Nortel vpn client linux

Nortel Contivity VPN

Howto: Route linux services through VMWARE using split tunneling feature of Nortel Contivity VPN client (NCVPN)

Motivation

The overall goal of this document is to provide instructions on how to route linux services through a vmware virtual windows host connected to the corporate network in a remote situation through ncvpn relying on a nat network interface and exploiting the split tunneling feature of the ncvpn software (Nortel Contivity VPN client).

The specific example of retrieving emails on the corporate imap server imap.corp.com:143 and sending emails through the corporate gateway smtp.corp.com:25 is detailed.

The basic configuration considered is a linux host running a windows virtual machine under vmware with ncvpn installed on the virtual host.

In order to achieve this you need to perform the following steps:

  • install a ssh server with cygwin under windows
  • use ssh to forward ports on the linux host
  • configure vmware on linux host to use the 192.168.128.128 address in nat mode to allow split tunneling under ncvpn
  • operate in nat mode when outside the corporate network (where a bridged ethernet configuration is recommended)
  • allow the firewall (e.g. blackice) to accept ssh connections on the windows virtual host

Note that the method explained in this document can also be applied to the case of a bridged ethernet interface with slight modifications.

Here are some references of interest to understand better the mechanism put in place:

NCVPN configuration

In order to enable split tunneling you often need to reconfigure ncvpn client in order to use a specific authentication (check with your own company settings).

VMWARE configuration

In the default configuration of vmware, the following virtual interfaces vmnet0, vmnet1 and vmnet8 are respectively bridged to eth0, a host-only network on a private subnet and a Nat network on private subnet. All you need to change is to assign the nat virtual interface to subnet 192.168.128.0 through the following command on the linux host:

/opt/vmware/usr/bin/vmware-config.pl

It is possible to do so also by tweaking manually the following files: /etc/vmware/vmnet8/dhcpd/dhcpd.conf and /etc/vmware/vmnet8/nat/nat.conf. Note that it is a mandatory step: if you do not comply, when ncvpn will be activated you won’t have access to your windows virtual host from linux. Reminder: your linux host will have address 192.168.128.1 and the windows virtual host 192.168.128.128 when operating in nat mode. However viewed from the virtual host, the linux host will have address 192.168.128.2.

Blackice firewall settings

For allowing incoming ssh connections you need to enable port 22 connections by entering in the Advanced Firewall Settings/Firewall Rules/Add Firewall Entry tab the following data:

name: ssh IP address: all addresses port: 22 type: TCP mode: accept duration of rule: forever

SSH server installation under CYGWIN

In order to allow port forwarding, we use ssh from cygwin distribution. Follow these steps to install it:

  • install cygwin for openssh support by using [3]
  • synchronize passwords: launch cygwin and then these commands:
mkpasswd -l > /etc/passwd mkgroup -l > /etc/group cd /home mkdir "$USER" passwd "$USER" ssh-keygen -b 1024 -t dsa cd $HOME/.ssh cp id_dsa.pub authorized_keys
  • edit /etc/passwd to make sure that $USER has home dir /home/$USER
  • if $USER and $USERNAME are different variables make sure to have 2 entries in the /etc/passwd with $USER first and $USERNAME second with same password and same home dir
  • create CYGWIN variable: right click on My Computer, Properties, Advanced, Environment Variables, click on New and enter these variables
variable name: CYGWIN variable value: ntsec tty
  • right click on My Computer, Properties, Advanced, Environment Variables, click on New and enter these variables
  • update Path variable: right click on My Computer, Properties, Advanced, Environment Variables, select Path variable and click on Edit and append this at the end of the variable string:
  • configure sshd: under cygwin window issue the following command and answer yes to all the questions except when the script asks you for CYGWIN= where the correct answer isntsec tty
net start sshd cygrunsrv --start sshd
net stop sshd cygrunsrv --stop sshd

Launch the tunnel

This is the end: let’s do the magic. Launching the tunnel is as simple as that:

ssh "$USER"@192.168.128.128 -L 5143:imap.corp.com:143 -L 5025:smtp.corp.com:25 -L 5022:sshhost.corp.com:22

What it does it to forward:

  • imap requests from localhost:5143 to imap.corp.com:143
  • smtp requests from localhost:5025 to smtp.corp.com:25
  • ssh requests from localhost:5022 to sshhost.corp.com:22
Читайте также:  Linux wifi driver rtl8821ce

This solution intentionally uses ports above 1024 to allow a simple user to perform the redirection without requiring root priviledges.

