Antonio Borneo | 1 May 19:11 2009

Re: VPNC on mac / nortel

Ciao Phil,
I'm putting in copy vpnc-devel list. This reply could help somebody else too.

You are right, before configuring split tunnel you need vpnc-nortel working.

I believe the main issue you have is that you are NOT using the right code.
The code specific for Nortel is still not merged in the main branch of vpnc.
So, don't use the official version 0.5.3, but download from SVN the
code in the Nortel branch
http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel/

Before compiling it, it's important you apply the patch in this mail
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html
that gives access to all the authentication modes supported by Nortel.

There are other patches not yet included in the Nortel branch, listed
in this mail
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-March/003010.html
but are not mandatory for your first steps. Skip them for the moment.

Compile the code.
In your mail I noticed you added openssl support. Nortel does not need it.

In the config file you didn't put the mandatory line
Vendor nortel
and you also need to provide information about the authentication mode
required by your Nortel server. This option is also in the
configuration of your official Nortel client.
I guess in your case should be "Response Only Token" or "Group
Password Authentication".

Michael Gofman | 1 May 21:31 2009

Re: VPNC on mac / nortel

Antonio
I am running Ubuntu 9.04
Trying to compile the nortel branch.
After I checked out the latest from svn and applied the patch from the e-mail you mentioned (http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html)

I'm getting the following error:
make: libgcrypt-config: Command not found
gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings  -DVERSION=\"0.5.2-394M\"   -c -o isakmp-pkt.o isakmp-pkt.c
In file included from isakmp-pkt.c:31:
math_group.h:38:20: error: gcrypt.h: No such file or directory
In file included from isakmp-pkt.c:31:
math_group.h:62: error: expected specifier-qualifier-list before ‘gcry_mpi_t’
In file included from vpnc.h:24,
                 from isakmp-pkt.c:32:
tunip.h:43: error: expected specifier-qualifier-list before ‘gcry_cipher_hd_t’
make: *** [isakmp-pkt.o] Error 1


On Fri, May 1, 2009 at 1:11 PM, Antonio Borneo <borneo.antonio-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
Ciao Phil,
I'm putting in copy vpnc-devel list. This reply could help somebody else too.

You are right, before configuring split tunnel you need vpnc-nortel working.

I believe the main issue you have is that you are NOT using the right code.
The code specific for Nortel is still not merged in the main branch of vpnc.
So, don't use the official version 0.5.3, but download from SVN the
code in the Nortel branch
http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel/

Before compiling it, it's important you apply the patch in this mail
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html
that gives access to all the authentication modes supported by Nortel.

There are other patches not yet included in the Nortel branch, listed
in this mail
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-March/003010.html
but are not mandatory for your first steps. Skip them for the moment.

Compile the code.
In your mail I noticed you added openssl support. Nortel does not need it.

In the config file you didn't put the mandatory line
Vendor nortel
and you also need to provide information about the authentication mode
required by your Nortel server. This option is also in the
configuration of your official Nortel client.
I guess in your case should be "Response Only Token" or "Group
Password Authentication".
The proper line in the config file will then be
IKE Authmode token
or
IKE Authmode gpassword

Let me know the result, and don't hesitate to contact me if there is any further problem.

Best Regards,
Antonio Borneo

On Fri, May 1, 2009 at 10:08 AM, phil swenson <phil.swenson-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi.  Your name keeps popping up on google searches on "nortel VPNC".
> I hope you don't mind me asking for some help.
>
> I first came across this:
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-February/002990.html
>
> Split tunneling is my goal.  But first I need to get VPNC working with
> Nortel.  I haven't had much luck.
>
> Here is what I get on version:
> zeppelin:bin pswenson$ vpnc --version
> vpnc version 0.5.3
> Copyright (C) 2002-2006 Geoffrey Keating, Maurice Massar, others
> vpnc comes with NO WARRANTY, to the extent permitted by law.
> You may redistribute copies of vpnc under the terms of the GNU General
> Public License.  For more information about these matters, see the files
> named COPYING.
> Built with openssl (certificate) support. Be aware of the
> license implications.
>
> Supported DH-Groups: nopfs dh1 dh2 dh5
> Supported Hash-Methods: md5 sha1
> Supported Encryptions: null des 3des aes128 aes192 aes256
> Supported Auth-Methods: psk psk+xauth hybrid(rsa)
>
> Here is what I get when I run it:
> zeppelin:bin pswenson$ sudo vpnc --local-port 0
> response was invalid [1]:  (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
>
> my config looks something like:
>
> IPSec gateway mygatewaygoeshere
> IPSec ID mynortelgroupidgoeshere
> IPSec secret grouppwgoeshere
> IKE Authmode
> Xauth username ame\pswenson
> Xauth password mypassword
>
> I assume the problem is specifying Nortel auth somewhere, but I'm not
> sure how to do it.  I do notice that IKE isn't in the supported
> authmodes.  is that the issue?
>
> thanks for any thoughts.
> phil
>
_______________________________________________
vpnc-devel mailing list
vpnc-devel-4UQ70Bntwr2x0/aPbc6oMQ@public.gmane.orge
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
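
Added example, not part of the thread and not vpnc code: a small Python check for the two config omissions Antonio points out above (no "Vendor nortel" line, "IKE Authmode" without a value), run against the config Phil posted with his placeholder values. The keyword list, the case-insensitive matching and the two accepted Authmode values are assumptions limited to what this thread names.

```python
"""Lint a vpnc-nortel config for the omissions diagnosed in this thread."""

# Authmode values named in the thread. Assumption: the patched Nortel branch
# may accept more modes; only these two are mentioned in the messages above.
THREAD_AUTHMODES = ("token", "gpassword")

# Config keywords that appear in the thread (assumed list, not vpnc's full set).
KEYWORDS = (
    "IPSec gateway", "IPSec ID", "IPSec secret",
    "IKE Authmode", "Xauth username", "Xauth password", "Vendor",
)


def parse_config(text):
    """Return {keyword: value}; value is '' when a keyword has no argument."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        for key in KEYWORDS:
            if not line.lower().startswith(key.lower()):
                continue
            rest = line[len(key):]
            if rest and not rest[0].isspace():
                continue  # keyword must be followed by whitespace or end of line
            settings[key] = rest.strip()
            break
    return settings


def lint(text):
    """Return a list of findings; an empty list means both checks pass."""
    settings = parse_config(text)
    findings = []

    vendor = settings.get("Vendor")
    if vendor is None:
        findings.append("missing mandatory line: Vendor nortel")
    elif vendor.lower() != "nortel":
        findings.append("Vendor is %r, expected nortel" % vendor)

    mode = settings.get("IKE Authmode")
    if mode is None:
        findings.append("missing IKE Authmode line")
    elif mode == "":
        findings.append("IKE Authmode has no value")
    elif mode.lower() not in THREAD_AUTHMODES:
        findings.append(
            "IKE Authmode %r is not one of: %s" % (mode, ", ".join(THREAD_AUTHMODES))
        )
    return findings


# Sample input: the config from Phil's mail, placeholders as he wrote them.
PHIL_CONFIG = """\
IPSec gateway mygatewaygoeshere
IPSec ID mynortelgroupidgoeshere
IPSec secret grouppwgoeshere
IKE Authmode
Xauth username ame\\pswenson
Xauth password mypassword
"""

# Constructed sample: the same config with the two lines Antonio asks for.
FIXED_CONFIG = PHIL_CONFIG.replace(
    "IKE Authmode\n", "Vendor nortel\nIKE Authmode gpassword\n"
)

if __name__ == "__main__":
    for name, cfg in (("as posted", PHIL_CONFIG), ("corrected", FIXED_CONFIG)):
        problems = lint(cfg)
        print(name + ":", problems if problems else "ok")
```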

Antonio Borneo | 2 May 05:38 2009

Re: VPNC on mac / nortel

Ciao Mike,

It seems your system does not have the development version of the library
libgcrypt.
In Fedora it is the RPM package libgcrypt-devel-...
In fact, what is missing is the shell command "libgcrypt-config", usually in
/usr/bin/libgcrypt-config, and the include file "gcrypt.h", usually in
/usr/include/gcrypt.h.
Please install them, and try again.

Best Regards,
Antonio Borneo

On Sat, May 2, 2009 at 3:31 AM, Michael Gofman <gofman.mike@...> wrote:
> Antonio
> I am running Ubuntu 9.04
> Trying to compile the nortel branch.
> After I checkout out the latest from svn and applied the patch from the
> e-mail you mentioned
> ,(http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html)
>
> I'm getting the following error:
> make: libgcrypt-config: Command not found
> gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings
> -DVERSION=\"0.5.2-394M\"   -c -o isakmp-pkt.o isakmp-pkt.c
> In file included from isakmp-pkt.c:31:
> math_group.h:38:20: error: gcrypt.h: No such file or directory
> In file included from isakmp-pkt.c:31:
> math_group.h:62: error: expected specifier-qualifier-list before
> ‘gcry_mpi_t’
> In file included from vpnc.h:24,
>                  from isakmp-pkt.c:32:
> tunip.h:43: error: expected specifier-qualifier-list before
> ‘gcry_cipher_hd_t’
> make: *** [isakmp-pkt.o] Error 1
>
>
> On Fri, May 1, 2009 at 1:11 PM, Antonio Borneo <borneo.antonio@...>
> wrote:
>>
>> Ciao Phil,
>> I'm putting in copy vpnc-devel list. This reply could help somebody else
>> too.
>>
>> You are right, before configuring split tunnel you need vpnc-nortel
>> working.
>>
>> I believe the main issue you have is that you are NOT using the right
>> code.
>> The code specific for Nortel is still not merged in the main branch of
>> vpnc.
>> So, don't use the official version 0.5.3, but download from SVN the
>> code in the Nortel branch
>> http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel/
>>
>> Before compiling it, it's important you apply the patch in this mail
>>
>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html
>> that gives access to all the authentication modes supported by Nortel.
>>
>> There are other patches not yet included in the Nortel branch, listed
>> in this mail
>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-March/003010.html
>> but are not mandatory for your first steps. Skip them for the moment.
>>
>> Compile the code.
>> In your mail I noticed you added openssl support. Nortel does not need it.
>>
>> In the config file you didn't put the mandatory line
>> Vendor nortel
>> and you also need to provide information about the authentication mode
>> required by your Nortel server. This options is also in the
>> configuration of your official Nortel client.
>> I guess in your case should be "Response Only Token" or "Group
>> Password Authentication".
>> The proper line in the config file will then be
>> IKE Authmode token
>> or
>> IKE Authmode gpassword
>>
>> Let me know the result, and don't hesitate contacting me if any further
>> problem.
>>
>> Best Regards,
>> Antonio Borneo
>>
>> On Fri, May 1, 2009 at 10:08 AM, phil swenson <phil.swenson@...>
>> wrote:
>> > Hi.  Your name keeps popping up on google searches on "nortel VPNC".
>> > I hope you don't mind me asking for some help.
>> >
>> > I first came across this:
>> >
>> > http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-February/002990.html
>> >
>> > Split tunneling is my goal.  But first I need to get VPNC working with
>> > Nortel.  I haven't had much luck.
>> >
>> > Here is what I get on version:
>> > zeppelin:bin pswenson$ vpnc --version
>> > vpnc version 0.5.3
>> > Copyright (C) 2002-2006 Geoffrey Keating, Maurice Massar, others
>> > vpnc comes with NO WARRANTY, to the extent permitted by law.
>> > You may redistribute copies of vpnc under the terms of the GNU General
>> > Public License.  For more information about these matters, see the files
>> > named COPYING.
>> > Built with openssl (certificate) support. Be aware of the
>> > license implications.
>> >
>> > Supported DH-Groups: nopfs dh1 dh2 dh5
>> > Supported Hash-Methods: md5 sha1
>> > Supported Encryptions: null des 3des aes128 aes192 aes256
>> > Supported Auth-Methods: psk psk+xauth hybrid(rsa)
>> >
>> > Here is what I get when I run it:
>> > zeppelin:bin pswenson$ sudo vpnc --local-port 0
>> > response was invalid [1]:  (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
>> >
>> > my config looks something like:
>> >
>> > IPSec gateway mygatewaygoeshere
>> > IPSec ID mynortelgroupidgoeshere
>> > IPSec secret grouppwgoeshere
>> > IKE Authmode
>> > Xauth username ame\pswenson
>> > Xauth password mypassword
>> >
>> > I assume the problem is specifying Nortel auth somewhere, but I'm not
>> > sure how to do it.  I do notice that IKE isn't in the supported
>> > authmodes.  is that the issue?
>> >
>> > thanks for any thoughts.
>> > phil
>> >

Georges-Etienne Legendre | 2 May 15:12 2009

Re: VPNC on mac / nortel

Is it for Ubuntu or Mac? Because, to my knowledge, VPNC + Nortel is  
not working on Mac, because this platform doesn't support ESP socket.

-- 
Georges-Etienne Legendre, Jr Eng.

On 1-May-09, at 11:38 PM, Antonio Borneo wrote:

> Ciao Mike,
>
> seems your system does not have the development version of the library
> libgcrypt.
> In Fedora is the RPM package libgcrypt-devel-...
> In fact, is missing the shell command "libgcrypt-config", usually in
> /usr/bin/libgcrypt-config, and the include file "gcrypt.h", usually in
> /usr/include/gcrypt.h.
> Please install them, and try again.
>
> Best Regards,
> Antonio Borneo
>
>
> On Sat, May 2, 2009 at 3:31 AM, Michael Gofman  
> <gofman.mike@...> wrote:
>> Antonio
>> I am running Ubuntu 9.04
>> Trying to compile the nortel branch.
>> After I checkout out the latest from svn and applied the patch from  
>> the
>> e-mail you mentioned
>> ,(http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html 
>> )
>>
>> I'm getting the following error:
>> make: libgcrypt-config: Command not found
>> gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings
>> -DVERSION=\"0.5.2-394M\"   -c -o isakmp-pkt.o isakmp-pkt.c
>> In file included from isakmp-pkt.c:31:
>> math_group.h:38:20: error: gcrypt.h: No such file or directory
>> In file included from isakmp-pkt.c:31:
>> math_group.h:62: error: expected specifier-qualifier-list before
>> ‘gcry_mpi_t’
>> In file included from vpnc.h:24,
>>                 from isakmp-pkt.c:32:
>> tunip.h:43: error: expected specifier-qualifier-list before
>> ‘gcry_cipher_hd_t’
>> make: *** [isakmp-pkt.o] Error 1
>>
>>
>> On Fri, May 1, 2009 at 1:11 PM, Antonio Borneo <borneo.antonio@...>
>> wrote:
>>>
>>> Ciao Phil,
>>> I'm putting in copy vpnc-devel list. This reply could help  
>>> somebody else
>>> too.
>>>
>>> You are right, before configuring split tunnel you need vpnc-nortel
>>> working.
>>>
>>> I believe the main issue you have is that you are NOT using the  
>>> right
>>> code.
>>> The code specific for Nortel is still not merged in the main  
>>> branch of
>>> vpnc.
>>> So, don't use the official version 0.5.3, but download from SVN the
>>> code in the Nortel branch
>>> http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel/
>>>
>>> Before compiling it, it's important you apply the patch in this mail
>>>
>>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html
>>> that gives access to all the authentication modes supported by  
>>> Nortel.
>>>
>>> There are other patches not yet included in the Nortel branch,  
>>> listed
>>> in this mail
>>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-March/003010.html
>>> but are not mandatory for your first steps. Skip them for the  
>>> moment.
>>>
>>> Compile the code.
>>> In your mail I noticed you added openssl support. Nortel does not  
>>> need it.
>>>
>>> In the config file you didn't put the mandatory line
>>> Vendor nortel
>>> and you also need to provide information about the authentication  
>>> mode
>>> required by your Nortel server. This options is also in the
>>> configuration of your official Nortel client.
>>> I guess in your case should be "Response Only Token" or "Group
>>> Password Authentication".
>>> The proper line in the config file will then be
>>> IKE Authmode token
>>> or
>>> IKE Authmode gpassword
>>>
>>> Let me know the result, and don't hesitate contacting me if any  
>>> further
>>> problem.
>>>
>>> Best Regards,
>>> Antonio Borneo
>>>
>>> On Fri, May 1, 2009 at 10:08 AM, phil swenson <phil.swenson@...>
>>> wrote:
>>>> Hi.  Your name keeps popping up on google searches on "nortel  
>>>> VPNC".
>>>> I hope you don't mind me asking for some help.
>>>>
>>>> I first came across this:
>>>>
>>>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-February/002990.html
>>>>
>>>> Split tunneling is my goal.  But first I need to get VPNC working  
>>>> with
>>>> Nortel.  I haven't had much luck.
>>>>
>>>> Here is what I get on version:
>>>> zeppelin:bin pswenson$ vpnc --version
>>>> vpnc version 0.5.3
>>>> Copyright (C) 2002-2006 Geoffrey Keating, Maurice Massar, others
>>>> vpnc comes with NO WARRANTY, to the extent permitted by law.
>>>> You may redistribute copies of vpnc under the terms of the GNU  
>>>> General
>>>> Public License.  For more information about these matters, see  
>>>> the files
>>>> named COPYING.
>>>> Built with openssl (certificate) support. Be aware of the
>>>> license implications.
>>>>
>>>> Supported DH-Groups: nopfs dh1 dh2 dh5
>>>> Supported Hash-Methods: md5 sha1
>>>> Supported Encryptions: null des 3des aes128 aes192 aes256
>>>> Supported Auth-Methods: psk psk+xauth hybrid(rsa)
>>>>
>>>> Here is what I get when I run it:
>>>> zeppelin:bin pswenson$ sudo vpnc --local-port 0
>>>> response was invalid [1]:  (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
>>>>
>>>> my config looks something like:
>>>>
>>>> IPSec gateway mygatewaygoeshere
>>>> IPSec ID mynortelgroupidgoeshere
>>>> IPSec secret grouppwgoeshere
>>>> IKE Authmode
>>>> Xauth username ame\pswenson
>>>> Xauth password mypassword
>>>>
>>>> I assume the problem is specifying Nortel auth somewhere, but I'm  
>>>> not
>>>> sure how to do it.  I do notice that IKE isn't in the supported
>>>> authmodes.  is that the issue?
>>>>
>>>> thanks for any thoughts.
>>>> phil
>>>>

Antonio Borneo | 2 May 18:48 2009

Re: VPNC on mac / nortel

Hi Georges-Etienne,
I always skipped Mac related threads since I am neither a user nor an expert of
this platform.
Digging in the list I found messages confirming what you say, that
current vpnc-nortel cannot work on Mac.

Possible options:
- port the patch made by Mattias in 2004 for kernel-ipsec, available in
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2004-September/000228.html
I didn't find any further development since then. Georges-Etienne, I
read some later mail from you. Do you confirm this is a viable option?
Does anyone want to work on it?

- port in vpnc the protocol AH, that is one alternative protocol to
ESP. Will Mac support AH? If also AH requires kernel-ipsec, no way.

- I have an "almost" working version of vpnc-nortel with NATT through
UDP encapsulation. I should find time to finalize it in a working
patch. This mode does not require ESP or AH.
There are already other patches pending for commit in SVN, and some
are quite invasive; I was waiting to have them committed before
posting a new one.

If you are aware of any other option, let us know.

Best Regards,
Antonio Borneo

On Sat, May 2, 2009 at 9:12 PM, Georges-Etienne Legendre
<legege@...> wrote:
> Is it for Ubuntu or Mac? Because, to my knowledge, VPNC + Nortel is
> not working on Mac, because this platform doesn't support ESP socket.
>
> --
> Georges-Etienne Legendre, Jr Eng.
>
> On 1-May-09, at 11:38 PM, Antonio Borneo wrote:
>
>> Ciao Mike,
>>
>> seems your system does not have the development version of the library
>> libgcrypt.
>> In Fedora is the RPM package libgcrypt-devel-...
>> In fact, is missing the shell command "libgcrypt-config", usually in
>> /usr/bin/libgcrypt-config, and the include file "gcrypt.h", usually in
>> /usr/include/gcrypt.h.
>> Please install them, and try again.
>>
>> Best Regards,
>> Antonio Borneo
>>
>>
>> On Sat, May 2, 2009 at 3:31 AM, Michael Gofman
>> <gofman.mike@...> wrote:
>>> Antonio
>>> I am running Ubuntu 9.04
>>> Trying to compile the nortel branch.
>>> After I checkout out the latest from svn and applied the patch from
>>> the
>>> e-mail you mentioned
>>> ,(http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html
>>> )
>>>
>>> I'm getting the following error:
>>> make: libgcrypt-config: Command not found
>>> gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings
>>> -DVERSION=\"0.5.2-394M\"   -c -o isakmp-pkt.o isakmp-pkt.c
>>> In file included from isakmp-pkt.c:31:
>>> math_group.h:38:20: error: gcrypt.h: No such file or directory
>>> In file included from isakmp-pkt.c:31:
>>> math_group.h:62: error: expected specifier-qualifier-list before
>>> ‘gcry_mpi_t’
>>> In file included from vpnc.h:24,
>>>                 from isakmp-pkt.c:32:
>>> tunip.h:43: error: expected specifier-qualifier-list before
>>> ‘gcry_cipher_hd_t’
>>> make: *** [isakmp-pkt.o] Error 1
>>>
>>>
>>> On Fri, May 1, 2009 at 1:11 PM, Antonio Borneo <borneo.antonio@...>
>>> wrote:
>>>>
>>>> Ciao Phil,
>>>> I'm putting in copy vpnc-devel list. This reply could help
>>>> somebody else
>>>> too.
>>>>
>>>> You are right, before configuring split tunnel you need vpnc-nortel
>>>> working.
>>>>
>>>> I believe the main issue you have is that you are NOT using the
>>>> right
>>>> code.
>>>> The code specific for Nortel is still not merged in the main
>>>> branch of
>>>> vpnc.
>>>> So, don't use the official version 0.5.3, but download from SVN the
>>>> code in the Nortel branch
>>>> http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel/
>>>>
>>>> Before compiling it, it's important you apply the patch in this mail
>>>>
>>>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html
>>>> that gives access to all the authentication modes supported by
>>>> Nortel.
>>>>
>>>> There are other patches not yet included in the Nortel branch,
>>>> listed
>>>> in this mail
>>>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-March/003010.html
>>>> but are not mandatory for your first steps. Skip them for the
>>>> moment.
>>>>
>>>> Compile the code.
>>>> In your mail I noticed you added openssl support. Nortel does not
>>>> need it.
>>>>
>>>> In the config file you didn't put the mandatory line
>>>> Vendor nortel
>>>> and you also need to provide information about the authentication
>>>> mode
>>>> required by your Nortel server. This options is also in the
>>>> configuration of your official Nortel client.
>>>> I guess in your case should be "Response Only Token" or "Group
>>>> Password Authentication".
>>>> The proper line in the config file will then be
>>>> IKE Authmode token
>>>> or
>>>> IKE Authmode gpassword
>>>>
>>>> Let me know the result, and don't hesitate contacting me if any
>>>> further
>>>> problem.
>>>>
>>>> Best Regards,
>>>> Antonio Borneo
>>>>
>>>> On Fri, May 1, 2009 at 10:08 AM, phil swenson <phil.swenson@...>
>>>> wrote:
>>>>> Hi.  Your name keeps popping up on google searches on "nortel
>>>>> VPNC".
>>>>> I hope you don't mind me asking for some help.
>>>>>
>>>>> I first came across this:
>>>>>
>>>>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-February/002990.html
>>>>>
>>>>> Split tunneling is my goal.  But first I need to get VPNC working
>>>>> with
>>>>> Nortel.  I haven't had much luck.
>>>>>
>>>>> Here is what I get on version:
>>>>> zeppelin:bin pswenson$ vpnc --version
>>>>> vpnc version 0.5.3
>>>>> Copyright (C) 2002-2006 Geoffrey Keating, Maurice Massar, others
>>>>> vpnc comes with NO WARRANTY, to the extent permitted by law.
>>>>> You may redistribute copies of vpnc under the terms of the GNU
>>>>> General
>>>>> Public License.  For more information about these matters, see
>>>>> the files
>>>>> named COPYING.
>>>>> Built with openssl (certificate) support. Be aware of the
>>>>> license implications.
>>>>>
>>>>> Supported DH-Groups: nopfs dh1 dh2 dh5
>>>>> Supported Hash-Methods: md5 sha1
>>>>> Supported Encryptions: null des 3des aes128 aes192 aes256
>>>>> Supported Auth-Methods: psk psk+xauth hybrid(rsa)
>>>>>
>>>>> Here is what I get when I run it:
>>>>> zeppelin:bin pswenson$ sudo vpnc --local-port 0
>>>>> response was invalid [1]:  (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
>>>>>
>>>>> my config looks something like:
>>>>>
>>>>> IPSec gateway mygatewaygoeshere
>>>>> IPSec ID mynortelgroupidgoeshere
>>>>> IPSec secret grouppwgoeshere
>>>>> IKE Authmode
>>>>> Xauth username ame\pswenson
>>>>> Xauth password mypassword
>>>>>
>>>>> I assume the problem is specifying Nortel auth somewhere, but I'm
>>>>> not
>>>>> sure how to do it.  I do notice that IKE isn't in the supported
>>>>> authmodes.  is that the issue?
>>>>>
>>>>> thanks for any thoughts.
>>>>> phil
>>>>>

Nicholas Reilly | 2 May 19:53 2009

Re: VPNC on mac / nortel

This is Ubuntu so it should be:

sudo apt-get install libgcrypt11-dev

Regards,
Nick.

Antonio Borneo wrote:
> Ciao Mike,
> 
> seems your system does not have the development version of the library
> libgcrypt.
> In Fedora is the RPM package libgcrypt-devel-...
> In fact, is missing the shell command "libgcrypt-config", usually in
> /usr/bin/libgcrypt-config, and the include file "gcrypt.h", usually in
> /usr/include/gcrypt.h.
> Please install them, and try again.
> 
> Best Regards,
> Antonio Borneo
> 
> 
> On Sat, May 2, 2009 at 3:31 AM, Michael Gofman
> <gofman.mike@...> wrote:
>> Antonio
>> I am running Ubuntu 9.04
>> Trying to compile the nortel branch.
>> After I checkout out the latest from svn and applied the patch from the
>> e-mail you mentioned
>> ,(http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html)
>>
>> I'm getting the following error:
>> make: libgcrypt-config: Command not found
>> gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings
>> -DVERSION=\"0.5.2-394M\"   -c -o isakmp-pkt.o isakmp-pkt.c
>> In file included from isakmp-pkt.c:31:
>> math_group.h:38:20: error: gcrypt.h: No such file or directory
>> In file included from isakmp-pkt.c:31:
>> math_group.h:62: error: expected specifier-qualifier-list before
>> ‘gcry_mpi_t’
>> In file included from vpnc.h:24,
>>                  from isakmp-pkt.c:32:
>> tunip.h:43: error: expected specifier-qualifier-list before
>> ‘gcry_cipher_hd_t’
>> make: *** [isakmp-pkt.o] Error 1
>>
>>
>> On Fri, May 1, 2009 at 1:11 PM, Antonio Borneo <borneo.antonio@...>
>> wrote:
>>> Ciao Phil,
>>> I'm putting the vpnc-devel list in copy. This reply could help somebody else
>>> too.
>>>
>>> You are right, before configuring split tunnel you need vpnc-nortel
>>> working.
>>>
>>> I believe the main issue you have is that you are NOT using the right
>>> code.
>>> The code specific for Nortel is still not merged in the main branch of
>>> vpnc.
>>> So, don't use the official version 0.5.3, but download from SVN the
>>> code in the Nortel branch
>>> http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel/
>>>
>>> Before compiling it, it's important you apply the patch in this mail
>>>
>>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-January/002959.html
>>> that gives access to all the authentication modes supported by Nortel.
>>>
>>> There are other patches not yet included in the Nortel branch, listed
>>> in this mail
>>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-March/003010.html
>>> but are not mandatory for your first steps. Skip them for the moment.
>>>
>>> Compile the code.
>>> In your mail I noticed you added openssl support. Nortel does not need it.
>>>
>>> In the config file you didn't put the mandatory line
>>> Vendor nortel
>>> and you also need to provide information about the authentication mode
>>> required by your Nortel server. This option is also in the
>>> configuration of your official Nortel client.
>>> I guess in your case it should be "Response Only Token" or "Group
>>> Password Authentication".
>>> The proper line in the config file will then be
>>> IKE Authmode token
>>> or
>>> IKE Authmode gpassword
>>>
>>> Let me know the result, and don't hesitate to contact me if you have any further
>>> problems.
>>>
>>> Best Regards,
>>> Antonio Borneo
>>>
>>> On Fri, May 1, 2009 at 10:08 AM, phil swenson <phil.swenson@...>
>>> wrote:
>>>> Hi.  Your name keeps popping up on google searches on "nortel VPNC".
>>>> I hope you don't mind me asking for some help.
>>>>
>>>> I first came across this:
>>>>
>>>> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-February/002990.html
>>>>
>>>> Split tunneling is my goal.  But first I need to get VPNC working with
>>>> Nortel.  I haven't had much luck.
>>>>
>>>> Here is what I get on version:
>>>> zeppelin:bin pswenson$ vpnc --version
>>>> vpnc version 0.5.3
>>>> Copyright (C) 2002-2006 Geoffrey Keating, Maurice Massar, others
>>>> vpnc comes with NO WARRANTY, to the extent permitted by law.
>>>> You may redistribute copies of vpnc under the terms of the GNU General
>>>> Public License.  For more information about these matters, see the files
>>>> named COPYING.
>>>> Built with openssl (certificate) support. Be aware of the
>>>> license implications.
>>>>
>>>> Supported DH-Groups: nopfs dh1 dh2 dh5
>>>> Supported Hash-Methods: md5 sha1
>>>> Supported Encryptions: null des 3des aes128 aes192 aes256
>>>> Supported Auth-Methods: psk psk+xauth hybrid(rsa)
>>>>
>>>> Here is what I get when I run it:
>>>> zeppelin:bin pswenson$ sudo vpnc --local-port 0
>>>> response was invalid [1]:  (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
>>>>
>>>> my config looks something like:
>>>>
>>>> IPSec gateway mygatewaygoeshere
>>>> IPSec ID mynortelgroupidgoeshere
>>>> IPSec secret grouppwgoeshere
>>>> IKE Authmode
>>>> Xauth username ame\pswenson
>>>> Xauth password mypassword
>>>>
>>>> I assume the problem is specifying Nortel auth somewhere, but I'm not
>>>> sure how to do it.  I do notice that IKE isn't in the supported
>>>> authmodes.  is that the issue?
>>>>
>>>> thanks for any thoughts.
>>>> phil
>>>>
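
The two failures discussed in this message (the missing libgcrypt development files, and a config file without `Vendor nortel` or with an `IKE Authmode` line that has no value) can be checked before compiling and connecting. The script below is an added example, not code from vpnc or from any poster; the function names, the finding messages, the case-insensitive key matching and the `#` comment handling are assumptions.

```shell
#!/bin/sh
# Added example, not part of vpnc: pre-flight checks for the two failures
# discussed in this thread. Function names and messages are hypothetical.

# List the libgcrypt development pieces named in the thread that are missing.
# $1 = include directory to search (the thread gives /usr/include).
missing_gcrypt_dev() {
    inc_dir=${1:-/usr/include}
    command -v libgcrypt-config >/dev/null 2>&1 || echo "libgcrypt-config"
    [ -f "$inc_dir/gcrypt.h" ] || echo "gcrypt.h"
}

# Lint a vpnc config for the Nortel settings the thread calls mandatory.
# Prints one finding per line; the exit status is the number of findings.
# Assumption: keys match case-insensitively and "#" starts a comment line.
lint_nortel_conf() {
    awk '
    # Set VALUE and return 1 when line starts with key as whole words.
    function match_key(line, key,    n) {
        n = length(key)
        if (tolower(substr(line, 1, n)) != tolower(key)) return 0
        if (length(line) > n && substr(line, n + 1, 1) !~ /[ \t\r]/) return 0
        VALUE = substr(line, n + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", VALUE)
        return 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (match_key(line, "Vendor"))       { have_vendor = 1; vendor = tolower(VALUE) }
        if (match_key(line, "IKE Authmode")) { have_auth = 1; auth = VALUE }
    }
    END {
        n = 0
        if (!have_vendor)            { print "missing: Vendor nortel"; n++ }
        else if (vendor != "nortel") { print "vendor: " vendor " is not nortel"; n++ }
        if (!have_auth)              { print "missing: IKE Authmode <mode>"; n++ }
        else if (auth == "")         { print "empty: IKE Authmode has no value"; n++ }
        exit n
    }' "$1"
}

# Constructed sample: the config quoted in the thread, placeholders unchanged,
# then the same file with the two lines the reply asks for.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/broken.conf" <<'EOF'
IPSec gateway mygatewaygoeshere
IPSec ID mynortelgroupidgoeshere
IPSec secret grouppwgoeshere
IKE Authmode
Xauth username ame\pswenson
Xauth password mypassword
EOF
    { echo "Vendor nortel"
      sed 's/^IKE Authmode$/IKE Authmode gpassword/' "$dir/broken.conf"
    } > "$dir/fixed.conf"
    echo "broken.conf:"; lint_nortel_conf "$dir/broken.conf" || true
    echo "fixed.conf:";  lint_nortel_conf "$dir/fixed.conf" && echo "no findings"
    echo "missing build pieces:"; missing_gcrypt_dev
    rm -rf "$dir"
}

demo
```

The linter only checks that `IKE Authmode` has some value; the thread names `token` and `gpassword`, and which one applies depends on the Nortel server.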

Mike Gofman | 3 May 02:04 2009

Re: VPNC on mac / nortel

Just FYI noticed a small bug.
When I run vpnc it looks for vpnc-script in /etc/vpnc/ instead of a
directory relative to where you are running from.

On Sun, 2009-05-03 at 00:48 +0800, Antonio Borneo wrote:
> Hi Georges-Etienne,
> I always skipped Mac related threads since I am neither a user nor an expert of
> this platform.
> Digging in the list I found messages confirming what you say, that
> current vpnc-nortel cannot work on Mac.
> 
> Possible options:
> - port the patch made by Mattias in 2004 for kernel-ipsec, available in
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2004-September/000228.html
> I didn't find any further development since then. Georges-Etienne, I
> read some later mail from you. Do you confirm this is a viable option?
> Does anyone want to work on it?
> 
> - port in vpnc the protocol AH, that is one alternative protocol to
> ESP. Will MAC support AH? If also AH requires kernel-ipsec, no way.
> 
> - I have an "almost" working version of vpnc-nortel with NATT through
> UDP encapsulation. I should find time to finalize it in a working
> patch. This mode does not require ESP or AH.
> There are already other patches pending for commit in SVN, and some
> are quite invasive; I was waiting to have them committed before
> posting a new one.
> 
> If you are aware of any other option, let us know.
> 
> Best Regards,
> Antonio Borneo
> 
> On Sat, May 2, 2009 at 9:12 PM, Georges-Etienne Legendre
> <legege <at> legege.com> wrote:
> > Is it for Ubuntu or Mac? Because, to my knowledge, VPNC + Nortel is
> > not working on Mac, because this platform doesn't support ESP socket.
> >
> > --
> > Georges-Etienne Legendre, Jr Eng.
> >

Mike Gofman | 3 May 04:14 2009

ubuntu 9.04 username/pass authentication

Ough Wow Antonio.
It finally worked.
It established a connection.
I am so very grateful for your efforts. 
Thank you so much, this is one of the biggest things currently holding me
back in Windows.

Now I just have to figure out how to configure that tunnel.

Using the --target-network XX.XXX.X.0/255.255.254.0
it looks like the connection was established.
ifconfig gives me the following info:
--------------start----------------------------------
tun0      Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.104.6.62  P-t-P:XX.XXX.X.62  Mask:255.255.254.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:532 (532.0 B)  TX bytes:232 (232.0 B)
--------------end----------------------------------

XX.XXX.X.0 : is an IP address similar to what I normally get for my VPN
connection with the last octet at 0
XX.XXX.X.62 : is the IP address I probably got from the tunnel server.

Can anyone provide any help on what else I am missing?


Antonio Borneo | 3 May 05:26 2009

Re: ubuntu 9.04 username/pass authentication

Mike,
why do you need additional settings for the tunnel? What is the issue?
You claim the connection is established, so I expect it should work as is.

By the way, the flag --target-network is not used by the Nortel part of the code.
The only usage of this flag is within the statement
"if (opt_vendor != VENDOR_NORTEL) {...}"

Best Regards,
Antonio Borneo

On Sun, May 3, 2009 at 10:14 AM, Mike Gofman <gofman.mike@...> wrote:
> Ough Wow Antonio.
> It finally worked.
> It established a connection.
> I am so very grateful for your efforts.
> Thank you so much, this is one of the biggest things currently holding me
> back in Windows.
>
> Now I just have to figure out how to configure that tunnel.
>
> Using the --target-network XX.XXX.X.0/255.255.254.0
> it looks like the connection was established.
> ifconfig gives me the following info:
> --------------start----------------------------------
> tun0      Link encap:UNSPEC  HWaddr
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>          inet addr:10.104.6.62  P-t-P:XX.XXX.X.62  Mask:255.255.254.0
>          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
>          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:500
>          RX bytes:532 (532.0 B)  TX bytes:232 (232.0 B)
> --------------end----------------------------------
>
> XX.XXX.X.0 : is an IP address similar to what I normally get for my VPN
> connection with the last octet at 0
> XX.XXX.X.62 : is the IP address I probably got from the tunnel server.
>
> Can anyone provide any help on what else I am missing?
Antonio Borneo | 3 May 06:54 2009

Re: ubuntu 9.04 username/pass authentication

Mike,
DNS should be OK.
Check /etc/resolv.conf, you should have the proper DNS settings in place.

What is still missing in current vpnc-nortel is the default domain.
You can use the full network name (host.domain.com) to query DNS; that should work.

Try also this attached patch to get the default domain info during login.
I was sure I had already posted it, but it seems not.

Best Regards,
Antonio Borneo

On Sun, May 3, 2009 at 12:02 PM, Mike Gofman <gofman.mike@...> wrote:
> Your message made me double-check everything, and you are correct, it
> actually works correctly. I am able to ping and connect to everything as
> you suspected.
> All I am missing is the remote DNS server setup
> and the split tunnel setup.
> I've been seeing a lot of messages regarding that lately.
> Can you direct me to where I should be looking?
> I will also post my findings to the Ubuntu forums and eventually the
> launchpad page.
>
> Thank you again for your help.
> Mike.
Attachment (patch_defdomain.diff): text/x-patch, 1325 bytes