Hi,

Trying to debug the nortel connect issue. Probably we can take this on the turnpike-dev list rather than in this list, since it seems like a VPN connectivity issue.

1. Did you also install the novell-nortelplugins-0.1.18-i586.rpm? They are required for the Nortel switch interop. I am assuming you did because you were able to create nortel gateway specific profiles.

2. Looking at your racoon.debug file (posted in turnpike-dev), the first phase1 packet itself is not going through. Looking further, the sockname and send-from addresses are mismatching (see line#37, #38: 192.168.112.1 and 192.168.1.102). Probably you have switched interfaces while racoon is running. This looks like a problem with racoon not being able to handle an interface switch correctly while it is running. In that case, /etc/init.d/racoon restart should make your problem go away. I guess we should automatically restart racoon from ipsec-vpn when an interface is switched, but for now can you please try to restart racoon and see if you can proceed further?

3. Also, comparing the configurations, your working configuration using apani seems to use DH group 3 (MODP_1536), whereas the turnpike profile uses DH 2. Is your Nortel switch configured to allow DH group 2? Otherwise phase 1 will not go through. We currently don't support DH 3. It is quite simple to add it though, so we can send you a patch for the same if you need it. Please let us know.

Thanks and Regards,
Haripriya S.
>>> Wendell MacKenzie <mackendw sympatico ca> 02/03/06 10:18 pm >>>
Hi:

I've set up the following components on SUSE 10.0:

NetworkManager-0.5.1cvs20060107-2
NetworkManager-vpnc-0.5.0cvs20051102-3
NetworkManager-glib-0.5.1cvs20060107-2
NetworkManager-devel-0.5.1cvs20060107-2
NetworkManager-gnome-0.5.1cvs20060107-2
ipsec-tools-0.6.3_turnpike-1.i586.rpm
novell-vpn-20060113.tar (make + make install worked fine)
turnpike-0.1.0-22.i586.rpm

I then restarted networkmanager in /etc/init.d and relaunched the nm-applet. All good so far...

Then I configured our Corporate Nortel Switch in the VPN Configuration menus in the nm-applet menus, saved it and tried to connect. Here is what shows in /var/log/messages:

Feb 3 11:24:16 macduff NetworkManager: <information> Will activate VPN connection 'BEA Corporate Network', service 'org.freedesktop.NetworkManager.vpnc', user_name 'wendell', vpn_data 'IPSec gateway / 63.96.177.3 / IPSec ID / bea / Xauth username / wendell / Domain / bea.com'.
Feb 3 11:24:16 macduff NetworkManager: <information> VPN Activation (BEA Corporate Network) Stage 1 (Connection Prepare) scheduled...
Feb 3 11:24:16 macduff NetworkManager: <information> nm_vpn_service_stage1_daemon_exec(org.freedesktop.NetworkManager.vpnc): execed the VPN service, PID is 27535.
Feb 3 11:24:16 macduff NetworkManager: <information> VPN Activation (BEA Corporate Network) Stage 2 (Connection Prepare Wait) scheduled...
Feb 3 11:24:16 macduff NetworkManager: <information> VPN Activation (BEA Corporate Network) Stage 2 (Connection Prepare Wait) scheduled...
Feb 3 11:24:17 macduff dhclient: No DHCPOFFERS received.
Feb 3 11:24:17 macduff dhclient: No working leases in persistent database - sleeping.
Feb 3 11:24:17 macduff NetworkManager: <information> VPN Activation (BEA Corporate Network) Stage 2 (Connection Prepare Wait) scheduled...
Feb 3 11:24:17 macduff NetworkManager: <information> VPN Activation (BEA Corporate Network) Stage 2 (Connection Prepare Wait) scheduled...
Feb 3 11:24:18 macduff NetworkManager: <information> VPN Activation (BEA Corporate Network) failed.

Any thoughts on debugging this? I have Apani's netlock client working no problem...but they are SLOW at keeping pace with new kernels ...

The nortel switch uses Group ID authentication with an RSA token which I've set up in my connection profile and in the menu at connect time.

Any help is appreciated.

Regards,
Wendell

_______________________________________________
NetworkManager-list mailing list
NetworkManager-list gnome org
http://mail.gnome.org/mailman/listinfo/networkmanager-list
Attachment:
racoon_1.debug
Description: Binary data
2006-02-03 12:09:01 (01,12e80003):Handling VPN Login Request
2006-02-03 12:09:01 (01,12e80010):Negotiation Status: Idle
2006-02-03 12:09:01 (01,12590016):Adding VPN record
2006-02-03 12:09:01 (01,12e80002):Received KM to GUI Notification Message
2006-02-03 12:09:01 (16,12e80008):<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2006-02-03 12:09:01 (16,12e80008):Initiating negotiation with switch at 63.96.177.3
2006-02-03 12:09:01 (01,12e80010):Negotiation Status: In Progress
2006-02-03 12:09:01 (01,12af0004):SA_REQ_OUTBOUND_ES_IS (from SP) received. Local Address: 192.168.1.102 Remote Address: 63.96.177.3
2006-02-03 12:09:01 (01,11220002):The MM identity type is KEY_ID and the value is: bea. Local Address: 192.168.1.102 Remote Address: 63.96.177.3 Local ESP SPI: 1AB9E12C
2006-02-03 12:09:01 (01,11220001):Success in building IPSEC DATA from state entry Local Address: 192.168.1.102 Remote Address: 63.96.177.3 Local ESP SPI: 1AB9E12C
2006-02-03 12:09:01 (01,013a0001):QOS:
Confidentiality: ALGOR_CONF_DES_CBC
Integrity: ALGOR_INTEG_MD5
AH: ALGOR_OFF
Mode: TRANSPORT_MODE
ESP Replay: OFF
AH Replay: OFF
Compression: COMPRESSION_OFF
PFS: OFF
SA_PER_HOST: OFF
Exchange Type: NEGOTIATION_MODE_AGGRESSIVE
ISAKMP Encryption Algorithm: ISAKMP_AES_CBC
ISAKMP Hash Algorithm: ISAKMP_HASH_SHA
Authentication Method: PRE_SHARED_KEY
Group Description: MODP_1536
Group Type: MODP_GROUP
Main Mode Identity Type: KEY_ID
Main Mode Identity Value: bea
Use No QM Identity: OFF
SA creation delay: 0 seconds
Firewall Type: Contivity Extranet Switch
Local Address: 192.168.1.102 Remote Address: 63.96.177.3 Local ESP SPI: 1AB9E12C
2006-02-03 12:09:01 (01,013a0002):Local proposal(s):
0) Proposal 1 - Protocols: 1, Secs: 0, Kb: 0, PFS: 0.
0) Protocol: ESP, Transforms: 1
0) Transform 1: DES
Lifetime: 0 Kb - 0 Secs
Group: RESERVED
Mode: Tunnel
Auth alg: MD5
Key length: 0 bits for 0 rounds
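An added example, not code from the thread or from the turnpike project, that mechanises the two checks Haripriya suggests against the attached client log format: it parses the "Key: Value" lines of the QOS block, reports phase-1 parameters that differ from a turnpike profile, and counts the distinct local addresses the client reported (more than one is the interface-switch symptom). The TURNPIKE_PROFILE values are assumed, including writing DH group 2 as MODP_1024 in the log's own naming.

```python
import re
from collections import Counter

# Constructed excerpt in the same format as the attached Contivity client log.
SAMPLE_LOG = """\
2006-02-03 12:09:01 (01,12af0004):SA_REQ_OUTBOUND_ES_IS (from SP) received. Local Address: 192.168.1.102 Remote Address: 63.96.177.3
2006-02-03 12:09:01 (01,013a0001):QOS:
Exchange Type: NEGOTIATION_MODE_AGGRESSIVE
ISAKMP Encryption Algorithm: ISAKMP_AES_CBC
ISAKMP Hash Algorithm: ISAKMP_HASH_SHA
Authentication Method: PRE_SHARED_KEY
Group Description: MODP_1536
Main Mode Identity Type: KEY_ID
Main Mode Identity Value: bea
Local Address: 192.168.1.102 Remote Address: 63.96.177.3 Local ESP SPI: 1AB9E12C
"""

# Hypothetical turnpike profile: the mail says turnpike negotiates DH group 2,
# which is the 1024-bit MODP group, so it is written here as MODP_1024 (assumption).
TURNPIKE_PROFILE = {
    "Exchange Type": "NEGOTIATION_MODE_AGGRESSIVE",
    "ISAKMP Encryption Algorithm": "ISAKMP_AES_CBC",
    "ISAKMP Hash Algorithm": "ISAKMP_HASH_SHA",
    "Authentication Method": "PRE_SHARED_KEY",
    "Group Description": "MODP_1024",
}

# A bare "Name: VALUE" line of the QOS block (timestamped lines do not match).
KV_RE = re.compile(r"^([A-Za-z ]+): (\S+)$")
ADDR_RE = re.compile(r"Local Address: (\d+\.\d+\.\d+\.\d+)")


def parse_qos(log):
    """Collect the QOS block's 'Key: Value' lines into a dict."""
    params = {}
    for line in log.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            params[m.group(1)] = m.group(2)
    return params


def phase1_mismatches(log, profile):
    """Map each differing phase-1 parameter to (value in working log, value in profile)."""
    working = parse_qos(log)
    return {k: (working[k], v) for k, v in profile.items()
            if k in working and working[k] != v}


def local_addresses(log):
    """Count every local address the client reported; two or more suggests an interface switch."""
    return Counter(ADDR_RE.findall(log))
```

Run against the full attachment, phase1_mismatches points at the DH group as the only phase-1 difference, and local_addresses is what to check once racoon's own debug output is fed in.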