All you need now to do is to set your imap server as localhost:5143 and set your smtp server as localhost:5025. The specific case of mutt and fetchmail are detailed in the next section.

Note that if you want to login to another machine on the corporate network you can still do it directly by issuing (incurring a delay increase in the connection):

ssh $USER@192.168.128.128 -t 'ssh sshhost.corp.com'

Personal additional tricks

The tools I personally use for email purposes are:

  • fetchmail to retrieve emails and procmail as local delivery agent
  • esmtp local email server for forwarding the emails as a replacement of postfix when in vpn mode only since I want to preserve postfix functional at the same time

In order to use the above tunnel with mutt and fetchmail I use the following tricks:

  • tell mutt to use as sendmail command esmtp by specifying in the $HOME/.muttrc file the following line:
set sendmail = /usr/bin/esmtp
  • for enabling imap support under mutt the following options need to be set in the $HOME/.muttrc file:
set imap_user = "$USER" set imap_pass = ". " set spoolfile = set ssl_starttls = no
  • configure fetchmail by editing $HOME/.fetchmailrc.remote and replacing username by your real user name $USER:
set postmaster "username" set no bouncemail set no spambounce poll localhost with proto IMAP port 5143 user 'username' there with password '. ' is 'username' here options fetchall stripcr folder INBOX mda '/usr/bin/procmail -Yf-'
fetchmail -quit cp $HOME/.fetchmailrc.remote $HOME/.fetchmailrc fetchmail

This is all for now, any feedback?

Читайте также:  Postgresql not starting linux

Authors

Marc de Courville and Mohamed Kammoun

Источник

nortel vpn client

есть некий nortel vpn router к которому вендовые юзеры подключаются некой нортеловской проприетарной софтиной под названием nortel vpn client
интересует, не встречал ли кто линуксового клиента кроме как того что у них на сайте лежит триальный, пятый год не обновлявшийся?

наверняка это ipsec и можно заюзать ipsec-tools

не подскажешь документацию для настойки ipsec клиента с аутентификацией об смарткарту?

Там ipsec, параметры активно и успешно exception13 подбирал, тереби.

У меня та же проблема. Есть IP, логин и пароль (ни сертификатов, ни групповых id и пр. нет). Зацепиться не могу :(( В инете тема нортел и люнукс заканчивается 2007 годом, или зацепиться действительно невозможно или очень просто, знать бы только как?

Ну у меня не логин и пароль, а смарткарта + пинкод. Что с картой делать (кроме как втыкать в смарткард-картридер 🙂 покамест хз.

Смотрел KVpnc? Там что-то про смарт карту при настройке IPSEC пробегает

>не подскажешь документацию для настойки ipsec клиента с аутентификацией об смарткарту?
хз. но если там обычный файл сертификата, то всё должно быть реально

>обычный файл сертификата
емнип смарткарты через крипто-апи доступ дают только, это не флэшка.

Источник

Getting Linux talking to a Nortel VPN

At work we’re currently in a managed office, which means we don’t control the network in any way. As a result we’re all individually VPNing back to the lab network in the US. Not a great situation, but it does the job while we work out what’s happening with our own building and a local lab.

The HQ end is running on a Nortel Contivity. This causes a bit of a problem; I need a working VPN setup in order to work, but the Nortel stuff is non standard. How to get it going under Linux so I can switch from XP to Debian?

I found 3 options, in order of preference:

vpnc

There’s a Nortel branch of vpnc, though it’s from an old release (0.3.2). There are some reports of it working ok, and quite a few of problems. vpnc gains points for being entirely Free software. http://ubuntuforums.org/showthread.php?t=441042 has some further details.

