 00007080
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)

PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 001c
t.number: 02
t.id: 02 (ISAKMP_IPSEC_AH_MD5)
t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
t.attributes.u.attr_16: 0001 (IPSEC_AUTH_HMAC_MD5)
t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 00007080
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)

PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
next_type: 02 (ISAKMP_PAYLOAD_P)
length: 001e
p.number: 01
p.prot_id: 04 (ISAKMP_IPSEC_PROTO_IPCOMP)
p.spi_size: 02
length: 01
p.spi: ed36

PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0014
t.number: 01
t.id: 03 (ISAKMP_IPSEC_IPCOMP_LZS)
t.attributes.type: 0001
t.attributes.u.attr_16: 0001
t.attributes.type: 0002
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 00007080
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)

PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0044
p.number: 02
p.prot_id: 02 (ISAKMP_IPSEC_PROTO_IPSEC_AH)
p.spi_size: 04
length: 02
p.spi: 9b03847f

PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 03 (ISAKMP_PAYLOAD_T)
length: 001c
t.number: 01
t.id: 03 (ISAKMP_IPSEC_AH_SHA)
t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 00007080
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)

PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 001c
t.number: 02
t.id: 02 (ISAKMP_IPSEC_AH_MD5)
t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
t.attributes.u.attr_16: 0001 (IPSEC_AUTH_HMAC_MD5)
t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 00007080
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
DONE PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)

PARSING PAYLOAD type: 0a (ISAKMP_PAYLOAD_NONCE)
next_type: 05 (ISAKMP_PAYLOAD_ID)
length: 0018
ke.data:
5873111b 8f941d58 2de37c7a 04ccdfde 8d2da65c
DONE PARSING PAYLOAD type: 0a (ISAKMP_PAYLOAD_NONCE)

PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
next_type: 05 (ISAKMP_PAYLOAD_ID)
length: 0010
id.type: 07 (ISAKMP_IPSEC_ID_IPV4_ADDR_RANGE)
id.protocol: 00
id.port: 0000
id.data: 00000000 ffffffff
DONE PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)

PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 000c
id.type: 01 (ISAKMP_IPSEC_ID_IPV4_ADDR)
id.protocol: 00
id.port: 0000
id.data: 0a680655
DONE PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
extra data: 0000
PARSE_OK
hashlen: 20
u.hash.length: 20
expected_hash:
566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
h->u.hash.data:
566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0

do_phase2: S7.5 QM_packet2 check reject offer
[2008-11-08 14:11:36]

do_phase2: S7.6 QM_packet2 check and process proposal
[2008-11-08 14:11:36]


---!!!!!!!!! entering phase2_fatal !!!!!!!!!---


size = 36, blksz = 8, padding = 4

sending: ========================>
BEGIN_PARSE
Recieved Packet Len: 68
i_cookie: b745ec80 7ac4fa09
r_cookie: 29ff92b7 e2ee6c53
payload: 08 (ISAKMP_PAYLOAD_HASH)
isakmp_version: 10
exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
flags: 01
message_id: 3f450401
len: 00000044

PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
next_type: 0b (ISAKMP_PAYLOAD_N)
length: 0018
ke.data:
aa699248 7ba933bd 1ce37ddd 949f9cd2 760493cd
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)

PARSING PAYLOAD type: 0b (ISAKMP_PAYLOAD_N)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 000c
n.doi: 00000001 (ISAKMP_DOI_IPSEC)
n.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
n.spi_length: 00
n.type: 000f (ISAKMP_N_BAD_PROPOSAL_SYNTAX)
n.spi:
n.data:
DONE PARSING PAYLOAD type: 0b (ISAKMP_PAYLOAD_N)

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
extra data: 00000000
PARSE_OK
size = 52, blksz = 8, padding = 4

sending: ========================>
BEGIN_PARSE
Recieved Packet Len: 84
i_cookie: b745ec80 7ac4fa09
r_cookie: 29ff92b7 e2ee6c53
payload: 08 (ISAKMP_PAYLOAD_HASH)
isakmp_version: 10
exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
flags: 01
message_id: fde60155
len: 00000054

PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
next_type: 0c (ISAKMP_PAYLOAD_D)
length: 0018
ke.data:
d166c8c5 752a3207 19efcf7c 222d0ae8 d8891ac1
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)

PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 001c
d.doi: 00000001 (ISAKMP_DOI_IPSEC)
d.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
d.spi_length: 10
d.num_spi: 0001
d.spi: b745ec80 7ac4fa09 29ff92b7 e2ee6c53
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
extra data: 00000000
PARSE_OK
./vpnc: quick mode response rejected [2]:
(ISAKMP_N_BAD_PROPOSAL_SYNTAX)(15)


_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
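The SA payload in Mike's dump offers only AH and IPCOMP proposals, and Antonio's follow-up later in this thread explains that vpnc, implementing only ESP, then answers with ISAKMP_N_BAD_PROPOSAL_SYNTAX. The C program below is an added example, not vpnc code: it rebuilds the proposal bytes from the field values in the dump (constructed, not a capture), walks the proposal and transform chains with length checks, and returns which proposal bundle a client with a given protocol set could accept. parse_proposals, choose_proposal, dump_proto_at and dump_choose are this example's own names, not vpnc functions.

```c
/* Added example, not vpnc code: parse the proposal chain of an ISAKMP SA payload
 * (RFC 2408 layout) and decide whether a client with a given protocol set can accept any bundle. */
#include <stddef.h>
#include <stdint.h>

enum { PAYLOAD_NONE = 0, PAYLOAD_P = 2, PAYLOAD_T = 3 };                  /* ISAKMP payload types */
enum { PROTO_AH = 2, PROTO_ESP = 3, PROTO_IPCOMP = 4, MAX_PROPOSALS = 8 }; /* IPsec DOI protocol ids */

struct proposal {
    uint8_t number;                    /* proposals sharing a number form one AND-bundle */
    uint8_t proto_id, spi_size, num_transforms;
};

/* Constructed from the field values in the debug dump (not a capture): proposal #1 =
 * AH(SHA or MD5) + IPCOMP(LZS), proposal #2 = AH(SHA or MD5). Attribute encoding:
 * 80xx = basic with 2-byte value, 00 02 00 04 = variable-length 4-byte lifetime. */
static const uint8_t sa_proposals_from_dump[] = {
    /* P #1, proto AH, SPI 9b03847f, 2 transforms, length 0x44 */
    0x02,0x00,0x00,0x44, 0x01,0x02,0x04,0x02, 0x9b,0x03,0x84,0x7f,
    0x03,0x00,0x00,0x1c, 0x01,0x03,0x00,0x00, 0x80,0x05,0x00,0x02, 0x80,0x04,0x00,0x01,
    0x80,0x01,0x00,0x01, 0x00,0x02,0x00,0x04, 0x00,0x00,0x70,0x80,      /* T #1 AH_SHA */
    0x00,0x00,0x00,0x1c, 0x02,0x02,0x00,0x00, 0x80,0x05,0x00,0x01, 0x80,0x04,0x00,0x01,
    0x80,0x01,0x00,0x01, 0x00,0x02,0x00,0x04, 0x00,0x00,0x70,0x80,      /* T #2 AH_MD5 */
    /* P #1, proto IPCOMP, SPI ed36, 1 transform, length 0x1e */
    0x02,0x00,0x00,0x1e, 0x01,0x04,0x02,0x01, 0xed,0x36,
    0x00,0x00,0x00,0x14, 0x01,0x03,0x00,0x00, 0x80,0x01,0x00,0x01,
    0x00,0x02,0x00,0x04, 0x00,0x00,0x70,0x80,                           /* T #1 IPCOMP_LZS */
    /* P #2, proto AH, SPI 9b03847f, 2 transforms, length 0x44; next = 0 ends the chain */
    0x00,0x00,0x00,0x44, 0x02,0x02,0x04,0x02, 0x9b,0x03,0x84,0x7f,
    0x03,0x00,0x00,0x1c, 0x01,0x03,0x00,0x00, 0x80,0x05,0x00,0x02, 0x80,0x04,0x00,0x01,
    0x80,0x01,0x00,0x01, 0x00,0x02,0x00,0x04, 0x00,0x00,0x70,0x80,
    0x00,0x00,0x00,0x1c, 0x02,0x02,0x00,0x00, 0x80,0x05,0x00,0x01, 0x80,0x04,0x00,0x01,
    0x80,0x01,0x00,0x01, 0x00,0x02,0x00,0x04, 0x00,0x00,0x70,0x80,
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the proposal chain, checking every length against the enclosing payload
 * before trusting it. Returns the proposal count, or -1 if the chain is malformed. */
int parse_proposals(const uint8_t *buf, size_t len, struct proposal *out, int max)
{
    size_t off = 0; int n = 0; uint8_t next = PAYLOAD_P;
    while (next == PAYLOAD_P) {
        if (n >= max || off + 8 > len) return -1;
        uint16_t plen = rd16(buf + off + 2);
        if (plen < 8 || plen > len - off) return -1;
        struct proposal *p = &out[n];
        next = buf[off];
        p->number = buf[off + 4];   p->proto_id = buf[off + 5];
        p->spi_size = buf[off + 6]; p->num_transforms = buf[off + 7];
        if ((size_t)8 + p->spi_size > plen) return -1;
        /* Walk the transform chain too, so a bad inner length is caught here. */
        size_t toff = off + 8 + p->spi_size, end = off + plen;
        uint8_t tnext = p->num_transforms ? PAYLOAD_T : PAYLOAD_NONE; int tcount = 0;
        while (tnext == PAYLOAD_T) {
            if (toff + 8 > end) return -1;
            uint16_t tlen = rd16(buf + toff + 2);
            if (tlen < 8 || tlen > end - toff) return -1;
            tnext = buf[toff];
            toff += tlen;
            tcount++;
        }
        if (tnext != PAYLOAD_NONE || tcount != p->num_transforms || toff != end) return -1;
        off = end;
        n++;
    }
    return next == PAYLOAD_NONE ? n : -1;
}

/* Same-numbered proposals must all be accepted together (AND); different numbers are
 * alternatives (OR). Returns the first proposal number whose every protocol is in
 * supported_mask (bit = protocol id), else -1: the case the dump reports as
 * ISAKMP_N_BAD_PROPOSAL_SYNTAX when the client implements only ESP. */
int choose_proposal(const struct proposal *ps, int n, unsigned supported_mask)
{
    for (int i = 0; i < n; i++) {
        uint8_t num = ps[i].number;
        if (i > 0 && ps[i - 1].number == num) continue;  /* bundle already judged */
        int ok = 1;
        for (int j = i; j < n && ps[j].number == num; j++)
            if (ps[j].proto_id >= 32 || !(supported_mask & (1u << ps[j].proto_id))) ok = 0;
        if (ok) return num;
    }
    return -1;
}

/* Wrappers over the constructed bytes so the results can be checked directly. */
int dump_proto_at(int i)   /* protocol id of the i-th proposal, -1 past the end */
{
    struct proposal ps[MAX_PROPOSALS];
    int n = parse_proposals(sa_proposals_from_dump, sizeof sa_proposals_from_dump, ps, MAX_PROPOSALS);
    return (i >= 0 && i < n) ? ps[i].proto_id : -1;
}
int dump_choose(unsigned supported_mask)
{
    struct proposal ps[MAX_PROPOSALS];
    int n = parse_proposals(sa_proposals_from_dump, sizeof sa_proposals_from_dump, ps, MAX_PROPOSALS);
    return n < 0 ? -1 : choose_proposal(ps, n, supported_mask);
}
```

With only ESP supported the result is -1; with AH and IPCOMP it accepts bundle #1, and with AH alone bundle #2, because the two proposals numbered 1 must be accepted together.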


borneo.antonio at gmail

Nov 8, 2008, 7:32 PM

Post #15 of 23 (5263 views)
Re: vpnc-nortel with group password authentication [In reply to]

Ciao Mike,
pay attention to this detail:
when you select username authentication, the couple
"username"-"password" has to be filled in the fields "IPSec
ID"-"IPSec secret". Practically, the handshake uses username/password
in place of group-ID and group-secret.
Try:
sudo ./vpnc --vendor nortel --nortel-auth-mode username
--pfs dh5 --local-port 1001 --debug 3
--gateway mygateway --id testuser
and you will be prompted for the password.

Best Regards,
Antonio Borneo



borneo.antonio at gmail

Nov 9, 2008, 7:04 AM

Post #16 of 23 (5247 views)
Re: vpnc-nortel with group password authentication [In reply to]

Hi François,
thank you for the message.
I'm putting the list in copy.

Best Regards,
Antonio Borneo

On Sun, Nov 9, 2008 at 9:31 PM, zorgluf <zorgluf [at] gmail> wrote:
> Hi,
> It works OK for me in a) and b).
> François


gofman.mike at gmail

Nov 10, 2008, 10:14 AM

Post #17 of 23 (5231 views)
Re: vpnc-nortel with group password authentication [In reply to]

Sending the reply to the list.

I was under the impression that IPSEC_AH was already working in vpnc.
If that is not so, is anyone working on it?
I found 3 very nice illustrated guides on the web that describe
IPSEC_AH in detail.
Unlike ESP mode, AH is much simpler, as it only involves an authorization
header:
http://www.javvin.com/protocolAH.html
http://www.tcpipguide.com/free/t_IPSecAuthenticationHeaderAH.htm
http://www.unixwiz.net/techtips/iguide-ipsec.html

If anyone is aware of anyone working on this, please let us know.
Thank you.


On Nov 10, 2008 1:18am, Antonio Borneo <borneo.antonio [at] gmail> wrote:
> Hi Mike,
> I dug deeper in the attachment of your previous mail.
> The reason you get "quick mode response rejected" is that your
> server offers only the following IPSEC modes:
> - ISAKMP_IPSEC_PROTO_IPSEC_AH
> - ISAKMP_IPSEC_PROTO_IPCOMP
> while the current version of vpnc only supports
> ISAKMP_IPSEC_PROTO_IPSEC_ESP, so vpnc ends up with
> ISAKMP_N_BAD_PROPOSAL_SYNTAX
>
> I'm not an expert on IPSEC, but I expect some coding is required.
> I do not think it's possible to push the server to switch to ESP mode.
>
> Best Regards,
> Antonio Borneo
>
> On Mon, Nov 10, 2008 at 1:54 AM, Mike Gofman wrote:
> > Hello Antonio.
> > I tried the tags you proposed and basically got the same response.
> > ./vpnc: quick mode response rejected [2]:
> >
> > Does that mean that my VPN connection requires a firewall, or is there
> > something I need to do with my routing tables (got that from CISCO VPNC
> > forum)
> >
> > Antonio Borneo wrote:
> >> Ciao Mike,
> >> pay attention to this detail:
> >> when you select username authentication, the couple
> >> "username"-"password" has to be filled in the fields "IPSec
> >> ID"-"IPSec secret". Practically, the handshake uses username/password
> >> in place of group-ID and group-secret.
> >> Try:
> >> sudo ./vpnc --vendor nortel --nortel-auth-mode username
> >> --pfs dh5 --local-port 1001 --debug 3
> >> --gateway mygateway --id testuser
> >> and you will be prompted for the password.
> >>
> >> Best Regards,
> >> Antonio Borneo
> >>
> >> On Sun, Nov 9, 2008 at 3:13 AM, Mike Gofman wrote:
> >>> Woo hoo.
> >>> For the first time I'm getting meaningful error messages:
> >>> After applying the patch and executing vpnc with the following
> >>> parameters:
> >>> sudo ./vpnc --gateway mygateway --nortel-auth-mode username --username
> >>> testuser --domain mydomain --vendor nortel --pfs dh5 --local-port 1001
> >>> --debug 3
> >>>
> >>> First off, if I entered the wrong password I get a
> >>> ./vpnc: hash comparison failed: (ISAKMP_N_AUTHENTICATION_FAILED)(24)
> >>> check group password!
> >>> Which means that it actually got far enough to check my password.
> >>>
> >>> But with the right password I get the following (starting at phase2):
> >>>
> >>> S6 do_phase2
> >>> [2008-11-08 14:11:36]
> >>>
> >>>
> >>> receiving: <========================
> >>> [2008-11-08 14:11:36]
> >>> BEGIN_PARSE
> >>> Recieved Packet Len: 284
> >>> i_cookie: b745ec80 7ac4fa09
> >>> r_cookie: 29ff92b7 e2ee6c53
> >>> payload: 08 (ISAKMP_PAYLOAD_HASH)
> >>> isakmp_version: 10
> >>> exchange_type: 20 (ISAKMP_EXCHANGE_IKE_QUICK)
> >>> flags: 01
> >>> message_id: b3edea28
> >>> len: 0000011c
> >>>
> >>> PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
> >>> next_type: 01 (ISAKMP_PAYLOAD_SA)
> >>> length: 0018
> >>> ke.data:
> >>> 566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
> >>> DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
> >>>
> >>> PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
> >>> next_type: 0a (ISAKMP_PAYLOAD_NONCE)
> >>> length: 00b2
> >>> sa.doi: 00000001 (ISAKMP_DOI_IPSEC)
> >>> sa.situation: 00000001 (ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
> >>>
> >>> PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
> >>> next_type: 02 (ISAKMP_PAYLOAD_P)
> >>> length: 0044
> >>> p.number: 01
> >>> p.prot_id: 02 (ISAKMP_IPSEC_PROTO_IPSEC_AH)
> >>> p.spi_size: 04
> >>> length: 02
> >>> p.spi: 9b03847f
> >>>
> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
> >>> next_type: 03 (ISAKMP_PAYLOAD_T)
> >>> length: 001c
> >>> t.number: 01
> >>> t.id: 03 (ISAKMP_IPSEC_AH_SHA)
> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
> >>> t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
> >>> t.attributes.u.lots.length: 0004
> >>> t.attributes.u.lots.data: 00007080
> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
> >>>
> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
> >>> length: 001c
> >>> t.number: 02
> >>> t.id: 02 (ISAKMP_IPSEC_AH_MD5)
> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
> >>> t.attributes.u.attr_16: 0001 (IPSEC_AUTH_HMAC_MD5)
> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
> >>> t.attributes.u.lots.length: 0004
> >>> t.attributes.u.lots.data: 00007080
> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
> >>>
> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
> >>> DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
> >>>
> >>> PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
> >>> next_type: 02 (ISAKMP_PAYLOAD_P)
> >>> length: 001e
> >>> p.number: 01
> >>> p.prot_id: 04 (ISAKMP_IPSEC_PROTO_IPCOMP)
> >>> p.spi_size: 02
> >>> length: 01
> >>> p.spi: ed36
> >>>
> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
> >>> length: 0014
> >>> t.number: 01
> >>> t.id: 03 (ISAKMP_IPSEC_IPCOMP_LZS)
> >>> t.attributes.type: 0001
> >>> t.attributes.u.attr_16: 0001
> >>> t.attributes.type: 0002
> >>> t.attributes.u.lots.length: 0004
> >>> t.attributes.u.lots.data: 00007080
> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
> >>>
> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
> >>> DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
> >>>
> >>> PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
> >>> length: 0044
> >>> p.number: 02
> >>> p.prot_id: 02 (ISAKMP_IPSEC_PROTO_IPSEC_AH)
> >>> p.spi_size: 04
> >>> length: 02
> >>> p.spi: 9b03847f
> >>>
> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
> >>> next_type: 03 (ISAKMP_PAYLOAD_T)
> >>> length: 001c
> >>> t.number: 01
> >>> t.id: 03 (ISAKMP_IPSEC_AH_SHA)
> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
> >>> t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>
> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
>
> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>
> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>
> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>
> >>> t.attributes.u.lots.length: 0004
>
> >>> t.attributes.u.lots.data: 00007080
>
> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>
> >>>
>
> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>
> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>
> >>> length: 001c
>
> >>> t.number: 02
>
> >>> t.id: 02 (ISAKMP_IPSEC_AH_MD5)
>
> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>
> >>> t.attributes.u.attr_16: 0001 (IPSEC_AUTH_HMAC_MD5)
>
> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>
> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
>
> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>
> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>
> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>
> >>> t.attributes.u.lots.length: 0004
>
> >>> t.attributes.u.lots.data: 00007080
>
> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>
> >>>
>
> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>
> >>> DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>
> >>>
>
> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>
> >>> DONE PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
>
> >>>
>
> >>> PARSING PAYLOAD type: 0a (ISAKMP_PAYLOAD_NONCE)
>
> >>> next_type: 05 (ISAKMP_PAYLOAD_ID)
>
> >>> length: 0018
>
> >>> ke.data:
>
> >>> 5873111b 8f941d58 2de37c7a 04ccdfde 8d2da65c
>
> >>> DONE PARSING PAYLOAD type: 0a (ISAKMP_PAYLOAD_NONCE)
>
> >>>
>
> >>> PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>
> >>> next_type: 05 (ISAKMP_PAYLOAD_ID)
>
> >>> length: 0010
>
> >>> id.type: 07 (ISAKMP_IPSEC_ID_IPV4_ADDR_RANGE)
>
> >>> id.protocol: 00
>
> >>> id.port: 0000
>
> >>> id.data: 00000000 ffffffff
>
> >>> DONE PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>
> >>>
>
> >>> PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>
> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>
> >>> length: 000c
>
> >>> id.type: 01 (ISAKMP_IPSEC_ID_IPV4_ADDR)
>
> >>> id.protocol: 00
>
> >>> id.port: 0000
>
> >>> id.data: 0a680655
>
> >>> DONE PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>
> >>>
>
> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>
> >>> extra data: 0000
>
> >>> PARSE_OK
>
> >>> hashlen: 20
>
> >>> u.hash.length: 20
>
> >>> expected_hash:
>
> >>> 566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
>
> >>> h->u.hash.data:
>
> >>> 566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
>
> >>>
>
> >>> do_phase2: S7.5 QM_packet2 check reject offer
>
> >>> [2008-11-08 14:11:36]
>
> >>>
>
> >>> do_phase2: S7.6 QM_packet2 check and process proposal
>
> >>> [2008-11-08 14:11:36]
>
> >>>
>
> >>>
>
> >>> ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
>
> >>>
>
> >>>
>
> >>> size = 36, blksz = 8, padding = 4
>
> >>>
>
> >>> sending: ========================>
>
> >>> BEGIN_PARSE
>
> >>> Recieved Packet Len: 68
>
> >>> i_cookie: b745ec80 7ac4fa09
>
> >>> r_cookie: 29ff92b7 e2ee6c53
>
> >>> payload: 08 (ISAKMP_PAYLOAD_HASH)
>
> >>> isakmp_version: 10
>
> >>> exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
>
> >>> flags: 01
>
> >>> message_id: 3f450401
>
> >>> len: 00000044
>
> >>>
>
> >>> PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>
> >>> next_type: 0b (ISAKMP_PAYLOAD_N)
>
> >>> length: 0018
>
> >>> ke.data:
>
> >>> aa699248 7ba933bd 1ce37ddd 949f9cd2 760493cd
>
> >>> DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>
> >>>
>
> >>> PARSING PAYLOAD type: 0b (ISAKMP_PAYLOAD_N)
>
> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>
> >>> length: 000c
>
> >>> n.doi: 00000001 (ISAKMP_DOI_IPSEC)
>
> >>> n.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
>
> >>> n.spi_length: 00
>
> >>> n.type: 000f (ISAKMP_N_BAD_PROPOSAL_SYNTAX)
>
> >>> n.spi:
>
> >>> n.data:
>
> >>> DONE PARSING PAYLOAD type: 0b (ISAKMP_PAYLOAD_N)
>
> >>>
>
> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>
> >>> extra data: 00000000
>
> >>> PARSE_OK
>
> >>> size = 52, blksz = 8, padding = 4
>
> >>>
>
> >>> sending: ========================>
>
> >>> BEGIN_PARSE
>
> >>> Recieved Packet Len: 84
>
> >>> i_cookie: b745ec80 7ac4fa09
>
> >>> r_cookie: 29ff92b7 e2ee6c53
>
> >>> payload: 08 (ISAKMP_PAYLOAD_HASH)
>
> >>> isakmp_version: 10
>
> >>> exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
>
> >>> flags: 01
>
> >>> message_id: fde60155
>
> >>> len: 00000054
>
> >>>
>
> >>> PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>
> >>> next_type: 0c (ISAKMP_PAYLOAD_D)
>
> >>> length: 0018
>
> >>> ke.data:
>
> >>> d166c8c5 752a3207 19efcf7c 222d0ae8 d8891ac1
>
> >>> DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>
> >>>
>
> >>> PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
>
> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>
> >>> length: 001c
>
> >>> d.doi: 00000001 (ISAKMP_DOI_IPSEC)
>
> >>> d.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
>
> >>> d.spi_length: 10
>
> >>> d.num_spi: 0001
>
> >>> d.spi: b745ec80 7ac4fa09 29ff92b7 e2ee6c53
>
> >>> DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
>
> >>>
>
> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>
> >>> extra data: 00000000
>
> >>> PARSE_OK
>
> >>> ./vpnc: quick mode response rejected [2]:
>
> >>> (ISAKMP_N_BAD_PROPOSAL_SYNTAX)(15)
>
> >>>
>
> >>> Antonio Borneo wrote:
>
> >>>
>
> >>>>
>
> >>>> Hi,
>
> >>>> in attachment a preliminary patch that supports
>
> >>>> a) "User Name and Password Authentication" (from François' patch)
>
> >>>> b) "Group Password Authentication"
>
> >>>> c) "Response Only Token" (default)
>
> >>>> d) "Response Only Token" with split PIN and Token fields
>
> >>>>
>
> >>>> I invite you to test it.
>
> >>>> I have only tested b), since it is the only account I have.
>
> >>>> Case c) is the mode usually supported by vpnc-nortel. I have applyed
>
> >>>> the patch I attached before, on which I have received no feedback.
>
> >>>> This is the default mode, for backward compatibility with your old
>
> >>>> config file.
>
> >>>>
>
> >>>> To select one of the different modes, use the command line option
>
> >>>> --nortel-auth-mode
>
> >>>> These are the same modes available in Nortel client 6.01 for Windows.
>
> >>>> The options "cert" and "token-SW" are not implemented.
>
> >>>> Older Nortel clients implement also "Challenge Response Token". I
have
>
> >>>> received no feedback if someone is using it. Should be included?
>
> >>>>
>
> >>>> I'm not really satisfied about the option set. There is overlapping
>
> >>>> with option --auth-mode and, in case of "Challenge Response Token",
>
> >>>> also with --xauth-inter.
>
> >>>> I did not changed anything, around them, to avoid any code corruption
>
> >>>> with Cisco branch.
>
> >>>> Any suggestion for better integration with Cisco code is welcome.
>
> >>>>
>
> >>>> Best Regards,
>
> >>>> Antonio Borneo
>
> >>>>
>
> >>>> On Mon, Nov 3, 2008 at 11:19 AM, Antonio Borneo
>
> >>>> wrote:
>
> >>>>
>
> >>>>
>
> >>>>>
>
> >>>>> Hi,
>
> >>>>> using info from François and other contributors to this list, I'm
>
> >>>>> going to add in vpnc-nortel the support for:
>
> >>>>> - "User Name and Password Authentication" (from François)
>
> >>>>> - "Group Password Authentication" (currently used by me and
François)
>
> >>>>> - add to existing "Response Only Token" the option of separate "PIN"
>
> >>>>> and "Token"
>
> >>>>>
>
> >>>>> Anyone can confirm if the following options are currently working?
>
> >>>>> - "Digital Certificate Authentication"
>
> >>>>> - "Challenge Response Token"
>
> >>>>>
>
> >>>>> I have no access to a "Response Only Token" server, so I need your
>
> >>>>> help to test the attached patch. It should allow better integration
>
> >>>>> with the new authentication modes.
>
> >>>>> It is a small modification to the existing code; should work without
>
> >>>>> any problem.
>
> >>>>>
>
> >>>>> Everyone able to connect to a "Response Only Token" server with
>
> >>>>> vpnc-nortel as it is today in svn, could test the patch.
>
> >>>>> The patch is against vpnc-nortel version 352 but can be applied to
>
> >>>>> older code, doesn't really matter.
>
> >>>>>
>
> >>>>> Thank you.
>
> >>>>> Best Regards
>
> >>>>> Antonio Borneo
>
> >>>>>
>
> >>>>>
>
> >>>>>
------------------------------------------------------------------------
>
> >>>>>
>
> >>>>> _______________________________________________
>
> >>>>> vpnc-devel mailing list
>
> >>>>> vpnc-devel [at] unix-ag
>
> >>>>> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
>
> >>>>> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> >>>>>
>
> >>>
>
> >>> _______________________________________________
>
> >>> vpnc-devel mailing list
>
> >>> vpnc-devel [at] unix-ag
>
> >>> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
>
> >>> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> >>>
>
> >>>
>
> >
>
> >
>


jmvpnc at loplof

Nov 11, 2008, 1:43 PM

Post #18 of 23 (5211 views)
Permalink
Re: vpnc-nortel with group password authentication [In reply to]

On Mon, Nov 10, 2008 at 10:14:04AM -0800, gofman.mike [at] gmail wrote:
> Sending the reply to the list.
>
> I was under impression that IPSEC_AH was already working in vpnc.
> If that is not so, is anyone working on it?
> I found 3 very nice illustrated guides on the web that describe the
> IPSEC_AH in detail.
> Unlike ESP mode, AH is much simpler, as it only involves an authorization
> Header
> http://www.javvin.com/protocolAH.html
> http://www.tcpipguide.com/free/t_IPSecAuthenticationHeaderAH.htm
> http://www.unixwiz.net/techtips/iguide-ipsec.html
>
> If anyone is aware of anyone working on this, please let us know.

No, we neither support this nor is anyone working on it to my knowledge.
AH has the big disadvantage to definitely not work once NAT (and of course
PAT) is used anywhere in the communication path. In case you feel like
giving it a try yourself I'd be willing to help (and of course integrate
it into the official sources) but I definitely have other projects inside
and outside vpnc that have higher priorities so I won't be doing the
work for you ;-)

Ciao
Joerg

--
Joerg Mayer <jmayer [at] loplof>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


gofman.mike at gmail

Nov 11, 2008, 1:54 PM

Post #19 of 23 (5212 views)
Permalink
Re: vpnc-nortel with group password authentication [In reply to]

Oh well.
Thanks for your response anyway.
I'm going to try to convince our VPN admin to make our concentrator support
ESP mode in addition to the AH.
However, as far as User Name/Pass authentication goes, it seems to have passed the
authentication stage.
So as far as I'm concerned it seems to be working.





gofman.mike at gmail

Nov 19, 2008, 11:23 AM

Post #20 of 23 (5133 views)
Permalink
Re: vpnc-nortel with group password authentication [In reply to]

I checked with the VPN admin and apparently ESP mode is in fact enabled.
Here is the list of things that are enabled on the Nortel VPN concentrator
side:

- ESP - 256-bit AES with SHA1 Integrity: Enabled
- ESP - 128-bit AES with SHA1 Integrity: Disabled
- ESP - Triple DES with SHA1 Integrity: Disabled
- ESP - Triple DES with MD5 Integrity: Disabled
- AH - Authentication Only (HMAC-SHA1): Enabled
- AH - Authentication Only (HMAC-MD5): Enabled

I'm guessing VPNC does not currently support 256-bit AES, is that correct?
I think we should at the very least produce a meaningful error message.
Antonio (or anyone else who's willing to code any of this), let me know if
you'd like me to provide any traces or wireshark captures.
Thank you.

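As an added illustration (not vpnc code, and not part of the original thread), here is a small Python parser for the Quick Mode SA payload structure that vpnc printed in Mike's trace: it walks the proposal and transform payloads, groups proposals by number (same number means the protocols are to be used together, as with the AH + IPCOMP pair in the trace), and reports which protocols the gateway offered against the set the client supports, which is the kind of meaningful error message Mike asks for instead of a bare BAD_PROPOSAL_SYNTAX. The protocol, transform and attribute numbers are the IPsec DOI values from RFC 2407/2408; the byte string is constructed here from the values in the trace (not a capture), and the ESP-only default in `check_offer` stands for what Antonio describes vpnc supporting.

```python
import struct

# IPsec DOI protocol and transform numbers (RFC 2407); the names are the
# ones vpnc prints in the trace. ESP transforms are listed so the check can
# name what the client would accept.
PAYLOAD_P, PAYLOAD_T = 2, 3          # ISAKMP proposal / transform payload types
PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
TRANSFORM = {2: {2: "AH_MD5", 3: "AH_SHA"}, 3: {3: "ESP_3DES", 12: "ESP_AES"},
             4: {2: "IPCOMP_DEFLATE", 3: "IPCOMP_LZS"}}


def parse_attributes(data):
    # ISAKMP data attributes: TV form (high bit set, 16-bit value inline)
    # or TLV form (a length, then that many value bytes).
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute")
        atype, val = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:
            attrs.append((atype & 0x7FFF, val))
        else:
            if off + val > len(data):
                raise ValueError("truncated TLV attribute")
            attrs.append((atype, int.from_bytes(data[off:off + val], "big")))
            off += val
    return attrs


def parse_transforms(data):
    # Chain of transform payloads: next, reserved, length, number, id, reserved.
    out, off, nxt = [], 0, PAYLOAD_T
    while nxt == PAYLOAD_T:
        if off + 8 > len(data):
            raise ValueError("truncated transform payload")
        nxt, _, length, num, tid, _ = struct.unpack_from("!BBHBBH", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError("bad transform length")
        out.append({"number": num, "id": tid,
                    "attributes": parse_attributes(data[off + 8:off + length])})
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after last transform")
    return out


def parse_sa_payload(body):
    # SA payload body after its 4-byte generic header: DOI, situation, then
    # a chain of proposal payloads, each with its SPI and transforms.
    if len(body) < 8:
        raise ValueError("SA payload too short")
    doi, sit = struct.unpack_from("!II", body, 0)
    props, off, nxt = [], 8, PAYLOAD_P
    while nxt == PAYLOAD_P:
        if off + 8 > len(body):
            raise ValueError("truncated proposal payload")
        nxt, _, length, num, proto, spi_len, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        if length < 8 + spi_len or off + length > len(body):
            raise ValueError("bad proposal length")
        trans = parse_transforms(body[off + 8 + spi_len:off + length])
        if len(trans) != ntrans:
            raise ValueError("transform count mismatch")
        props.append({"number": num, "protocol": proto,
                      "spi": body[off + 8:off + 8 + spi_len].hex(), "transforms": trans})
        off += length
    if off != len(body):
        raise ValueError("trailing bytes after last proposal")
    return {"doi": doi, "situation": sit, "proposals": props}


def check_offer(sa, supported=frozenset({3})):
    # Proposals sharing a number must be used together (AH + IPCOMP here);
    # different numbers are alternatives (RFC 2408 4.2). Accept when some
    # alternative uses only supported protocols (default: ESP only, as
    # Antonio describes vpnc); otherwise report what was actually offered.
    groups = {}
    for p in sa["proposals"]:
        groups.setdefault(p["number"], []).append(p)
    lines = []
    for num in sorted(groups):
        parts = ["%s(%s)" % (PROTO.get(p["protocol"], p["protocol"]), "|".join(
            TRANSFORM.get(p["protocol"], {}).get(t["id"], "id%d" % t["id"])
            for t in p["transforms"])) for p in groups[num]]
        lines.append("proposal %d: %s" % (num, " + ".join(parts)))
    ok = [n for n in sorted(groups) if {p["protocol"] for p in groups[n]} <= supported]
    if ok:
        return True, "acceptable proposal(s): %s" % ok
    offered = sorted({PROTO.get(p["protocol"], "?") for p in sa["proposals"]})
    want = sorted(PROTO.get(x, "?") for x in supported)
    return False, "gateway offered only %s; client supports %s\n  %s" % (
        "/".join(offered), "/".join(want), "\n  ".join(lines))


# Constructed sample: the SA payload from the trace, rebuilt from the values
# vpnc printed (proposal lengths 0x44/0x1e/0x44, SPIs 9b03847f/ed36,
# lifetime 0x7080 s). Built for this example, not a capture.
def _tv(t, v): return struct.pack("!HH", 0x8000 | t, v)
def _tlv(t, v): return struct.pack("!HHI", t, 4, v)
def _transform(nxt, num, tid, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBHBBH", nxt, 0, 8 + len(body), num, tid, 0) + body
def _proposal(nxt, num, proto, spi, trans):
    body = spi + b"".join(trans)
    return struct.pack("!BBHBBBB", nxt, 0, 8 + len(body), num, proto, len(spi), len(trans)) + body
def _ah_transforms():   # AUTH_ALG, ENCAP_MODE tunnel, LIFE_TYPE seconds, LIFE_DURATION
    return [_transform(3, 1, 3, [_tv(5, 2), _tv(4, 1), _tv(1, 1), _tlv(2, 0x7080)]),  # AH_SHA
            _transform(0, 2, 2, [_tv(5, 1), _tv(4, 1), _tv(1, 1), _tlv(2, 0x7080)])]  # AH_MD5

SAMPLE_SA_BODY = (struct.pack("!II", 1, 1)        # DOI IPsec, SIT_IDENTITY_ONLY
                  + _proposal(2, 1, 2, bytes.fromhex("9b03847f"), _ah_transforms())
                  + _proposal(2, 1, 4, bytes.fromhex("ed36"),
                              [_transform(0, 1, 3, [_tv(1, 1), _tlv(2, 0x7080)])])  # IPCOMP_LZS
                  + _proposal(0, 2, 2, bytes.fromhex("9b03847f"), _ah_transforms()))

if __name__ == "__main__":
    accepted, message = check_offer(parse_sa_payload(SAMPLE_SA_BODY))
    print("accepted" if accepted else "rejected:", message)
```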


borneo.antonio at gmail

Dec 13, 2008, 1:24 AM

Post #21 of 23 (4934 views)
Permalink
Re: vpnc-nortel with group password authentication [In reply to]

Ciao Mike,
sorry for taking so long to answer your mail.
I'm very busy with my job, and the kind of test required for your case
needs a "quiet" day.

On my new "second-hand" Contivity server I set the same configuration
you report, and I got surprised.
It seems there is something tricky with ESP.
If the only ESP I enable has SHA1 integrity, then this goes directly
as IPCOMP, compressed mode, that vpnc does not support yet.
If I enable one of the ESP with MD5 integrity mode, then a bunch of
modes supported by vpnc comes out.
Looks like SHA1 is used for IPCOMP, and MD5 is used for uncompressed tunnel.
It is still not fully clear to me.

From your mail, I understand you are really lucky, since your sysadmin
let you look inside the configuration of Nortel server.
You could ask him to enable "ESP - Triple DES with MD5 Integrity".
This should make vpnc work.

Other possibilities, less immediate:
- implementing AH, or
- implementing IPCOMP / LZS.
To my knowledge, nobody is working on them.

Ciao
Antonio Borneo

On Mon, Nov 24, 2008 at 11:31 PM, Michael Gofman <gofman.mike [at] gmail> wrote:
>
> As far as I understood AH stage is during Authentication only.
> And other people have used it successfully, is that not true?
>
> Is ESP 256-bit supported?
> Is there anything in the trace, that was with the original message, that
> could help determine that that is what the server was asking for, rather
> than AH?
>
> Thank you.
>
>
> On Wed, Nov 19, 2008 at 2:23 PM, Michael Gofman <gofman.mike [at] gmail>
> wrote:
>>
>> I checked with the VPN admin and apparently ESP mode is in fact enabled
>> Here is the list of things that are enabled on the Nortel VPN concentrator
>> side:
>>
>> - ESP - 256-bit AES with SHA1 Integrity: Enabled
>> - ESP - 128-bit AES with SHA1 Integrity: Disabled
>> - ESP - Triple DES with SHA1 Integrity: Disabled
>> - ESP - Triple DES with MD5 Integrity: Disabled
>> - AH - Authentication Only (HMAC-SHA1): Enabled
>> - AH - Authentication Only (HMAC-MD5): Enabled
>>
>> I'm guessing VPNC does not currently support 256 bit AES is that correct?
>> I think we should at the very least produce a meaningful error message.
>> Antonio (or anyone else who's willing to code any of this) , let me know
>> if you'd like me to provide any traces or wireshark captures.
>> Thank you.
>>
>> On Mon, Nov 10, 2008 at 1:18 AM, Antonio Borneo <borneo.antonio [at] gmail>
>> wrote:
>>>
>>> Hi Mike,
>>> I dug deeper into the attachment of your previous mail.
>>> The reason you get "quick mode response rejected" is because your
>>> server offers only the following IPSEC modes:
>>> - ISAKMP_IPSEC_PROTO_IPSEC_AH
>>> - ISAKMP_IPSEC_PROTO_IPCOMP
>>> while current version of vpnc only supports
>>> ISAKMP_IPSEC_PROTO_IPSEC_ESP, so vpnc ends up with
>>> ISAKMP_N_BAD_PROPOSAL_SYNTAX
>>>
>>> I'm not an expert on IPSEC, but I expect some coding is required.
>>> I do not think it's possible to push the server to switch to ESP mode.
>>>
>>> Best Regards,
>>> Antonio Borneo
>>>
>>> On Mon, Nov 10, 2008 at 1:54 AM, Mike Gofman <gofman.mike [at] gmail>
>>> wrote:
>>> > Hello Antonio.
>>> > I tried the tags you proposed and basically got the same response.
>>> > ./vpnc: quick mode response rejected [2]:
>>> >
>>> >
>>> > Does that mean that my VPN connection requires a firewall, or is there
>>> > something I need to do with my routing tables (got that from CISCO VPNC
>>> > forum)?
>>> >
>>> >
>>> > Antonio Borneo wrote:
>>> >>
>>> >> Ciao Mike,
>>> >> pay attention to this detail:
>>> >> when you select username authentication, the couple
>>> >> "username"-"password" has to be filled in the fields "IPSec
>>> >> ID"-"IPSec secret". Practically, the handshake uses username/password
>>> >> in place of group-ID and group-secret.
>>> >> Try:
>>> >> sudo ./vpnc --vendor nortel --nortel-auth-mode username
>>> >> --pfs dh5 --local-port 1001 --debug 3
>>> >> --gateway mygateway --id testuser
>>> >> and you will be prompted for the password.
>>> >>
>>> >> Best Regards,
>>> >> Antonio Borneo
>>> >>
>>> >> On Sun, Nov 9, 2008 at 3:13 AM, Mike Gofman <gofman.mike [at] gmail>
>>> >> wrote:
>>> >>
>>> >>>
>>> >>> Woo hoo.
>>> >>> For the first time I'm getting meaningful error messages:
>>> >>> After applying the patch and executing vpnc with the following
>>> >>> parameters:
>>> >>> sudo ./vpnc --gateway mygateway --nortel-auth-mode username
>>> >>> --username
>>> >>> testuser --domain mydomain --vendor nortel --pfs dh5 --local-port
>>> >>> 1001
>>> >>> --debug 3
>>> >>>
>>> >>> First off if I entered the wrong password I get a
>>> >>> ./vpnc: hash comparison failed: (ISAKMP_N_AUTHENTICATION_FAILED)(24)
>>> >>> check group password!
>>> >>> Which means that it actually got far enough to check my password.
>>> >>>
>>> >>> But with the right password I get the following (starting at
>>> >>> phase2):
>>> >>>
>>> >>> S6 do_phase2
>>> >>> [2008-11-08 14:11:36]
>>> >>>
>>> >>>
>>> >>> receiving: <========================
>>> >>> [2008-11-08 14:11:36]
>>> >>> BEGIN_PARSE
>>> >>> Recieved Packet Len: 284
>>> >>> i_cookie: b745ec80 7ac4fa09
>>> >>> r_cookie: 29ff92b7 e2ee6c53
>>> >>> payload: 08 (ISAKMP_PAYLOAD_HASH)
>>> >>> isakmp_version: 10
>>> >>> exchange_type: 20 (ISAKMP_EXCHANGE_IKE_QUICK)
>>> >>> flags: 01
>>> >>> message_id: b3edea28
>>> >>> len: 0000011c
>>> >>>
>>> >>> PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>> >>> next_type: 01 (ISAKMP_PAYLOAD_SA)
>>> >>> length: 0018
>>> >>> ke.data:
>>> >>> 566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
>>> >>> DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>> >>>
>>> >>> PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
>>> >>> next_type: 0a (ISAKMP_PAYLOAD_NONCE)
>>> >>> length: 00b2
>>> >>> sa.doi: 00000001 (ISAKMP_DOI_IPSEC)
>>> >>> sa.situation: 00000001 (ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
>>> >>>
>>> >>> PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>> >>> next_type: 02 (ISAKMP_PAYLOAD_P)
>>> >>> length: 0044
>>> >>> p.number: 01
>>> >>> p.prot_id: 02 (ISAKMP_IPSEC_PROTO_IPSEC_AH)
>>> >>> p.spi_size: 04
>>> >>> length: 02
>>> >>> p.spi: 9b03847f
>>> >>>
>>> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>> >>> next_type: 03 (ISAKMP_PAYLOAD_T)
>>> >>> length: 001c
>>> >>> t.number: 01
>>> >>> t.id: 03 (ISAKMP_IPSEC_AH_SHA)
>>> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>>> >>> t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
>>> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
>>> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>>> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>>> >>> t.attributes.u.lots.length: 0004
>>> >>> t.attributes.u.lots.data: 00007080
>>> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>> >>>
>>> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> length: 001c
>>> >>> t.number: 02
>>> >>> t.id: 02 (ISAKMP_IPSEC_AH_MD5)
>>> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_AUTH_HMAC_MD5)
>>> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
>>> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>>> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>>> >>> t.attributes.u.lots.length: 0004
>>> >>> t.attributes.u.lots.data: 00007080
>>> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>> >>>
>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>> >>>
>>> >>> PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>> >>> next_type: 02 (ISAKMP_PAYLOAD_P)
>>> >>> length: 001e
>>> >>> p.number: 01
>>> >>> p.prot_id: 04 (ISAKMP_IPSEC_PROTO_IPCOMP)
>>> >>> p.spi_size: 02
>>> >>> length: 01
>>> >>> p.spi: ed36
>>> >>>
>>> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> length: 0014
>>> >>> t.number: 01
>>> >>> t.id: 03 (ISAKMP_IPSEC_IPCOMP_LZS)
>>> >>> t.attributes.type: 0001
>>> >>> t.attributes.u.attr_16: 0001
>>> >>> t.attributes.type: 0002
>>> >>> t.attributes.u.lots.length: 0004
>>> >>> t.attributes.u.lots.data: 00007080
>>> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>> >>>
>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>> >>>
>>> >>> PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> length: 0044
>>> >>> p.number: 02
>>> >>> p.prot_id: 02 (ISAKMP_IPSEC_PROTO_IPSEC_AH)
>>> >>> p.spi_size: 04
>>> >>> length: 02
>>> >>> p.spi: 9b03847f
>>> >>>
>>> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>> >>> next_type: 03 (ISAKMP_PAYLOAD_T)
>>> >>> length: 001c
>>> >>> t.number: 01
>>> >>> t.id: 03 (ISAKMP_IPSEC_AH_SHA)
>>> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>>> >>> t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
>>> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
>>> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>>> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>>> >>> t.attributes.u.lots.length: 0004
>>> >>> t.attributes.u.lots.data: 00007080
>>> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>> >>>
>>> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> length: 001c
>>> >>> t.number: 02
>>> >>> t.id: 02 (ISAKMP_IPSEC_AH_MD5)
>>> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_AUTH_HMAC_MD5)
>>> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
>>> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>>> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>>> >>> t.attributes.u.lots.length: 0004
>>> >>> t.attributes.u.lots.data: 00007080
>>> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>> >>>
>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>> >>>
>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> DONE PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
>>> >>>
>>> >>> PARSING PAYLOAD type: 0a (ISAKMP_PAYLOAD_NONCE)
>>> >>> next_type: 05 (ISAKMP_PAYLOAD_ID)
>>> >>> length: 0018
>>> >>> ke.data:
>>> >>> 5873111b 8f941d58 2de37c7a 04ccdfde 8d2da65c
>>> >>> DONE PARSING PAYLOAD type: 0a (ISAKMP_PAYLOAD_NONCE)
>>> >>>
>>> >>> PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>>> >>> next_type: 05 (ISAKMP_PAYLOAD_ID)
>>> >>> length: 0010
>>> >>> id.type: 07 (ISAKMP_IPSEC_ID_IPV4_ADDR_RANGE)
>>> >>> id.protocol: 00
>>> >>> id.port: 0000
>>> >>> id.data: 00000000 ffffffff
>>> >>> DONE PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>>> >>>
>>> >>> PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> length: 000c
>>> >>> id.type: 01 (ISAKMP_IPSEC_ID_IPV4_ADDR)
>>> >>> id.protocol: 00
>>> >>> id.port: 0000
>>> >>> id.data: 0a680655
>>> >>> DONE PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>>> >>>
>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> extra data: 0000
>>> >>> PARSE_OK
>>> >>> hashlen: 20
>>> >>> u.hash.length: 20
>>> >>> expected_hash:
>>> >>> 566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
>>> >>> h->u.hash.data:
>>> >>> 566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
>>> >>>
>>> >>> do_phase2: S7.5 QM_packet2 check reject offer
>>> >>> [2008-11-08 14:11:36]
>>> >>>
>>> >>> do_phase2: S7.6 QM_packet2 check and process proposal
>>> >>> [2008-11-08 14:11:36]
>>> >>>
>>> >>>
>>> >>> ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
>>> >>>
>>> >>>
>>> >>> size = 36, blksz = 8, padding = 4
>>> >>>
>>> >>> sending: ========================>
>>> >>> BEGIN_PARSE
>>> >>> Recieved Packet Len: 68
>>> >>> i_cookie: b745ec80 7ac4fa09
>>> >>> r_cookie: 29ff92b7 e2ee6c53
>>> >>> payload: 08 (ISAKMP_PAYLOAD_HASH)
>>> >>> isakmp_version: 10
>>> >>> exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
>>> >>> flags: 01
>>> >>> message_id: 3f450401
>>> >>> len: 00000044
>>> >>>
>>> >>> PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>> >>> next_type: 0b (ISAKMP_PAYLOAD_N)
>>> >>> length: 0018
>>> >>> ke.data:
>>> >>> aa699248 7ba933bd 1ce37ddd 949f9cd2 760493cd
>>> >>> DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>> >>>
>>> >>> PARSING PAYLOAD type: 0b (ISAKMP_PAYLOAD_N)
>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> length: 000c
>>> >>> n.doi: 00000001 (ISAKMP_DOI_IPSEC)
>>> >>> n.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
>>> >>> n.spi_length: 00
>>> >>> n.type: 000f (ISAKMP_N_BAD_PROPOSAL_SYNTAX)
>>> >>> n.spi:
>>> >>> n.data:
>>> >>> DONE PARSING PAYLOAD type: 0b (ISAKMP_PAYLOAD_N)
>>> >>>
>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> extra data: 00000000
>>> >>> PARSE_OK
>>> >>> size = 52, blksz = 8, padding = 4
>>> >>>
>>> >>> sending: ========================>
>>> >>> BEGIN_PARSE
>>> >>> Recieved Packet Len: 84
>>> >>> i_cookie: b745ec80 7ac4fa09
>>> >>> r_cookie: 29ff92b7 e2ee6c53
>>> >>> payload: 08 (ISAKMP_PAYLOAD_HASH)
>>> >>> isakmp_version: 10
>>> >>> exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
>>> >>> flags: 01
>>> >>> message_id: fde60155
>>> >>> len: 00000054
>>> >>>
>>> >>> PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>> >>> next_type: 0c (ISAKMP_PAYLOAD_D)
>>> >>> length: 0018
>>> >>> ke.data:
>>> >>> d166c8c5 752a3207 19efcf7c 222d0ae8 d8891ac1
>>> >>> DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>> >>>
>>> >>> PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> length: 001c
>>> >>> d.doi: 00000001 (ISAKMP_DOI_IPSEC)
>>> >>> d.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
>>> >>> d.spi_length: 10
>>> >>> d.num_spi: 0001
>>> >>> d.spi: b745ec80 7ac4fa09 29ff92b7 e2ee6c53
>>> >>> DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
>>> >>>
>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>> >>> extra data: 00000000
>>> >>> PARSE_OK
>>> >>> ./vpnc: quick mode response rejected [2]:
>>> >>> (ISAKMP_N_BAD_PROPOSAL_SYNTAX)(15)
>>> >>>
>>> >>> Antonio Borneo wrote:
>>> >>>
>>> >>>>
>>> >>>> Hi,
>>> >>>> in attachment a preliminary patch that supports
>>> >>>> a) "User Name and Password Authentication" (from François' patch)
>>> >>>> b) "Group Password Authentication"
>>> >>>> c) "Response Only Token" (default)
>>> >>>> d) "Response Only Token" with split PIN and Token fields
>>> >>>>
>>> >>>> I invite you to test it.
>>> >>>> I have only tested b), since it is the only account I have.
>>> >>>> Case c) is the mode usually supported by vpnc-nortel. I have applied
>>> >>>> the patch I attached before, on which I have received no feedback.
>>> >>>> This is the default mode, for backward compatibility with your old
>>> >>>> config file.
>>> >>>>
>>> >>>> To select one of the different modes, use the command line option
>>> >>>> --nortel-auth-mode
>>> >>>> <username/cert/token/PIN-token/token-SW/gpassword>
>>> >>>> These are the same modes available in Nortel client 6.01 for
>>> >>>> Windows.
>>> >>>> The options "cert" and "token-SW" are not implemented.
>>> >>>> Older Nortel clients implement also "Challenge Response Token". I
>>> >>>> have
>>> >>>> received no feedback if someone is using it. Should it be included?
>>> >>>>
>>> >>>> I'm not really satisfied about the option set. There is overlapping
>>> >>>> with option --auth-mode and, in case of "Challenge Response Token",
>>> >>>> also with --xauth-inter.
>>> >>>> I did not change anything around them, to avoid any code
>>> >>>> corruption
>>> >>>> with the Cisco branch.
>>> >>>> Any suggestion for better integration with Cisco code is welcome.
>>> >>>>
>>> >>>> Best Regards,
>>> >>>> Antonio Borneo
>>> >>>>
>>> >>>> On Mon, Nov 3, 2008 at 11:19 AM, Antonio Borneo
>>> >>>> <borneo.antonio [at] gmail> wrote:
>>> >>>>
>>> >>>>
>>> >>>>>
>>> >>>>> Hi,
>>> >>>>> using info from François and other contributors to this list, I'm
>>> >>>>> going to add in vpnc-nortel the support for:
>>> >>>>> - "User Name and Password Authentication" (from François)
>>> >>>>> - "Group Password Authentication" (currently used by me and
>>> >>>>> François)
>>> >>>>> - add to existing "Response Only Token" the option of separate
>>> >>>>> "PIN"
>>> >>>>> and "Token"
>>> >>>>>
>>> >>>>> Can anyone confirm if the following options are currently working?
>>> >>>>> - "Digital Certificate Authentication"
>>> >>>>> - "Challenge Response Token"
>>> >>>>>
>>> >>>>> I have no access to a "Response Only Token" server, so I need your
>>> >>>>> help to test the attached patch. It should allow better integration
>>> >>>>> with the new authentication modes.
>>> >>>>> It is a small modification to the existing code; should work
>>> >>>>> without
>>> >>>>> any problem.
>>> >>>>>
>>> >>>>> Everyone able to connect to a "Response Only Token" server with
>>> >>>>> vpnc-nortel as it is today in svn, could test the patch.
>>> >>>>> The patch is against vpnc-nortel version 352 but can be applied to
>>> >>>>> older code, doesn't really matter.
>>> >>>>>
>>> >>>>> Thank you.
>>> >>>>> Best Regards
>>> >>>>> Antonio Borneo
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>
>>> >>>
>>> >
>>> >
>>
>
>

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
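The rejection Antonio explains above (the gateway's quick-mode offer carries only AH and IPCOMP proposals while vpnc implements ESP) is where the meaningful error message Mike asks for would belong. The following is an added example, not vpnc's own code: it walks the proposal payloads of an SA offer, groups them by proposal number, and reports what was offered. The first sample byte string is constructed to mirror the quoted trace; the second (an ESP 3DES/MD5 proposal with a made-up SPI) is constructed to show the accepting case.

```c
/* Added example, not vpnc's code: classify an IKEv1 quick-mode SA offer by the
 * IPsec DOI protocol of each proposal, so a client can log "gateway offers only
 * AH and IPCOMP" rather than a bare BAD_PROPOSAL_SYNTAX. Layout: RFC 2408/2407. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PROTO_AH = 2, PROTO_ESP = 3, PROTO_IPCOMP = 4, PAYLOAD_P = 2, MAX_PROP = 8 };
static const char *const proto_name[8] = { "?", "ISAKMP", "AH", "ESP", "IPCOMP", "?", "?", "?" };
struct offer {
    uint8_t mask[MAX_PROP + 1]; /* per proposal number: bit (1 << proto) */
    int highest;                /* highest proposal number seen, 0 = none */
    int malformed;              /* a length field ran past the buffer */
};

/* Walk the proposal chain after the SA payload's DOI and situation. Proposals
 * sharing a number are AND-ed (AH + IPCOMP in the trace); numbers are alternatives. */
struct offer scan_proposals(const uint8_t *buf, size_t len)
{
    struct offer o = { {0}, 0, 0 };
    size_t off = 0;
    int next = PAYLOAD_P;
    while (next == PAYLOAD_P) {
        if (len - off < 8) { o.malformed = 1; break; }
        uint16_t plen = (uint16_t)(buf[off + 2] << 8 | buf[off + 3]);
        uint8_t num = buf[off + 4], proto = buf[off + 5], spi_size = buf[off + 6];
        next = buf[off];
        /* Validate plen before trusting it: must cover header + SPI and fit. */
        if (plen < 8u + spi_size || plen > len - off) { o.malformed = 1; break; }
        if (num >= 1 && num <= MAX_PROP && proto < 8) {
            o.mask[num] |= (uint8_t)(1u << proto);
            if (num > o.highest) o.highest = num;
        }
        off += plen; /* transforms sit inside plen and are skipped here */
    }
    if (off != len) o.malformed = 1; /* truncated or trailing bytes */
    return o;
}

/* >0: first proposal the client could take (ESP alone, with no AH or IPCOMP
 * conjunct it cannot implement); 0: nothing usable; -1: malformed offer. */
int check_offer(const uint8_t *buf, size_t len)
{
    struct offer o = scan_proposals(buf, len);
    if (o.malformed) return -1;
    for (int n = 1; n <= o.highest; n++)
        if (o.mask[n] == (1u << PROTO_ESP)) return n;
    return 0;
}

/* Log-friendly summary such as "#1 AH+IPCOMP, #2 AH" (static buffer). */
const char *offer_summary(const uint8_t *buf, size_t len)
{
    static char msg[160];
    struct offer o = scan_proposals(buf, len);
    size_t used = 0;
    msg[0] = '\0';
    for (int n = 1; n <= o.highest && used < sizeof msg; n++) {
        const char *plus = "";
        used += (size_t)snprintf(msg + used, sizeof msg - used, "%s#%d ", n > 1 ? ", " : "", n);
        for (int p = 1; p < 8 && used < sizeof msg; p++) {
            if (!(o.mask[n] & (1u << p))) continue;
            used += (size_t)snprintf(msg + used, sizeof msg - used, "%s%s", plus, proto_name[p]);
            plus = "+";
        }
    }
    return msg;
}

/* AH transform (28 bytes): auth alg, tunnel encap, lifetime 0x7080 seconds. */
#define AH_XFRM(next, num, tid, alg) \
    next, 0x00, 0x00, 0x1c, num, tid, 0x00, 0x00, 0x80, 0x05, 0x00, alg, 0x80, 0x04, 0x00, 0x01, \
    0x80, 0x01, 0x00, 0x01, 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x70, 0x80

/* Constructed to mirror the quoted trace: #1 AH(SHA, MD5) + IPCOMP(LZS), #2 AH. */
static const uint8_t OFFER_AH_IPCOMP[] = {
    0x02, 0x00, 0x00, 0x44, 0x01, PROTO_AH, 0x04, 0x02, 0x9b, 0x03, 0x84, 0x7f,
    AH_XFRM(0x03, 0x01, 0x03, 0x02), AH_XFRM(0x00, 0x02, 0x02, 0x01),
    0x02, 0x00, 0x00, 0x1e, 0x01, PROTO_IPCOMP, 0x02, 0x01, 0xed, 0x36,
    0x00, 0x00, 0x00, 0x14, 0x01, 0x03, 0x00, 0x00, /* IPCOMP_LZS transform, 20 bytes */
    0x80, 0x01, 0x00, 0x01, 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x70, 0x80,
    0x00, 0x00, 0x00, 0x44, 0x02, PROTO_AH, 0x04, 0x02, 0x9b, 0x03, 0x84, 0x7f,
    AH_XFRM(0x03, 0x01, 0x03, 0x02), AH_XFRM(0x00, 0x02, 0x02, 0x01),
};

/* Constructed, not captured: one ESP_3DES + HMAC-MD5 proposal (made-up SPI). */
static const uint8_t OFFER_ESP_3DES_MD5[] = {
    0x00, 0x00, 0x00, 0x28, 0x01, PROTO_ESP, 0x04, 0x01, 0x11, 0x22, 0x33, 0x44,
    0x00, 0x00, 0x00, 0x1c, 0x01, 0x03, 0x00, 0x00, 0x80, 0x05, 0x00, 0x01, 0x80, 0x04, 0x00, 0x01,
    0x80, 0x01, 0x00, 0x01, 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x70, 0x80,
};

int main(void)
{
    size_t n1 = sizeof OFFER_AH_IPCOMP, n2 = sizeof OFFER_ESP_3DES_MD5;
    printf("%s -> %d\n", offer_summary(OFFER_AH_IPCOMP, n1), check_offer(OFFER_AH_IPCOMP, n1));
    printf("%s -> %d\n", offer_summary(OFFER_ESP_3DES_MD5, n2), check_offer(OFFER_ESP_3DES_MD5, n2));
    return 0;
}
```

Hooked into the quick-mode path, the summary string gives the operator "offered #1 AH+IPCOMP, #2 AH, no ESP" instead of a bare notify code.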


borneo.antonio at gmail

Dec 13, 2008, 6:55 AM

Post #22 of 23 (4944 views)
Permalink
Re: vpnc-nortel with group password authentication [In reply to]

Ciao Mike,
I made several mistakes in my previous mail.
During the weekend I don't drink the minimum amount of coffee to be ... "smart".
Also, configuring the Contivity server is not so intuitive; I didn't
notice there are 2 places to configure.

In "Services"->"IPSEC" your sysadmin can configure a set of encryption
modes supported by the server. In your case he selected:
- ESP - 256-bit AES with SHA1 Integrity
- ESP - 128-bit AES with SHA1 Integrity
- ESP - Triple DES with SHA1 Integrity
- ESP - Triple DES with MD5 Integrity
- AH - Authentication Only (HMAC-SHA1)
- AH - Authentication Only (HMAC-MD5)
Other modes are available, but we do not care; they are not important for you.

Then, in "Profiles"->"Groups"->"Edit"->"IPSEC", he can enable (for each
group) some of the encryption modes within the set activated before.
In your case, your sysadmin enabled only
- ESP - 256-bit AES with SHA1 Integrity: Enabled
- AH - Authentication Only (HMAC-SHA1): Enabled
- AH - Authentication Only (HMAC-MD5): Enabled

I still don't know why AES is not working with vpnc. It should!
Anyway, to make current vpnc working, you have to ask your sysadmin to
enable, in this second menu, one or both of these 2 modes
- ESP - Triple DES with SHA1 Integrity
- ESP - Triple DES with MD5 Integrity
Hope he accepts. Good luck!

It is still true that code for AH and IPCOMP is missing in vpnc. If
someone wants to have fun implementing them, they are welcome.

For AES, I will investigate more.
It seems supported by vpnc and selected in your server, but then the server does
not propose it.
From http://www116.nortel.com/docs/bvdoc/contivity/doc_pdf/311773M00.pdf
page 13, it seems that the Nortel client supports AES from version 4.91. I
have tried to emulate this new version in vpnc, but nothing changed.

Best Regards,
Antonio Borneo

On Sat, Dec 13, 2008 at 5:24 PM, Antonio Borneo
<borneo.antonio [at] gmail> wrote:
> Ciao Mike,
> sorry for taking such a long time to answer your mail.
> I'm very busy with my job, and the kind of test required for your case
> needs a "quiet" day.
>
> On my new "second-hand" Contivity server I set the same configuration
> you report, and I got surprised.
> It seems there is something tricky with ESP.
> If the only ESP I enable has SHA1 integrity, then this goes directly
> as IPCOMP, compressed mode, that vpnc does not support yet.
> If I enable one of the ESP with MD5 integrity mode, then comes out a
> bunch of modes supported by vpnc.
> Looks like SHA1 is used for IPCOMP, and MD5 is used for uncompressed tunnel.
> It is still not fully clear to me.
>
> From your mail, I understand you are really lucky, since your sysadmin
> let you look inside the configuration of the Nortel server.
> You could ask him to enable "ESP - Triple DES with MD5 Integrity".
> This should make vpnc work.
>
> Other possibility, less immediate:
> - implementing AH, or
> - implementing IPCOMP / LZS.
> To my knowledge, nobody is working on them.
>
> Ciao
> Antonio Borneo
>
> On Mon, Nov 24, 2008 at 11:31 PM, Michael Gofman <gofman.mike [at] gmail> wrote:
>>
>> As far as I understood AH stage is during Authentication only.
>> And other people have used it successfully, is that not true?
>>
>> Is ESP 256-bit supported?
>> Is there anything in the trace, that was with the original message, that
>> could help determine that that is what the server was asking for, rather
>> then AH ?
>>
>> Thank you.
>>
>>
>> On Wed, Nov 19, 2008 at 2:23 PM, Michael Gofman <gofman.mike [at] gmail>
>> wrote:
>>>
>>> I checked with the VPN admin and apparently ESP mode is in fact enabled
>>> Here is the list of things that are enabled on the Nortel VPN concentrator
>>> side:
>>>
>>> - ESP - 256-bit AES with SHA1 Integrity: Enabled
>>> - ESP - 128-bit AES with SHA1 Integrity: Disabled
>>> - ESP - Triple DES with SHA1 Integrity: Disabled
>>> - ESP - Triple DES with MD5 Integrity: Disabled
>>> - AH - Authentication Only (HMAC-SHA1): Enabled
>>> - AH - Authentication Only (HMAC-MD5): Enabled
>>>
>>> I'm guessing VPNC does not currently support 256 bit AES is that correct?
>>> I think we should at the very least produce a meaningful error message.
>>> Antonio (or anyone else who's willing to code any of this) , let me know
>>> if you'd like me to provide any traces or wireshark captures.
>>> Thank you.
>>>
>>> On Mon, Nov 10, 2008 at 1:18 AM, Antonio Borneo <borneo.antonio [at] gmail>
>>> wrote:
>>>>
>>>> Hi Mike,
>>>> I dug deeper into the attachment of your previous mail.
>>>> The reason you get "quick mode response rejected" is because your
>>>> server offers only the following IPSEC modes:
>>>> - ISAKMP_IPSEC_PROTO_IPSEC_AH
>>>> - ISAKMP_IPSEC_PROTO_IPCOMP
>>>> while current version of vpnc only supports
>>>> ISAKMP_IPSEC_PROTO_IPSEC_ESP, so vpnc ends up with
>>>> ISAKMP_N_BAD_PROPOSAL_SYNTAX
>>>>
>>>> I'm not an expert on IPSEC, but I expect some coding is required.
>>>> I do not think it's possible to push the server to switch to ESP mode.
>>>>
>>>> Best Regards,
>>>> Antonio Borneo
>>>>
>>>> On Mon, Nov 10, 2008 at 1:54 AM, Mike Gofman <gofman.mike [at] gmail>
>>>> wrote:
>>>> > Hello Antonio.
>>>> > I tried the tags you proposed and basically got the same response.
>>>> > ./vpnc: quick mode response rejected [2]:
>>>> >
>>>> >
>>>> > Does that mean that my VPN connection requires a firewall, or is there
>>>> > something I need to do with my routing tables (got that from CISCO VPNC
>>>> > forum)?
>>>> >
>>>> >
>>>> > Antonio Borneo wrote:
>>>> >>
>>>> >> Ciao Mike,
>>>> >> pay attention to this detail:
>>>> >> when you select username authentication, the couple
>>>> >> "username"-"password" has to be filled in the fields "IPSec
>>>> >> ID"-"IPSec secret". Practically, the handshake uses username/password
>>>> >> in place of group-ID and group-secret.
>>>> >> Try:
>>>> >> sudo ./vpnc --vendor nortel --nortel-auth-mode username
>>>> >> --pfs dh5 --local-port 1001 --debug 3
>>>> >> --gateway mygateway --id testuser
>>>> >> and you will be prompted for the password.
>>>> >>
>>>> >> Best Regards,
>>>> >> Antonio Borneo
>>>> >>
>>>> >> On Sun, Nov 9, 2008 at 3:13 AM, Mike Gofman <gofman.mike [at] gmail>
>>>> >> wrote:
>>>> >>
>>>> >>>
>>>> >>> Woo hoo.
>>>> >>> For the first time I'm getting meaningful error messages:
>>>> >>> After applying the patch and executing vpnc with the following
>>>> >>> parameters:
>>>> >>> sudo ./vpnc --gateway mygateway --nortel-auth-mode username
>>>> >>> --username
>>>> >>> testuser --domain mydomain --vendor nortel --pfs dh5 --local-port
>>>> >>> 1001
>>>> >>> --debug 3
>>>> >>>
>>>> >>> First off if I entered the wrong password I get a
>>>> >>> ./vpnc: hash comparison failed: (ISAKMP_N_AUTHENTICATION_FAILED)(24)
>>>> >>> check group password!
>>>> >>> Which means that it actually got far enough to check my password.
>>>> >>>
>>>> >>> But with the right password I get the following (starting at
>>>> >>> phase2):
>>>> >>>
>>>> >>> S6 do_phase2
>>>> >>> [2008-11-08 14:11:36]
>>>> >>>
>>>> >>>
>>>> >>> receiving: <========================
>>>> >>> [2008-11-08 14:11:36]
>>>> >>> BEGIN_PARSE
>>>> >>> Recieved Packet Len: 284
>>>> >>> i_cookie: b745ec80 7ac4fa09
>>>> >>> r_cookie: 29ff92b7 e2ee6c53
>>>> >>> payload: 08 (ISAKMP_PAYLOAD_HASH)
>>>> >>> isakmp_version: 10
>>>> >>> exchange_type: 20 (ISAKMP_EXCHANGE_IKE_QUICK)
>>>> >>> flags: 01
>>>> >>> message_id: b3edea28
>>>> >>> len: 0000011c
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>>> >>> next_type: 01 (ISAKMP_PAYLOAD_SA)
>>>> >>> length: 0018
>>>> >>> ke.data:
>>>> >>> 566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
>>>> >>> DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
>>>> >>> next_type: 0a (ISAKMP_PAYLOAD_NONCE)
>>>> >>> length: 00b2
>>>> >>> sa.doi: 00000001 (ISAKMP_DOI_IPSEC)
>>>> >>> sa.situation: 00000001 (ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>>> >>> next_type: 02 (ISAKMP_PAYLOAD_P)
>>>> >>> length: 0044
>>>> >>> p.number: 01
>>>> >>> p.prot_id: 02 (ISAKMP_IPSEC_PROTO_IPSEC_AH)
>>>> >>> p.spi_size: 04
>>>> >>> length: 02
>>>> >>> p.spi: 9b03847f
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>> next_type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>> length: 001c
>>>> >>> t.number: 01
>>>> >>> t.id: 03 (ISAKMP_IPSEC_AH_SHA)
>>>> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>>>> >>> t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
>>>> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
>>>> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>>>> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>>>> >>> t.attributes.u.lots.length: 0004
>>>> >>> t.attributes.u.lots.data: 00007080
>>>> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> length: 001c
>>>> >>> t.number: 02
>>>> >>> t.id: 02 (ISAKMP_IPSEC_AH_MD5)
>>>> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_AUTH_HMAC_MD5)
>>>> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
>>>> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>>>> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>>>> >>> t.attributes.u.lots.length: 0004
>>>> >>> t.attributes.u.lots.data: 00007080
>>>> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>>> >>> next_type: 02 (ISAKMP_PAYLOAD_P)
>>>> >>> length: 001e
>>>> >>> p.number: 01
>>>> >>> p.prot_id: 04 (ISAKMP_IPSEC_PROTO_IPCOMP)
>>>> >>> p.spi_size: 02
>>>> >>> length: 01
>>>> >>> p.spi: ed36
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> length: 0014
>>>> >>> t.number: 01
>>>> >>> t.id: 03 (ISAKMP_IPSEC_IPCOMP_LZS)
>>>> >>> t.attributes.type: 0001
>>>> >>> t.attributes.u.attr_16: 0001
>>>> >>> t.attributes.type: 0002
>>>> >>> t.attributes.u.lots.length: 0004
>>>> >>> t.attributes.u.lots.data: 00007080
>>>> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> length: 0044
>>>> >>> p.number: 02
>>>> >>> p.prot_id: 02 (ISAKMP_IPSEC_PROTO_IPSEC_AH)
>>>> >>> p.spi_size: 04
>>>> >>> length: 02
>>>> >>> p.spi: 9b03847f
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>> next_type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>> length: 001c
>>>> >>> t.number: 01
>>>> >>> t.id: 03 (ISAKMP_IPSEC_AH_SHA)
>>>> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>>>> >>> t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
>>>> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
>>>> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>>>> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>>>> >>> t.attributes.u.lots.length: 0004
>>>> >>> t.attributes.u.lots.data: 00007080
>>>> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> length: 001c
>>>> >>> t.number: 02
>>>> >>> t.id: 02 (ISAKMP_IPSEC_AH_MD5)
>>>> >>> t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_AUTH_HMAC_MD5)
>>>> >>> t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_ENCAP_TUNNEL)
>>>> >>> t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>>>> >>> t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>>>> >>> t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>>>> >>> t.attributes.u.lots.length: 0004
>>>> >>> t.attributes.u.lots.data: 00007080
>>>> >>> DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> DONE PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 0a (ISAKMP_PAYLOAD_NONCE)
>>>> >>> next_type: 05 (ISAKMP_PAYLOAD_ID)
>>>> >>> length: 0018
>>>> >>> ke.data:
>>>> >>> 5873111b 8f941d58 2de37c7a 04ccdfde 8d2da65c
>>>> >>> DONE PARSING PAYLOAD type: 0a (ISAKMP_PAYLOAD_NONCE)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>>>> >>> next_type: 05 (ISAKMP_PAYLOAD_ID)
>>>> >>> length: 0010
>>>> >>> id.type: 07 (ISAKMP_IPSEC_ID_IPV4_ADDR_RANGE)
>>>> >>> id.protocol: 00
>>>> >>> id.port: 0000
>>>> >>> id.data: 00000000 ffffffff
>>>> >>> DONE PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> length: 000c
>>>> >>> id.type: 01 (ISAKMP_IPSEC_ID_IPV4_ADDR)
>>>> >>> id.protocol: 00
>>>> >>> id.port: 0000
>>>> >>> id.data: 0a680655
>>>> >>> DONE PARSING PAYLOAD type: 05 (ISAKMP_PAYLOAD_ID)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> extra data: 0000
>>>> >>> PARSE_OK
>>>> >>> hashlen: 20
>>>> >>> u.hash.length: 20
>>>> >>> expected_hash:
>>>> >>> 566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
>>>> >>> h->u.hash.data:
>>>> >>> 566765c5 5a21fee4 14d6f4c7 379d0e78 65f524c0
>>>> >>>
>>>> >>> do_phase2: S7.5 QM_packet2 check reject offer
>>>> >>> [2008-11-08 14:11:36]
>>>> >>>
>>>> >>> do_phase2: S7.6 QM_packet2 check and process proposal
>>>> >>> [2008-11-08 14:11:36]
>>>> >>>
>>>> >>>
>>>> >>> ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
>>>> >>>
>>>> >>>
>>>> >>> size = 36, blksz = 8, padding = 4
>>>> >>>
>>>> >>> sending: ========================>
>>>> >>> BEGIN_PARSE
>>>> >>> Recieved Packet Len: 68
>>>> >>> i_cookie: b745ec80 7ac4fa09
>>>> >>> r_cookie: 29ff92b7 e2ee6c53
>>>> >>> payload: 08 (ISAKMP_PAYLOAD_HASH)
>>>> >>> isakmp_version: 10
>>>> >>> exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
>>>> >>> flags: 01
>>>> >>> message_id: 3f450401
>>>> >>> len: 00000044
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>>> >>> next_type: 0b (ISAKMP_PAYLOAD_N)
>>>> >>> length: 0018
>>>> >>> ke.data:
>>>> >>> aa699248 7ba933bd 1ce37ddd 949f9cd2 760493cd
>>>> >>> DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 0b (ISAKMP_PAYLOAD_N)
>>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> length: 000c
>>>> >>> n.doi: 00000001 (ISAKMP_DOI_IPSEC)
>>>> >>> n.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
>>>> >>> n.spi_length: 00
>>>> >>> n.type: 000f (ISAKMP_N_BAD_PROPOSAL_SYNTAX)
>>>> >>> n.spi:
>>>> >>> n.data:
>>>> >>> DONE PARSING PAYLOAD type: 0b (ISAKMP_PAYLOAD_N)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> extra data: 00000000
>>>> >>> PARSE_OK
>>>> >>> size = 52, blksz = 8, padding = 4
>>>> >>>
>>>> >>> sending: ========================>
>>>> >>> BEGIN_PARSE
>>>> >>> Recieved Packet Len: 84
>>>> >>> i_cookie: b745ec80 7ac4fa09
>>>> >>> r_cookie: 29ff92b7 e2ee6c53
>>>> >>> payload: 08 (ISAKMP_PAYLOAD_HASH)
>>>> >>> isakmp_version: 10
>>>> >>> exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
>>>> >>> flags: 01
>>>> >>> message_id: fde60155
>>>> >>> len: 00000054
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>>> >>> next_type: 0c (ISAKMP_PAYLOAD_D)
>>>> >>> length: 0018
>>>> >>> ke.data:
>>>> >>> d166c8c5 752a3207 19efcf7c 222d0ae8 d8891ac1
>>>> >>> DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
>>>> >>> next_type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> length: 001c
>>>> >>> d.doi: 00000001 (ISAKMP_DOI_IPSEC)
>>>> >>> d.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
>>>> >>> d.spi_length: 10
>>>> >>> d.num_spi: 0001
>>>> >>> d.spi: b745ec80 7ac4fa09 29ff92b7 e2ee6c53
>>>> >>> DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
>>>> >>>
>>>> >>> PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
>>>> >>> extra data: 00000000
>>>> >>> PARSE_OK
>>>> >>> ./vpnc: quick mode response rejected [2]:
>>>> >>> (ISAKMP_N_BAD_PROPOSAL_SYNTAX)(15)
>>>> >>>
>>>> >>> Antonio Borneo wrote:
>>>> >>>
>>>> >>>>
>>>> >>>> Hi,
>>>> >>>> in attachment a preliminary patch that supports
>>>> >>>> a) "User Name and Password Authentication" (from François' patch)
>>>> >>>> b) "Group Password Authentication"
>>>> >>>> c) "Response Only Token" (default)
>>>> >>>> d) "Response Only Token" with split PIN and Token fields
>>>> >>>>
>>>> >>>> I invite you to test it.
>>>> >>>> I have only tested b), since it is the only account I have.
>>>> >>>> Case c) is the mode usually supported by vpnc-nortel. I have applied
>>>> >>>> the patch I attached before, on which I have received no feedback.
>>>> >>>> This is the default mode, for backward compatibility with your old
>>>> >>>> config file.
>>>> >>>>
>>>> >>>> To select one of the different modes, use the command line option
>>>> >>>> --nortel-auth-mode
>>>> >>>> <username/cert/token/PIN-token/token-SW/gpassword>
>>>> >>>> These are the same modes available in Nortel client 6.01 for
>>>> >>>> Windows.
>>>> >>>> The options "cert" and "token-SW" are not implemented.
>>>> >>>> Older Nortel clients also implement "Challenge Response Token". I
>>>> >>>> have received no feedback if someone is using it. Should it be included?
>>>> >>>>
>>>> >>>> I'm not really satisfied about the option set. There is overlapping
>>>> >>>> with option --auth-mode and, in case of "Challenge Response Token",
>>>> >>>> also with --xauth-inter.
>>>> >>>> I did not change anything around them, to avoid any code
>>>> >>>> corruption with the Cisco branch.
>>>> >>>> Any suggestion for better integration with Cisco code is welcome.
>>>> >>>>
>>>> >>>> Best Regards,
>>>> >>>> Antonio Borneo
>>>> >>>>
>>>> >>>> On Mon, Nov 3, 2008 at 11:19 AM, Antonio Borneo
>>>> >>>> <borneo.antonio [at] gmail> wrote:
>>>> >>>>
>>>> >>>>
>>>> >>>>>
>>>> >>>>> Hi,
>>>> >>>>> using info from François and other contributors to this list, I'm
>>>> >>>>> going to add in vpnc-nortel the support for:
>>>> >>>>> - "User Name and Password Authentication" (from François)
>>>> >>>>> - "Group Password Authentication" (currently used by me and
>>>> >>>>> François)
>>>> >>>>> - add to existing "Response Only Token" the option of separate
>>>> >>>>> "PIN"
>>>> >>>>> and "Token"
>>>> >>>>>
>>>> >>>>> Anyone can confirm if the following options are currently working?
>>>> >>>>> - "Digital Certificate Authentication"
>>>> >>>>> - "Challenge Response Token"
>>>> >>>>>
>>>> >>>>> I have no access to a "Response Only Token" server, so I need your
>>>> >>>>> help to test the attached patch. It should allow better integration
>>>> >>>>> with the new authentication modes.
>>>> >>>>> It is a small modification to the existing code; should work
>>>> >>>>> without
>>>> >>>>> any problem.
>>>> >>>>>
>>>> >>>>> Everyone able to connect to a "Response Only Token" server with
>>>> >>>>> vpnc-nortel as it is today in svn, could test the patch.
>>>> >>>>> The patch is against vpnc-nortel version 352 but can be applied to
>>>> >>>>> older code, doesn't really matter.
>>>> >>>>>
>>>> >>>>> Thank you.
>>>> >>>>> Best Regards
>>>> >>>>> Antonio Borneo
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> ------------------------------------------------------------------------
>>>> >>>>>
>>>> >>>>> _______________________________________________
>>>> >>>>> vpnc-devel mailing list
>>>> >>>>> vpnc-devel [at] unix-ag
>>>> >>>>> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
>>>> >>>>> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>>>> >>>>>
>>>> >>>



borneo.antonio at gmail

Dec 14, 2008, 4:45 AM

Post #23 of 23 (4956 views)
Re: vpnc-nortel with group password authentication [In reply to]

Update on ESP with AES.

- ESP - 128-bit AES with SHA1 Integrity
works with current vpnc-nortel. No modification is required

- ESP - 256-bit AES with SHA1 Integrity
the configuration menu of Nortel server reports a text beside this
option: "Only valid with User Groups".
I then expect 256bit AES does not work with "User Name and Password
Authentication". But I didn't find more info.
This could be the reason why I'm unable to make it work. My
server is now set for "User Name and Password Authentication".

Mike,
if I remember well, you are using "User Name and Password
Authentication" too. Is it true?
In this case, it seems that the option selected by your sysadmin (256bit
AES) is ignored.
Try to convince him to select another one.

For what concerns me, I cannot go ahead with the tests. To enable
"group Authentication" in my Nortel server I have to use an external
Radius server. I don't plan to start playing with a Radius server
before mid January.

Best Regards,
Antonio Borneo

On Sat, Dec 13, 2008 at 10:55 PM, Antonio Borneo
<borneo.antonio [at] gmail> wrote:
> Ciao Mike,
> I made several mistakes in my previous mail.
> During weekend I don't drink the minimum amount of coffee to be ... "smart".
> Also, configuring Contivity server is not so intuitive; I didn't
> notice there are 2 places to configure.
>
> In "Services"->"IPSEC" your sysadmin can configure a set of encryption
> modes supported by the server. In your case he selected:
> - ESP - 256-bit AES with SHA1 Integrity
> - ESP - 128-bit AES with SHA1 Integrity
> - ESP - Triple DES with SHA1 Integrity
> - ESP - Triple DES with MD5 Integrity
> - AH - Authentication Only (HMAC-SHA1)
> - AH - Authentication Only (HMAC-MD5)
> Other modes are available, but we do not care; they are not important for you.
>
> Then, in "Profiles"->"Groups"->"Edit"->"IPSEC", he can enable (for each
> group) some of the encryption mode within the set activated before.
> In your case, your sysadmin enabled only
> - ESP - 256-bit AES with SHA1 Integrity: Enabled
> - AH - Authentication Only (HMAC-SHA1): Enabled
> - AH - Authentication Only (HMAC-MD5): Enabled
>
> I still don't know why AES is not working with vpnc. It should!
> Anyway, to make current vpnc working, you have to ask your sysadmin to
> enable, in this second menu, one or both of these 2 modes
> - ESP - Triple DES with SHA1 Integrity
> - ESP - Triple DES with MD5 Integrity
> Hope he accepts. Good luck!
>
> It is still true that code for AH and IPCOMP is missing in vpnc. If
> someone wants to have fun implementing them, they are welcome.
>
> For AES, I will investigate more.
> Seems supported by vpnc, selected in your server, but then server does
> not propose it.
> From http://www116.nortel.com/docs/bvdoc/contivity/doc_pdf/311773M00.pdf
> page 13, it seems that the Nortel client supports AES from version 4.91. I
> have tried to emulate this new version in vpnc, but nothing changed.
>
> Best Regards,
> Antonio Borneo
>
> On Sat, Dec 13, 2008 at 5:24 PM, Antonio Borneo
> <borneo.antonio [at] gmail> wrote:
>> Ciao Mike,
>> sorry for taking so long to answer your mail.
>> I'm very busy with my job, and the kind of test required for your case
>> needs a "quiet" day.
>>
>> On my new "second-hand" Contivity server I set the same configuration
>> you report, and I got surprised.
>> It seems there is something tricky with ESP.
>> If the only ESP I enable has SHA1 integrity, then this goes directly
>> as IPCOMP, compressed mode, that vpnc does not support yet.
>> If I enable one of the ESP with MD5 integrity mode, then a
>> bunch of modes supported by vpnc comes out.
>> Looks like SHA1 is used for IPCOMP, and MD5 is used for uncompressed tunnel.
>> It is still not fully clear to me.
>>
>> From your mail, I understand you are really lucky, since your sysadmin
>> let you look inside the configuration of Nortel server.
>> You could ask him to enable "ESP - Triple DES with MD5 Integrity".
>> This should make vpnc working.
>>
>> Other possibility, less immediate:
>> - implementing AH, or
>> - implementing IPCOMP / LZS.
>> To my knowledge, nobody is working on them.
>>
>> Ciao
>> Antonio Borneo
>>
>> On Mon, Nov 24, 2008 at 11:31 PM, Michael Gofman <gofman.mike [at] gmail> wrote:
>>>
>>> As far as I understood AH stage is during Authentication only.
>>> And other people have used it successfully, is that not true?
>>>
>>> Is ESP 256-bit supported?
>>> Is there anything in the trace, that was with the original message, that
>>> could help determine that that is what the server was asking for, rather
>>> than AH ?
>>>
>>> Thank you.
>>>
>>>
>>> On Wed, Nov 19, 2008 at 2:23 PM, Michael Gofman <gofman.mike [at] gmail>
>>> wrote:
>>>>
>>>> I checked with the VPN admin and apparently ESP mode is in fact enabled
>>>> Here is the list of things that are enabled on the Nortel VPN concentrator
>>>> side:
>>>>
>>>> - ESP - 256-bit AES with SHA1 Integrity: Enabled
>>>> - ESP - 128-bit AES with SHA1 Integrity: Disabled
>>>> - ESP - Triple DES with SHA1 Integrity: Disabled
>>>> - ESP - Triple DES with MD5 Integrity: Disabled
>>>> - AH - Authentication Only (HMAC-SHA1): Enabled
>>>> - AH - Authentication Only (HMAC-MD5): Enabled
>>>>
>>>> I'm guessing VPNC does not currently support 256 bit AES is that correct?
>>>> I think we should at the very least produce a meaningful error message.
>>>> Antonio (or anyone else who's willing to code any of this), let me know
>>>> if you'd like me to provide any traces or wireshark captures.
>>>> Thank you.
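The trace quoted earlier in this thread ends with the server answering the quick mode proposal with an INFORMATIONAL exchange carrying a HASH and an N payload (ISAKMP_N_BAD_PROPOSAL_SYNTAX, type 0x000f), followed by a second INFORMATIONAL message whose D payload deletes the ISAKMP SA. The following is an added example, not code from vpnc or from anyone in this thread: a small C decoder for those two messages. The packet bytes are constructed here from the fields printed in the trace (cookies, exchange type, message ids, lengths, notify type, SPI), in the decrypted form vpnc logs them; the hash bytes are copied from the trace, not recomputed, and the notify-name table covers only a few RFC 2408 codes. The point a debugger wants from such a tool is the same one vpnc's own parser must get right: every length field is checked against the buffer before it is used, so a truncated or inconsistent packet yields an error rather than a read past the end.

```c
/* Added example (not vpnc code): decode the two ISAKMP INFORMATIONAL
 * messages from the trace. Packets are constructed from the logged fields;
 * hash bytes are copied from the trace and are not recomputed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PL_NONE = 0, PL_HASH = 8, PL_N = 11, PL_D = 12 };       /* RFC 2408 3.1 */
enum { EXCH_INFORMATIONAL = 5 };
enum { N_NO_PROPOSAL_CHOSEN = 14, N_BAD_PROPOSAL_SYNTAX = 15,   /* RFC 2408 3.14.1 */
       N_PAYLOAD_MALFORMED = 16, N_AUTHENTICATION_FAILED = 24 };
#define ISAKMP_HDR_LEN 28

struct isakmp_info {
    uint8_t  exchange_type;
    uint32_t message_id;
    int      notify_type;   /* -1 when no N payload is present */
    uint16_t deleted_spis;  /* SPI count from a D payload, 0 if none */
    size_t   extra;         /* bytes after the last payload (cipher padding) */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

const char *notify_name(int t)
{
    switch (t) {
    case N_NO_PROPOSAL_CHOSEN:    return "ISAKMP_N_NO_PROPOSAL_CHOSEN";
    case N_BAD_PROPOSAL_SYNTAX:   return "ISAKMP_N_BAD_PROPOSAL_SYNTAX";
    case N_PAYLOAD_MALFORMED:     return "ISAKMP_N_PAYLOAD_MALFORMED";
    case N_AUTHENTICATION_FAILED: return "ISAKMP_N_AUTHENTICATION_FAILED";
    default:                      return "UNKNOWN";
    }
}

/* Walk the payload chain. Every length is checked against the buffer before
 * use, so a truncated or inconsistent packet returns -1. Returns 0 on success. */
int parse_isakmp(const uint8_t *pkt, size_t len, struct isakmp_info *out)
{
    memset(out, 0, sizeof *out);
    out->notify_type = -1;
    if (len < ISAKMP_HDR_LEN) return -1;
    uint32_t total = rd32(pkt + 24);                 /* header length field */
    if (total < ISAKMP_HDR_LEN || total > len) return -1;
    out->exchange_type = pkt[18];
    out->message_id = rd32(pkt + 20);
    uint8_t next = pkt[16];                          /* first payload type */
    size_t off = ISAKMP_HDR_LEN;
    while (next != PL_NONE) {
        if (off + 4 > total) return -1;              /* generic payload header */
        uint8_t type = next;
        next = pkt[off];
        uint16_t plen = rd16(pkt + off + 2);
        if (plen < 4 || off + plen > total) return -1;
        const uint8_t *body = pkt + off + 4;
        size_t blen = plen - 4;
        if (type == PL_N || type == PL_D) {
            /* DOI(4) proto(1) spi_size(1) then notify type or SPI count(2) */
            if (blen < 8) return -1;
            uint8_t spi_size = body[5];
            uint16_t v = rd16(body + 6);
            if (type == PL_N) {
                if ((size_t)spi_size > blen - 8) return -1;
                out->notify_type = v;
            } else {
                if ((size_t)spi_size * v > blen - 8) return -1;
                out->deleted_spis = v;
            }
        }
        off += plen;
    }
    out->extra = total - off;
    return 0;
}

/* Scalar helpers: notify type, or -2 if the packet does not parse. */
int notify_type_of(const uint8_t *pkt, size_t len) {
    struct isakmp_info i;
    return parse_isakmp(pkt, len, &i) == 0 ? i.notify_type : -2;
}
int deleted_spis_of(const uint8_t *pkt, size_t len) {
    struct isakmp_info i;
    return parse_isakmp(pkt, len, &i) == 0 ? (int)i.deleted_spis : -1;
}

/* Constructed from the trace: HASH + N(BAD_PROPOSAL_SYNTAX), 64 bytes + 4 padding. */
const uint8_t PKT_REJECT[68] = {
    0xb7,0x45,0xec,0x80,0x7a,0xc4,0xfa,0x09, 0x29,0xff,0x92,0xb7,0xe2,0xee,0x6c,0x53,
    0x08,0x10,0x05,0x01, 0x3f,0x45,0x04,0x01, 0x00,0x00,0x00,0x44,
    0x0b,0x00,0x00,0x18,                                   /* HASH, next = N */
    0xaa,0x69,0x92,0x48,0x7b,0xa9,0x33,0xbd,0x1c,0xe3,0x7d,0xdd,0x94,0x9f,0x9c,0xd2,0x76,0x04,0x93,0xcd,
    0x00,0x00,0x00,0x0c, 0x00,0x00,0x00,0x01, 0x01,0x00, 0x00,0x0f,  /* N: DOI, proto, spi 0, type 15 */
    0x00,0x00,0x00,0x00 };
/* Constructed from the trace: HASH + D deleting the ISAKMP SA (SPI = both cookies). */
const uint8_t PKT_DELETE[84] = {
    0xb7,0x45,0xec,0x80,0x7a,0xc4,0xfa,0x09, 0x29,0xff,0x92,0xb7,0xe2,0xee,0x6c,0x53,
    0x08,0x10,0x05,0x01, 0xfd,0xe6,0x01,0x55, 0x00,0x00,0x00,0x54,
    0x0c,0x00,0x00,0x18,                                   /* HASH, next = D */
    0xd1,0x66,0xc8,0xc5,0x75,0x2a,0x32,0x07,0x19,0xef,0xcf,0x7c,0x22,0x2d,0x0a,0xe8,0xd8,0x89,0x1a,0xc1,
    0x00,0x00,0x00,0x1c, 0x00,0x00,0x00,0x01, 0x01,0x10, 0x00,0x01,  /* D: spi_size 16, 1 SPI */
    0xb7,0x45,0xec,0x80,0x7a,0xc4,0xfa,0x09, 0x29,0xff,0x92,0xb7,0xe2,0xee,0x6c,0x53,
    0x00,0x00,0x00,0x00 };

int main(void)
{
    struct isakmp_info info;
    if (parse_isakmp(PKT_REJECT, sizeof PKT_REJECT, &info) == 0 && info.notify_type >= 0)
        printf("quick mode response rejected: (%s)(%d)\n",
               notify_name(info.notify_type), info.notify_type);
    if (parse_isakmp(PKT_DELETE, sizeof PKT_DELETE, &info) == 0 && info.deleted_spis)
        printf("peer deleted %u ISAKMP SA(s), message id %08x\n",
               info.deleted_spis, info.message_id);
    return 0;
}
```

Run as is, it reproduces the two facts the trace states: the proposal was rejected with ISAKMP_N_BAD_PROPOSAL_SYNTAX (15), and the peer then tore down the phase 1 SA, which is why vpnc cannot simply retry quick mode afterwards. Feeding the same decoder a packet whose header length exceeds the bytes actually received makes it fail cleanly instead of reading past the buffer.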
