
Mailing List Archive: vpnc: devel

vpnc with nortel contivity - patch included



seife at suse

Jan 8, 2009, 8:24 AM

Post #1 of 5 (2477 views)
vpnc with nortel contivity - patch included

Hi,

I used the nortel branch from SVN together with the patch from this mail:
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2008-November/002683.html

So far in my short tests, it is working fine (I am waiting for long-term
test results from my colleagues).

However, we have a split-tunnel setup, which is not (yet) handled at all by
vpnc. It was pretty easy to see from the debug log that the attribute 0x4000
was announcing the different network/netmask pairs, so I hacked it into the
ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC-code which, from a first quick look,
seemed to implement something similar.

I am not claiming this code is the best or even the correct way to
implement this, it was just the fastest possible hack for the issue.

Patch is attached.
Handle with care, since I clearly do not know what I am doing here ;-)

Have a lot of fun,

Stefan
--
Stefan Seyfried
R&D Team Mobile Devices | "Any ideas, John?"
SUSE LINUX Products GmbH, Nürnberg | "Well, surrounding them's out."

This footer brought to you by insane German lawmakers:
SUSE Linux Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
Attachments: vpnc-nortel-attributes.diff (2.39 KB)


borneo.antonio at gmail

Jan 14, 2009, 8:22 PM

Post #2 of 5 (2320 views)
Re: vpnc with nortel contivity - patch included [In reply to]

Hi Stefan,
thanks for testing my patch. Could you please report which
configuration you are using and testing for the "Nortel Auth Mode"
parameter?

I still had no time to try your patch with my Nortel server (need to
enable split network, maybe during next week-end), but from a quick
check your code seems correct.

Best Regards,
Antonio Borneo


2009/1/9 Stefan Seyfried <seife [at] suse>:
> Hi,
>
> I used the nortel branch from SVN together with the patch from this mail:
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2008-November/002683.html
>
> So far in my short tests, it is working fine (I am waiting for long-term
> test results from my colleagues).
>
> However, we have a split-tunnel setup, which is not (yet) handled at all by
> vpnc. It was pretty easy to see from the debug log that the attribute 0x4000
> was announcing the different network/netmask pairs, so I hacked it into the
> ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC-code which, from a first quick look,
> seemed to implement something similar.
>
> I am not claiming this code is the best or even the correct way to
> implement this, it was just the fastest possible hack for the issue.
>
> Patch is attached.
> Handle with care, since I clearly do not know what I am doing here ;-)
>
> Have a lot of fun,
>
> Stefan
> --
> Stefan Seyfried
> R&D Team Mobile Devices | "Any ideas, John?"
> SUSE LINUX Products GmbH, Nürnberg | "Well, surrounding them's out."
>
> This footer brought to you by insane German lawmakers:
> SUSE Linux Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
>
> _______________________________________________
> vpnc-devel mailing list
> vpnc-devel [at] unix-ag
> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
>

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


seife at suse

Jan 15, 2009, 5:06 AM

Post #3 of 5 (2327 views)
Re: vpnc with nortel contivity - patch included [In reply to]

Antonio Borneo wrote:
> Hi Stefan,
> thanks for testing my patch. Could you please report which
> configuration you are using and testing for the "Nortel Auth Mode"
> parameter?

My config is like this:

IPSec gateway my.gate.way
IPSec ID mygroupid
IPSec secret mygrouppasswd
Xauth username seife
Vendor nortel
IKE Authmode psk
Nortel Auth Mode gpassword

> I still had no time to try your patch with my Nortel server (need to
> enable split network, maybe during next week-end), but from a quick
> check your code seems correct.

I was not sure if it is ok to abuse the cisco-acl data structures, but it was
pretty easy to hack in as it is, and I did not have to hack vpn-script, which
was an added bonus :-)

If needed, I can also provide debug logs / hexdumps. We have a setup with 6
tunneled networks here, but no default route into the tunnel.

Thanks,
--
Stefan Seyfried
R&D Team Mobile Devices | "Any ideas, John?"
SUSE LINUX Products GmbH, Nürnberg | "Well, surrounding them's out."

This footer brought to you by insane German lawmakers:
SUSE Linux Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)


borneo.antonio at gmail

Jan 16, 2009, 6:06 AM

Post #4 of 5 (2321 views)
Re: vpnc with nortel contivity - patch included [In reply to]

Hi Stefan,

> I was not sure if it is ok to abuse the cisco-acl data structures, but it was
> pretty easy to hack in as it is, and I did not have to hack vpn-script, which
> was an added bonus :-)
maybe I should leave Joerg or Maurice to comment on this... anyway...
today's Nortel branch reuses plenty of code and data structures
originally there for Cisco;
also, one of the worst parts of the code is the lack of integration between
Nortel and Cisco "phase 2".
So, at least from my point of view, your way of reusing existing code is welcome.

> If needed, I can also provide debug logs / hexdumps. We have a setup with 6
> tunneled networks here, but no default route into the tunnel.
Thank you. I will let you know. I just want to check if the Nortel server
has additional features, around split network, that your patch still
does not contemplate.

Best Regards,
Antonio Borneo


borneo.antonio at gmail

Jan 23, 2009, 5:45 AM

Post #5 of 5 (2260 views)
Re: vpnc with nortel contivity - patch included [In reply to]

Hi Stefan, all,

today I spent some time on the split tunnel for Nortel.
Stefan's patch covers only one of the three possible split modes, the
most useful one.
For the other two modes I have just added a few lines to Stefan's patch,
to detect them and print a warning message. The new patch is attached.

Below is a wider explanation of what I've found; I hope it could be useful
to someone who gets the warning message, and needs and wants to fix
vpnc. His working client-server configuration would be a solid test
environment. I would be glad to support him.

Joerg,
in the mean time, the attached modified Stefan's patch could be
committed to Nortel branch.

The mentioned additional info:
In the configuration screen of the Nortel server there are 3 fields
related to split network:
[1] "Split Tunneling",
[2] "Split Tunnel Networks",
[3] "Inverse Split Tunnel Networks".
The field [1] can take one of the following values: "Disabled",
"Enabled", "Enabled - Inverse", "Enabled - Inverse (locally
connected)".
The other two fields have to be filled with a "network" name, that
corresponds to a list of (IP, MASK) pairs.

Usually split tunnel is considered a potential security hole, and few
sysadmins enable it. vpnc-nortel branch already supports the (trivial)
case "Split Tunneling: Disabled".
What Stefan's patch covers is the case "Split Tunneling: Enabled". I
confirm his patch fully covers this case.
The other two cases require some modification in vpnc's scripts.

My understanding is that with "Split Tunneling: Enabled" the client
receives info about the "network" that is behind the tunnel (from
above field [2]), so configures the routing table to access such
network through the IPSEC tunnel, while all the rest of the IP space
is routed locally.
With "Split Tunneling: Enabled - Inverse" the situation is reversed;
the client receives info about "his (?!?) local network" (from above
field [3]) and routes such network locally, while the rest of the IP
space is routed through the IPSEC tunnel. Current vpnc's scripts
(heritage of Cisco branch) don't support this kind of arrangement.

I do not understand what "Split Tunneling: Enabled - Inverse (locally
connected)" does.
With Google I only found a document from Nortel.
http://www116.nortel.com/docs/bvdoc/contivity/release_notes/311773-P_00.pdf
It explains the new features of the client V6_01, but doesn't help at all!
I have also tested a few versions of the client, but didn't catch the
meaning of this mode.
It looks similar to "Split Tunneling: Disabled" with a special routing
entry to remotely access the server's configuration IP.

Dumping with vpnc the communication, I have found that both (and only)
"Split Tunneling: Enabled - Inverse" and "Split Tunneling: Enabled -
Inverse (locally connected)" use the field
ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INV to provide information about
the "network" (ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INC is not used
anymore), and the field ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INV_MODE to
provide value:
- 0x0002 for "Split Tunneling: Enabled - Inverse"
- 0x0003 for "Split Tunneling: Enabled - Inverse (locally connected)"

Best Regards,
Antonio Borneo
Attachments: patch_split.txt (2.21 KB)
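As an added example (not code from this thread, from Stefan's or Antonio's patches, or from vpnc itself), here is a small C model of how the three split modes Antonio describes turn into a per-destination routing decision. It assumes each network list is a sequence of (IP, MASK) pairs of 4+4 bytes in network order, keeps 0x4000 for the "split include" attribute Stefan saw in his debug log, and uses placeholder numbers for ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INV and ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INV_MODE, whose numeric values the thread does not give. It also rejects malformed lists instead of trusting the gateway's length field, which is the check a client wants before feeding peer-supplied networks to vpn-script; the sample attribute lists are constructed, not captures from a real Contivity.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* 0x4000 is the attribute Stefan saw carrying the split-include nets; the other
 * two numbers are placeholders (assumption), the thread names only identifiers. */
#define NORTEL_SPLIT_INC      0x4000
#define NORTEL_SPLIT_INV      0x4001  /* assumed placeholder */
#define NORTEL_SPLIT_INV_MODE 0x4002  /* assumed placeholder */
#define MAX_NETS 16

enum split_mode { SPLIT_DISABLED, SPLIT_ENABLED, SPLIT_INVERSE,
                  SPLIT_INVERSE_LOCAL, SPLIT_UNKNOWN };

struct modecfg_attr { uint16_t type; const uint8_t *data; size_t len; };
struct split_net    { uint32_t net, mask; };
struct split_policy { enum split_mode mode; struct split_net nets[MAX_NETS]; size_t n; };

/* (IP, MASK) pairs, 4+4 bytes each in network order (assumed layout).  Reject
 * malformed lists instead of trusting the gateway's length field. */
static int parse_nets(const uint8_t *p, size_t len, struct split_policy *pol)
{
    if (len == 0 || len % 8) return -1;                 /* truncated list */
    for (size_t i = 0; i < len; i += 8) {
        uint32_t net, mask;
        if (pol->n >= MAX_NETS) return -1;              /* table would overflow */
        memcpy(&net, p + i, 4);  memcpy(&mask, p + i + 4, 4);
        net = ntohl(net);  mask = ntohl(mask);
        if (~mask & (~mask + 1u)) return -1;            /* non-contiguous mask */
        if (net & ~mask) return -1;                     /* host bits set */
        pol->nets[pol->n].net = net;  pol->nets[pol->n].mask = mask;  pol->n++;
    }
    return 0;
}

/* Reduce one MODECFG reply's split attributes to a policy; -1 if malformed. */
int apply_split_attrs(const struct modecfg_attr *a, size_t n, struct split_policy *pol)
{
    int inc = 0, inv = 0, mode = -1;
    memset(pol, 0, sizeof *pol);
    for (size_t i = 0; i < n; i++) {
        if (a[i].type == NORTEL_SPLIT_INC || a[i].type == NORTEL_SPLIT_INV) {
            if (parse_nets(a[i].data, a[i].len, pol) < 0) return -1;
            if (a[i].type == NORTEL_SPLIT_INC) inc = 1; else inv = 1;
        } else if (a[i].type == NORTEL_SPLIT_INV_MODE) {
            if (a[i].len != 2) return -1;
            mode = (a[i].data[0] << 8) | a[i].data[1];
        }                                               /* other attrs: ignore */
    }
    if (!inc && !inv && mode < 0)           pol->mode = SPLIT_DISABLED;
    else if (inc && !inv && mode < 0)       pol->mode = SPLIT_ENABLED;  /* Stefan's case */
    else if (inv && !inc && mode == 0x0002) pol->mode = SPLIT_INVERSE;
    else if (inv && !inc && mode == 0x0003) pol->mode = SPLIT_INVERSE_LOCAL;
    else                                    pol->mode = SPLIT_UNKNOWN;
    return 0;
}

/* 1 = route via tunnel, 0 = route locally, -1 = a mode vpnc's scripts cannot
 * express (the cases Antonio's patch only warns about); the caller must warn. */
int route_is_tunneled(const struct split_policy *pol, const char *dotted)
{
    struct in_addr a;
    int hit = 0;
    if (inet_pton(AF_INET, dotted, &a) != 1) return -1;
    uint32_t ip = ntohl(a.s_addr);
    for (size_t i = 0; i < pol->n; i++)
        if ((ip & pol->nets[i].mask) == pol->nets[i].net) hit = 1;
    switch (pol->mode) {
    case SPLIT_DISABLED: return 1;
    case SPLIT_ENABLED:  return hit;        /* only listed nets via tunnel */
    case SPLIT_INVERSE:  return !hit;       /* listed nets stay local */
    default:             return -1;
    }
}

/* Constructed samples (not captures from a real Contivity). */
static const uint8_t inc_nets[] = { 10,1,0,0, 255,255,0,0,  192,168,5,0, 255,255,255,0 };
static const uint8_t inv_nets[] = { 10,0,0,0, 255,0,0,0 };
static const uint8_t m_inv[] = { 0x00, 0x02 }, m_inv_local[] = { 0x00, 0x03 };
static const uint8_t bad_nets[] = { 10,1,0,0, 255,255,0 };       /* 7 bytes: truncated */

static const struct modecfg_attr samples[4][2] = {
    { { NORTEL_SPLIT_INC, inc_nets, sizeof inc_nets }, { 0, NULL, 0 } },
    { { NORTEL_SPLIT_INV, inv_nets, sizeof inv_nets }, { NORTEL_SPLIT_INV_MODE, m_inv, 2 } },
    { { NORTEL_SPLIT_INV, inv_nets, sizeof inv_nets }, { NORTEL_SPLIT_INV_MODE, m_inv_local, 2 } },
    { { NORTEL_SPLIT_INC, bad_nets, sizeof bad_nets }, { 0, NULL, 0 } },
};
static const size_t sample_len[4] = { 1, 2, 2, 1 };

/* Helpers that expose the policy derived from sample `which`. */
int sample_mode(int which)
{
    struct split_policy pol;
    if (apply_split_attrs(samples[which], sample_len[which], &pol) < 0) return -1;
    return (int)pol.mode;
}
int sample_route(int which, const char *ip)
{
    struct split_policy pol;
    if (apply_split_attrs(samples[which], sample_len[which], &pol) < 0) return -1;
    return route_is_tunneled(&pol, ip);
}
```

Sample 0 is the "Enabled" case Stefan's patch handles: 10.1.0.0/16 and 192.168.5.0/24 go through the tunnel, everything else stays local. Sample 1 is "Enabled - Inverse" (mode 0x0002): 10.0.0.0/8 is routed locally and the rest through the tunnel, which is exactly the arrangement the Cisco-derived vpn-script cannot express today. Sample 2 is mode 0x0003, whose meaning is still unclear, so the decision function refuses to answer rather than guessing a route, and sample 3 shows a truncated list being rejected before any of it reaches the routing table.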
