Koozali.org: home of the SME Server

Nortel Networks VPN Client and SME5 :(

Trevor B

Re: Nortel Networks VPN Client and SME5 :(
« Reply #15 on: March 10, 2002, 11:43:43 AM »
P.S. Don't forget to do the
/sbin/e-smith/signal-event remoteaccess-update

Trevor B wrote:
>
> Hi guys,
>
> I too had the problem until I noticed the deliberate mistake
> in Ritchie's fix (thanks for pointing out the fix Ritchie -
> it was causing me some pain...)
>
> The line
> /sbin/e-smith/db configuration setprop masq ipseq yes
>
> should be
> /sbin/e-smith/db configuration setprop masq ipsec yes
>
> so if you did a cut-and-paste as I did, it didn't work. If
> you set ipsec to yes it is OK (well at least for me - I am
> using V03_70.30 of Nortel's Extranet Client).
>
> Trevor B
> P.S. I have also removed ALL of my custom templates from the
> masq directory.

BEAN

Re: Nortel Networks VPN Client and SME5 :(
« Reply #16 on: March 10, 2002, 03:23:46 PM »
WOW it worked thanks Trevor B.

Dan G.

Re: Nortel Networks VPN Client and SME5 :(
« Reply #17 on: March 10, 2002, 05:34:38 PM »
ooooookkkkkkayyyy....

So, this only leaves the question "are you using 51/ip AH, or not?"  The information is still confusing on this point.

I found one doc, dated sometime in 2000, stating that NAT/IPSec problems were "being fixed" --- so it would seem that two years later it could be fixed.  Then, the Linux IPSec Masq FAQ states clearly that 51/ip still does not work.  I'm inclined to believe this, but I see a lot of mixed info.

At any rate, I'm glad you got it to work.  I have an SME gateway that my wife goes through, using SecureRemote --- but it does not use 51/ip, only 50/ip and 500/udp.  When she got a laptop, it brought up the need for a second passthru connection, but the SME box could not be forced to do that --- so I have another Linux box she uses as a gateway for the second connection.

Would it be possible to put tcpdump on your SME box, and see if it is passing 51/ip, or just 50/ip?  That would be useful information.

Dan

Bryan

Re: Nortel Networks VPN Client and SME5 :(
« Reply #18 on: March 11, 2002, 12:05:06 AM »
That did it!  Trevor, Dan, and Richie - thanks for all of your help!

Ritchie Logan

Re: Nortel Networks VPN Client and SME5 :(
« Reply #19 on: March 11, 2002, 10:24:00 PM »
wow.... praise and I didn't even take part in this discussion!!

Dan.... I know for sure that my Nortel client ONLY uses protocol 50, and UDP 500. I have also had e-smith masqing more than one connection at the same time.

Guys... apologies for the typo!!!!

Ritchie

JD

Re: Nortel Networks VPN Client and SME5 :(
« Reply #20 on: April 12, 2002, 08:04:46 AM »
The AH protocol will fail an IP checksum due to the packet being rewritten by the firewall as the packet gets NAT'd.  If you
are using AH - the VPN tunnel will never be established.

I enabled the ip_masq_ipsec.o module and did not have to
change any of the ipchains to get the EOC to build
and maintain IPSec tunnels (3DES with MD5 - not AH).
Worked well on dialup and now on DSL.

A 486 laptop SME private server supports multiple users, each on their own EOC client PC,
using two 3Com PCMCIA NICs on 486 hardware with 24M.

Added the following to my /etc/rc.local file:

 insmod /lib/modules/2.2.19-7.0.8/ipv4/ip_masq_ipsec.o
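The two questions running through this thread, Dan's (does the tunnel carry protocol 51/AH, or only 50/ESP plus UDP 500?) and JD's (why AH cannot survive a masquerading gateway), can both be shown in a few dozen lines. The following is an added example written for this page, not code from SME Server, e-smith or Nortel: it builds minimal IPv4+AH and IPv4+ESP packets with HMAC-MD5-96 integrity tags, applies the source-address rewrite a masquerading box performs on the way out, and checks which tag still verifies afterwards. The addresses, SPIs and the key are constructed for the demo; a real SA would use the key negotiated over UDP/500.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real SA uses the key negotiated by IKE over UDP/500.
KEY = b"constructed-demo-key"
ICV_LEN = 12  # HMAC-MD5-96 truncates the tag to 96 bits
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over the IP header (0 for a valid header)."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """AH integrity check (RFC 2402): HMAC over the IP header with mutable fields
    zeroed, the AH header with its ICV field zeroed, and the payload.
    Source and destination addresses are immutable, so the tag covers them."""
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    data = bytes(h) + ah_fixed + b"\0" * ICV_LEN + payload
    return hmac.new(KEY, data, hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(src, dst, spi, seq, next_proto, payload):
    # AH fixed part: next header, payload length (AH length in words - 2 = 4), reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", next_proto, 4, 0, spi, seq)
    ip_hdr = build_ipv4(src, dst, PROTO_AH, ah_fixed + b"\0" * ICV_LEN + payload)[:20]
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload


def verify_ah(pkt):
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload))


def build_esp_packet(src, dst, spi, seq, next_proto, payload):
    """ESP (RFC 2406): SPI, sequence, payload, trailer (pad length 0, next header),
    then an ICV over everything after the IP header. The outer IP header is NOT
    covered. The payload is left in the clear; encryption is irrelevant to NAT."""
    body = struct.pack("!II", spi, seq) + payload + bytes([0, next_proto])
    icv = hmac.new(KEY, body, hashlib.md5).digest()[:ICV_LEN]
    return build_ipv4(src, dst, PROTO_ESP, body + icv)


def verify_esp(pkt):
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(KEY, body, hashlib.md5).digest()[:ICV_LEN])


def build_ike_packet(src, dst, payload):
    """UDP/500 datagram (IKE) with an empty UDP checksum, for classification tests."""
    return build_ipv4(src, dst, PROTO_UDP, struct.pack("!HHHH", 500, 500, 8 + len(payload), 0) + payload)


def nat_rewrite_source(pkt, new_src):
    """What a masquerading gateway does on the way out: swap the source address,
    decrement TTL, recompute the header checksum. Nothing after the IP header changes."""
    h = bytearray(pkt[:20])
    h[12:16] = socket.inet_aton(new_src)
    h[8] -= 1
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def classify(pkt):
    """The sort Dan asked tcpdump to do: AH, ESP, IKE (UDP/500) or something else."""
    proto = pkt[9]
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_UDP:
        ihl = (pkt[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if 500 in (sport, dport):
            return "IKE"
    return "other"


if __name__ == "__main__":
    client, gateway, vpn = "192.168.1.10", "198.51.100.2", "203.0.113.5"  # constructed
    ah = build_ah_packet(client, vpn, 0x100, 1, PROTO_UDP, b"constructed payload")
    esp = build_esp_packet(client, vpn, 0x200, 1, PROTO_UDP, b"constructed payload")
    for name, pkt, check in (("AH", ah, verify_ah), ("ESP", esp, verify_esp)):
        print(name, classify(pkt), "before NAT:", check(pkt),
              "after NAT:", check(nat_rewrite_source(pkt, gateway)))
```

AH's tag covers the immutable part of the IP header, source address included, so the masquerading rewrite invalidates it and the far end drops the packet; ESP's tag starts after the IP header, so the gateway only has to recompute the IP checksum, which is why an ESP-with-MD5 tunnel like JD's can be masqueraded once ip_masq_ipsec.o does the per-connection tracking that plain masquerading lacks. On the SME box itself, Dan's check is `tcpdump -n -i eth1 'ip proto 50 or ip proto 51 or udp port 500'` (interface name assumed); `classify()` above performs the same sort on a raw packet.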

Francis

Re: Nortel Networks VPN Client and SME5 :(
« Reply #21 on: April 18, 2002, 05:45:06 PM »
I tried this and the tunnel finally comes up but I cannot access anything on the other side. Did you make any other changes to IPChains from the default install ?

Francis....

JD

Re: Nortel Networks VPN Client and SME5 :(
« Reply #22 on: April 25, 2002, 10:11:30 AM »
No ... the EOC client was able to reach everything
once the IP_MASQ_IPSEC.O file was loaded.

Have you checked the IP address provided by the tunnel and the route table?

The nortel box I connect to does not use 'split tunnels' and the default router is through the tunnel.  I am not able to access anything else except devices on the other side of the tunnel.

I did not have to touch the ipchains.  But you could flush the input chain and change the policy to accept and retry.

>>JD<<