Novell VPN client

Novell have a hacked up version of ipsec-tools that adds http://forge.novell.com/modules/xfmod/project/?turnpike, a framework for different types of IKE. They have a novell-nortelplugins package that has a binary plugin supposedly supporting Nortel VPN access. Not quite as nice as vpnc, but it’s still userland and does use the kernel’s IPSEC stack.

Apani Nortel client

Apani do a commerical Nortel VPN client for Linux, as well as Windows CE/MacOS and Solaris. It’s not that up to date (supports up to kernel 2.6.18, though there are patches that get it working on 2.6.22) and involves a binary blob kernel driver, but they do claim to offer support for it and it’s where Nortel will point you for single client licenses.

I have, of course, ended up with the (paid for) Apani client. I tried vpnc and the Novell client but couldn’t get any degree of success from them. VPN remote ends don’t really provide a lot of feedback (which is understandable — it hardly wants to tell me if I’m failing on a username, password, or something entirely different) and I don’t have any access to the Contivity device to read its logs. I think the main issue is that my connection has no IPSEC group id or password, and both vpnc and the Novell stuff ask for that. The Apani client is happy with just my username and password, which I think is used for some corruption of xauth.

Читайте также:  Postgresql сборка astra linux

At some point I’ll try fighting vpnc again, but for the moment I have my VPN connection working under Debian and thus I’m back to Debian at work. As an added bonus the reaction of my coworkers has been good — instead of «Why would you want to?» I’ve had comments like «I wish I’d installed Linux when I started.» and «Actually, I might do that myself after Christmas.»

Noodles’ Emptiness

Источник

Installing Nortel VPNC on Ubuntu

I’m running Ubuntu 12.04.1 wheezy/sid and I needed a way to connect to the office Nortel VPN server. On a Windows machine you normally use Nortel Contivity Client. But this is not available for Linux. There is a nortel branch available of vpnc which you can find here.

The first step is to install svn-buildpackage, use the command below for this. There some extra packages coming with this install, but this is OK.

apt-get install svn-buildpackage

Now you can do a check-out on the SVN repository:

svn co -r517 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel

This downloads the files in a new directory (vpnc-nortel) in the location you are at this moment.

Now it is time to install the vpnc client. go to the vpnc-nortel directory you just downloaded and perform the command:

This should make the compile the files for your OS, but the first time this failed form me with the error message:

root@ubuntu:~/vpnc-nortel# make Package gnutls was not found in the pkg-config search path. Perhaps you should add the directory containing `gnutls.pc' to the PKG_CONFIG_PATH environment variable No package 'gnutls' found .

To solve this issue you should first install libgnutls-dev:

apt-get install libgnutls-dev

The make install should give an output like this:

root@ubuntu:~/vpnc-nortel# make install install -d /etc/vpnc /usr/local/bin /usr/local/sbin /usr/local/share/man/man1 /usr/local/share/man/man8 /usr/local/share/doc/vpnc if [ "`uname -s | cut -c-6`" = "CYGWIN" ]; then \ install vpnc-script-win /etc/vpnc/vpnc-script; \ install vpnc-script-win.js /etc/vpnc; \ else \ install vpnc-script /etc/vpnc; \ fi install -m600 vpnc.conf /etc/vpnc/default.conf install -m755 vpnc-disconnect /usr/local/sbin install -m755 pcf2vpnc /usr/local/bin install -m644 vpnc.8 /usr/local/share/man/man8 install -m644 pcf2vpnc.1 /usr/local/share/man/man1 install -m644 cisco-decrypt.1 /usr/local/share/man/man1 install -m644 COPYING /usr/local/share/doc/vpnc install -m755 vpnc /usr/local/sbin install -m755 cisco-decrypt /usr/local/bin

The last thing to do is to edit the configuration file to the settings of your company. In my case this configuration file (/etc/vpnc/default.conf) looks like:

IPSec gateway IPSec ID IPSec secret Xauth username Vendor nortel IKE Authmode gpassword Enable Single DES IKE DH Group dh1

Now your ready!
To start vpnc perfrom:

Источник

Оцените статью
Adblock
detector