Nortel - Contivity Linux client - VPN - IPSec

Nortel - Contivity Linux client - VPN - IPSec

Post by BJ » Wed, 07 Feb 2001 10:20:29

Someone was looking for a linux client to connect to a Nortel Networks's Contivity VPn device, over IPSec.

Here is some info.


The Contivity Extranet Switch (CES) supports third-party IPsec clients in Version
2.60. The CES has been configured and tested with Version 1.3 of the Linux
FreeS/WAN client. If you are using the FreeS/WAN Linux client, you must configure your user and CES as a Branch Office

Linux FreeS/WAN is an implementation of IPsec (Internet Protocol SECurity) and IKE for Linux. IPsec uses strong cryptography
to provide both authentication and encryption services. Authentication ensures that packets are from the correct sender and
have not been altered in transit. Encryption prevents the unauthorized reading of packet contents. Linux FreeS/WAN supports
IPsec Main mode, which secures an ISAKMP security association (SA) in three two-way exchanges between the initiator and the
recipient. Both exchange public keys and verify each others identity. The FreeS/WAN Linux client must use a static address
inside the protected network that must be the same as the static address configured for the
branch office that represents the user on the CES. The following figure shows a
sample FreeS/WAN configuration:

Configuring the CES as a Branch Office Tunnel
The following steps describe how to configure the CES to terminate a branch office tunnel:

1 Go to the Profiles-->Branch Office screen and click on the Define Branch Office Connection button. The Branch Office-->
Define Connection screen appears:

2 Set the local and remote endpoints to and, as shown in the figure of the sample configuration. You must
also be sure that you configure accessible networks on both the CES and client sides.

3 Set the tunnel type to IPSec.

4 Linux FreeS/WAN clients can only use pre-shared keys (with Version 1.3). Click to enable the User Name and Password to
authenticate the user identity. The user name is the users IP address and the password can be any password. Match the pre-
shared secret with the Linux shared secret.

5 Go the Profiles-->Branch Office screen and click on the Edit button, scroll
down to the IPSec section and click on the Configure button. The Branch Office screen appears:

6 Select ESP - Triple DES with MD5 Integrity.

7 Optionally, select AH- Authentication Only (HMAC-SHA1) and/or AH - Authentication Only (HMAC-MD5).

8 Disable VendorID.

9 Set Perfect Forward Secrecy (PFS) to match the Linux FreeS/WAN side. PFS ensures that if one key is compromised, subsequent
keys will not be compromised.

10 In the Rekey Timeout section, enter the time you want to limit the lifetime of a single key used to encrypt data. The
default is 08:00:00 (8 hours).

11 In the Rekey Data Count section, you can choose to set a Rekey Data Count depending on how much data you expect to
transmit through the tunnel with a single key. The default is 0 Kbytes; a setting of 0 disables this count.

Setting Up Linux FreeS/WAN

To set up your Linux system:

1 Go the FreeS/WAN Web site at

2 Download and untar the Linux FreeS/WAN tar file, which contains source, documentation, and patches for Linux systems, and
recompile the Linux kernel, as instructed.

3 On you Linux system, edit the /etc/ipsec.config and /etc/ipsec.secrets files. The ipsec.config file would be similar to the
conn ces
right nexthop=
right subnet=

The ipsec.secrets file would be similar to the following: sharedsecret

4 To bring up the tunnel on the Linux system (after you configure the CES) and establish a security association (SA), issue
the following command:
ipsec auto -up ces


1. Connecting a Nortel VPN client through OpenBSD (2.9) to Nortel VPN Switch

I am trying to allow a system on my local net (using Nortel Extranet Access
Client) to connect through my OpenBSD Gateway (ver 2.9) to my companies
Nortel VPN Switch. I have been reading a ton on esp, gre, a possible patch
to ipf but nothing seems to work and there are no definitive howto's?

Any suggestions (and please not buy a LinkSys/DLink/NetGEAR home broadband
gateway - I want to do this with my OpenBSD box and it should be possible
either via proxy or passthrough?)

Thanks in advance,

- will

2. Does Solaris 7 x86 supports 64-bit PCI?

3. IPsec, solaris, and nortel contivity switch

4. ** Help witth installing getty_ps **

5. Nortel Extranet VPN client (IPSec) through OpenBSD2.7 w/ ipf and ipnat ??

6. Passive Mode FTP through a firewall fails!

7. Nortel Contivity VPN

8. RIVA128 Xconfigurator Guide

9. VPN: Linux equivalent to Contivity client?

10. Nortel Contivity & Linux

11. Nortel 2600 VPN Switch and IPSEC

12. Contivity VPN Client for Unix v1.2

13. Contivity VPN client behind PF firewall/nat