Someone was looking for a Linux client to connect to a Nortel Networks Contivity VPN device over IPsec.
Here is some info.
-------------------------------
The Contivity Extranet Switch (CES) supports third-party IPsec clients as of Version 2.60. The CES has been configured
and tested with Version 1.3 of the Linux FreeS/WAN client. If you are using the FreeS/WAN Linux client, you must
configure the user and the CES as a Branch Office tunnel (not as a remote-access user tunnel).
Linux FreeS/WAN is an implementation of IPsec (Internet Protocol SECurity) and IKE for Linux. IPsec uses strong
cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the
correct sender and have not been altered in transit. Encryption prevents unauthorized reading of packet contents. Linux
FreeS/WAN supports IPsec Main mode, which establishes an ISAKMP security association (SA) in three two-way exchanges
between the initiator and the responder. The two sides exchange Diffie-Hellman public values and then verify each
other's identity; with pre-shared-key authentication that proof is a hash that incorporates the shared secret, so the
secret must be identical on both sides. The FreeS/WAN Linux client must use a static address inside the protected
network, and that address must be the same as the static address configured for the branch office that represents the
user on the CES. The following figure shows a sample FreeS/WAN configuration (the figure is not reproduced here; the
steps below use its addresses, 1.0.0.1 for the Linux client and 2.0.0.1 for the CES):
Configuring the CES as a Branch Office Tunnel
The following steps describe how to configure the CES to terminate a branch office tunnel:
1 Go to the Profiles-->Branch Office screen and click on the Define Branch Office Connection button. The Branch Office-->
Define Connection screen appears:
2 Set the local and remote endpoints to 2.0.0.1 and 1.0.0.1, as shown in the figure of the sample configuration. You must
also be sure that you configure accessible networks on both the CES and client sides.
3 Set the tunnel type to IPSec.
4 Linux FreeS/WAN clients (Version 1.3) can only use pre-shared keys. Click to enable User Name and Password to
authenticate the user identity. The user name is the user's IP address and the password can be any password. The
pre-shared secret entered here must match the secret in the Linux ipsec.secrets file exactly.
5 Go to the Profiles-->Branch Office screen and click on the Edit button, scroll down to the IPSec section and click on
the Configure button. The Branch Office screen appears:
6 Select ESP - Triple DES with MD5 Integrity. (This is the only ESP transform the tested FreeS/WAN release negotiates with
the CES; note that 3DES and MD5 are legacy algorithms and not what you would choose for a new deployment.)
7 Optionally, select AH - Authentication Only (HMAC-SHA1) and/or AH - Authentication Only (HMAC-MD5).
8 Disable VendorID.
9 Set Perfect Forward Secrecy (PFS) to match the pfs= setting on the Linux FreeS/WAN side; if the two sides disagree,
Phase 2 negotiation fails. With PFS enabled, every rekey performs a fresh Diffie-Hellman exchange, so compromise of one
session key (or of the pre-shared secret later on) does not expose the traffic protected by other session keys.
10 In the Rekey Timeout section, enter the maximum lifetime of a single key used to encrypt data. The default is
08:00:00 (8 hours); set it to the same value as keylife= on the Linux side.
11 In the Rekey Data Count section, you can set a Rekey Data Count depending on how much data you expect to transmit
through the tunnel with a single key. The default is 0 Kbytes; a setting of 0 disables this count.
Setting Up Linux FreeS/WAN
To set up your Linux system:
1 Go to the FreeS/WAN Web site at http://www.freeswan.org.
2 Download and untar the Linux FreeS/WAN tar file, which contains source, documentation, and patches for Linux systems,
and recompile the Linux kernel as instructed.
3 On your Linux system, edit the /etc/ipsec.conf and /etc/ipsec.secrets files. The conn section in ipsec.conf would be
similar to the following (parameter lines must be indented, and parameter names contain no spaces):
conn ces
        # left is this Linux host, right is the CES (endpoints from the sample figure)
        type=tunnel
        keyexchange=ike
        authby=secret
        left=1.0.0.1
        leftsubnet=1.0.0.0/24
        leftnexthop=1.0.0.2
        right=2.0.0.1
        rightsubnet=2.0.0.0/24
        rightnexthop=2.0.0.2
        # must match the CES PFS setting
        pfs=no
        # IPsec SA lifetime; matches the CES Rekey Timeout of 8 hours
        keylife=8h
        # load the conn when pluto starts so "ipsec auto --up ces" can find it
        auto=add
The ipsec.secrets file would be similar to the following (both endpoint addresses, a colon, the PSK keyword, and the
secret in double quotes); the file must be owned by root and readable by root only (mode 600):
1.0.0.1 2.0.0.1: PSK "sharedsecret"
4 To bring up the tunnel on the Linux system (after you configure the CES) and establish a security association (SA),
load the connection if it was not loaded at startup and then issue the up command:
ipsec auto --add ces
ipsec auto --up ces
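The Linux side of this procedure is easy to get subtly wrong: the ipsec.secrets line must index exactly the two
addresses used as left= and right=, pfs= must be set explicitly so it can be compared with the CES, and the secrets
file must not be readable by other users. The following shell script, an added example and not part of the Nortel
document or of FreeS/WAN, writes the two files described above into a directory of your choice and checks those three
points before you run ipsec auto --up ces. The function names, the output directory argument and the shared secret
value are assumptions of this example; the addresses and parameters are those of the sample configuration.

```shell
#!/bin/sh
# Added example (not from the Nortel document or the FreeS/WAN project).
# Writes a FreeS/WAN 1.x ipsec.conf / ipsec.secrets pair for the "ces"
# branch-office tunnel and sanity-checks them. Output paths are parameters
# so the script can be run in a scratch directory before copying to /etc.

# gen_ipsec_conf FILE: write the conn section with the sample addresses
gen_ipsec_conf() {
    cat > "$1" <<'EOF'
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn ces
        type=tunnel
        keyexchange=ike
        authby=secret
        left=1.0.0.1
        leftsubnet=1.0.0.0/24
        leftnexthop=1.0.0.2
        right=2.0.0.1
        rightsubnet=2.0.0.0/24
        rightnexthop=2.0.0.2
        pfs=no
        keylife=8h
        auto=add
EOF
}

# gen_ipsec_secrets FILE SECRET: write the PSK line, created mode 600
gen_ipsec_secrets() {
    # umask in a subshell so the restrictive mask applies only to this file
    ( umask 077; printf '1.0.0.1 2.0.0.1: PSK "%s"\n' "$2" > "$1" )
}

# check_pair CONF SECRETS: print each problem found, return 1 if any
check_pair() {
    conf=$1; secrets=$2; rc=0
    left=$(sed -n 's/^[[:space:]]*left=//p' "$conf")
    right=$(sed -n 's/^[[:space:]]*right=//p' "$conf")

    # 1. the PSK entry must be indexed by both tunnel endpoints
    if ! grep -q "^$left $right: PSK " "$secrets"; then
        echo "no PSK entry for $left $right in $secrets"; rc=1
    fi
    # 2. pfs= must be explicit so it can be matched against the CES setting
    if ! grep -q '^[[:space:]]*pfs=' "$conf"; then
        echo "pfs= not set in $conf (must match the CES PFS setting)"; rc=1
    fi
    # 3. keylife= must be present so it can be matched to the CES rekey timeout
    if ! grep -q '^[[:space:]]*keylife=' "$conf"; then
        echo "keylife= not set in $conf"; rc=1
    fi
    # 4. the secrets file must not be group- or world-readable
    case $(ls -l "$secrets" | cut -c5-10) in
        ------) ;;
        *) echo "$secrets is readable by group/others (use chmod 600)"; rc=1 ;;
    esac
    return $rc
}

# Usage: ./ces-tunnel.sh OUTDIR SECRET
if [ $# -eq 2 ]; then
    gen_ipsec_conf "$1/ipsec.conf"
    gen_ipsec_secrets "$1/ipsec.secrets" "$2"
    check_pair "$1/ipsec.conf" "$1/ipsec.secrets" && echo "ok: copy to /etc, then ipsec auto --add ces && ipsec auto --up ces"
fi
```

Run it against a scratch directory first; once check_pair reports no problems, copy the two files to /etc as root and
bring the tunnel up. The checks are deliberately file-level: they catch the mismatches that otherwise only show up as an
opaque Phase 1 or Phase 2 failure against the CES.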