Mailing List Archive: vpnc: devel

Re: [help] nortel vpn


borneo.antonio at gmail

May 19, 2009, 8:59 AM

Post #1 of 5 (1521 views)
Re: [help] nortel vpn

Hi bgv112233,

I'm putting the list in copy, since my reply could be interesting to
someone else too.

First, I suggest never sending out a Wireshark dump. It includes too
much sensitive data.
For example, the server IP address that you hide in the text of the
email is fully readable in the Wireshark dump.
I suggest you use the command line option "--debug 3" and send the
text output. It does not include any sensitive info.

The error message indicates that the server does not accept the "first"
packet from vpnc.
Possible issues:
- the value for "IPSec ID" is not correct. Please double check.
- the default value for "--dh dh2" is not correct. Please try also
"--dh dh1" or "--dh dh5", or the equivalent string in the config file

The official Nortel client is able to find the proper value for
"--dh", but this feature is still not implemented in vpnc.

Best Regards
Antonio Borneo



2009/5/19 bgv112233 <bgv112233 [at] 163>:
> Hi Antonio,
> Would you please give a hand?
> I downloaded the latest version 394 of vpnc-nortel/ using
> svn co http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel/
>
> and I added the patch from
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html
> , here is my vpnc.conf:
> IPSec gateway xxx.xxx.xxx.xxx
> IPSec ID XXXX
> IPSec secret xxxxx
> IKE Authmode gpassword
> Xauth username abcd
> Vendor nortel
>
> then,
> $ make
> $ sudo ./vpnc
> Enter password for abcd [at] xxx:
> ./vpnc: response was invalid [1]: (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
>
> The attachment is wireshark package. Would you please give some help?
> Thanks a lot in advance.
> $ uname -a
> Linux danaus-desktop 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:58:03
> UTC 2009 x86_64 GNU/Linux
>
_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


borneo.antonio at gmail

May 20, 2009, 7:13 AM

Post #2 of 5 (1426 views)
Re: [help] nortel vpn [In reply to]

Whoa,
compliments to your sysadmin.
He enabled "Single DES", which is considered not really secure (vpnc
requires an additional flag to be sure you really want to turn it on).
Also, he enabled "split tunnel", which is another potential "security
issue", as reported by Nortel too.
I do not know if he is too smart or too brave.
Anyway, split tunnel is for sure very comfortable for the user. Enjoy it!

For your info, this part of the dump shows that your configuration
uses split tunnel.
> t.attributes.type: 4000 (unknown)
> t.attributes.u.lots.length: 00e0
> t.attributes.u.lots.data:
> 0a000000 ff000000 0a011400 ffffff00 0a020000 ffffff00 0a020200 ffffff00
> ...
The attribute type 4000 introduces split tunnel data.

Split tunnel is not supported by the current code in SVN, and this is why
you do not get routing tables properly set.
You have to apply the patch attached to:
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002958.html

Your current configuration should work well, no other changes required.

Best Regards,
Antonio Borneo

2009/5/20 bgv112233 <bgv112233 [at] 163>:
> Hi Antonio,
> I tried the two parameters,
> IKE DH Group dh1
> Enable Single DES
> and got
> VPNC started in background (pid: 18125)...
> thanks a lot for your warmhearted help.
>
> But there are still issues, I can't ping any hosts, the interface tun0
> receives nothing, it seems that I need to config ip route table, but I'm a
> fresh man to Ubuntu and I don't find a clear way to solve this yet. Would
> you please have a look at the debug log? I access internet using
> gateway(192.168.1.1).
>
> Regards,
> danaus
>


borneo.antonio at gmail

May 20, 2009, 8:30 AM

Post #3 of 5 (1431 views)
Re: [help] nortel vpn [In reply to]

Hi Danaus,
not all the IPs in 137.xxx.xxx.xxx are accessible in your VPN, but
only from 137.117.0.0 to 137.117.63.255.
The configuration of your split tunnel has some redundancies (I am starting
to have a clearer idea about your sysadmin), but the relevant data in your
dump is
> acl 5: addr: 137.117.0.0/ 255.255.192.0 (18), protocol: 0, sport: 0, dport: 0

As for www.google.com, I do not know!
Can you resolve the IP of www.google.com?
What about other websites? Is it only www.google.com that is not
accessible, or also others?

Best Regards,
Antonio Borneo

2009/5/20 bgv112233 <bgv112233 [at] 163>:
> Hi Antonio,
> The following patch made a progress. Thanks a lot.
> Maybe I need another patch. I can't ping www.google.com, and ping some IP
> from the VPN(137.xxx.xxx.xxx) failed too.
> attached the new log after patching split tunnel.
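
Added example (not part of the original thread and not vpnc code): decoding the type-4000 payload quoted in the replies above, listing its redundant entries, and checking which destinations stay outside the tunnel. It assumes the payload is a sequence of 4-byte network address / 4-byte netmask records, which is consistent with the routes quoted later in the thread; all function names are hypothetical.

```python
import ipaddress

# Hex words copied from the debug excerpt quoted in the thread (the first 32 of
# the 0xe0 payload bytes; the remainder is elided in the mail).
SAMPLE_DUMP = ("0a000000 ff000000 0a011400 ffffff00 "
               "0a020000 ffffff00 0a020200 ffffff00")

# Network from the "acl 5" line quoted in the thread (address / netmask form).
ACL_5 = ipaddress.ip_network("137.117.0.0/255.255.192.0")


def decode_split_tunnel(hex_dump):
    """Decode the payload into IPv4 networks.

    Assumption: the payload is a run of 8-byte records, each a 4-byte
    network address followed by a 4-byte netmask.
    """
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) % 8:
        raise ValueError("payload is not a whole number of 8-byte records")
    nets = []
    for off in range(0, len(raw), 8):
        addr = ipaddress.IPv4Address(raw[off:off + 4])
        mask = ipaddress.IPv4Address(raw[off + 4:off + 8])
        # ip_network() is strict by default: it raises ValueError for a
        # non-contiguous netmask or for an address with host bits set.
        nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
    return nets


def redundant_entries(nets):
    """Return (inner, outer) pairs where inner is already covered by outer."""
    pairs = []
    for i, inner in enumerate(nets):
        for j, outer in enumerate(nets):
            if i == j or not inner.subnet_of(outer):
                continue
            # An exact duplicate is reported once, against its first occurrence.
            if inner != outer or i > j:
                pairs.append((inner, outer))
    return pairs


def effective_routes(nets):
    """Smallest set of networks covering the same addresses."""
    return list(ipaddress.collapse_addresses(nets))


def is_tunneled(dest, nets):
    """True if dest matches a split-tunnel network; otherwise it would
    follow the local default route, outside the VPN."""
    ip = ipaddress.ip_address(dest)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    nets = decode_split_tunnel(SAMPLE_DUMP)
    for inner, outer in redundant_entries(nets):
        print(f"{inner} is already covered by {outer}")
    routes = effective_routes(nets + [ACL_5])
    print("effective tunnel routes:", ", ".join(map(str, routes)))
    for dest in ("10.2.2.7", "137.117.63.255", "137.117.64.0"):
        where = "tunnel" if is_tunneled(dest, routes) else "local default route"
        print(f"{dest} -> {where}")
```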


borneo.antonio at gmail

May 20, 2009, 8:35 AM

Post #4 of 5 (1433 views)
Re: [help] nortel vpn [In reply to]

Please provide the output of the command
route -n
Eventually, hide the IP address of the VPN server from command output.
Please also provide content of file /etc/resolv.conf

Best Regards,
Antonio Borneo

2009/5/20 bgv112233 <bgv112233 [at] 163>:
> I made a mistake in the following mail. I can't ping any hosts from VPN, and
> tun0 interface received nothing.


borneo.antonio at gmail

May 20, 2009, 10:19 AM

Post #5 of 5 (1437 views)
Re: [help] nortel vpn [In reply to]

?!? everything seems ok.
do you have a firewall with some strange configuration?
try to run
/etc/init.d/iptables stop

Why do you assert no packet goes through tun0?
Did you test it with wireshark or tcpdump?

Best Regards,
Antonio Borneo

2009/5/20 bgv112233 <bgv112233 [at] 163>:
> xxx.xxx.xxx.7 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> xxx.xxx.xxx.141 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> xxx.xxx.xxx.70 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> xxx.xxx.0.128 0.0.0.0 255.255.255.192 U 0 0 0 tun0
> xxx.xx.33.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.13.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.164.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> 10.2.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> 198.18.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> 192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
> xx.xx.9.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> 10.2.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.8.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.7.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> 10.1.20.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> 192.168.30.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> 192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.6.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.42.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.5.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.4.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> 192.168.40.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
> xx.xx.32.0 0.0.0.0 255.255.240.0 U 0 0 0 tun0
> xx.xx.0.0 0.0.0.0 255.255.192.0 U 0 0 0 tun0
> xx.xx.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
> 172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0
> 192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0
> 192.169.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0
> 10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 tun0
> 47.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 tun0
> 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
>
> nameserver 192.168.1.1 // this line was added manually
> nameserver xxx.xxx.xxx.7
> nameserver xxx.xxx.xxx.141
>