[vpnc-devel] Various questions with netscreen
Johan Fischer
jfischer at cmss-systems.com
Mon Sep 10 20:37:34 CEST 2007
>
>> the second question is about the possibility of autodetecting the vendor using
>> the IKE initial received packet.
> ...
>> Looking at ike-scan template file, this payload represent 'Netscreen-15'.
>> So if we parsed that payload, it could set the vendor option to netscreen
>> automatically (shouldn't it?).
>
> Hmm, that would be worth trying at least: We'd need to send all the
> vendor ids from all the supported platforms in the initial packet.
> If all vendors ignore the attributes from other vendors then yes, that's
> a very good idea!
I don't think you even need that much: in my example, that VID payload was
received from the netscreen without sending anything special to it; it was
really the initial IKE packet received by vpnc (trunk r245):
S4.4 AM_packet2
BEGIN_PARSE
Recieved Packet Len: 424
i_cookie: 157b7a96 808663d8
r_cookie: f2cae16e 52da6419
payload: 01 (ISAKMP_PAYLOAD_SA)
isakmp_version: 10
exchange_type: 04 (ISAKMP_EXCHANGE_AGGRESSIVE)
flags: 00
message_id: 00000000
len: 000001a8
PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
next_type: 0d (ISAKMP_PAYLOAD_VID)
length: 0030
sa.doi: 00000001 (ISAKMP_DOI_IPSEC)
sa.situation: 00000001 (ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0024
p.number: 01
p.prot_id: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
p.spi_size: 00
length: 01
p.spi:
PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 001c
t.number: 01
t.id: 01 (ISAKMP_IPSEC_KEY_IKE)
t.attributes.type: 0001 (IKE_ATTRIB_ENC)
t.attributes.u.attr_16: 0007 (IKE_ENC_AES_CBC)
t.attributes.type: 0002 (IKE_ATTRIB_HASH)
t.attributes.u.attr_16: 0002 (IKE_HASH_SHA)
t.attributes.type: 0004 (IKE_ATTRIB_GROUP_DESC)
t.attributes.u.attr_16: 0002 (IKE_GROUP_MODP_1024)
t.attributes.type: 0003 (IKE_ATTRIB_AUTH_METHOD)
t.attributes.u.attr_16: fde9 (IKE_AUTH_XAUTHInitPreShared)
t.attributes.type: 000e (IKE_ATTRIB_KEY_LENGTH)
t.attributes.u.attr_16: 0100
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
DONE PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
DONE PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
PARSING PAYLOAD type: 0d (ISAKMP_PAYLOAD_VID)
next_type: 0d (ISAKMP_PAYLOAD_VID)
length: 0020
ke.data:
166f932d 55eb64d8 e4df4fd3 7e2313f0 d0fd8451 00000000 00000000
(unknown)
DONE PARSING PAYLOAD type: 0d (ISAKMP_PAYLOAD_VID)
At this point, I haven't used the cisco/netscreen vendor option, but I received
vendor info from the VPN end point without asking for it.
As well, trying on our cisco test router, I get:
PARSING PAYLOAD type: 0d (ISAKMP_PAYLOAD_VID)
next_type: 0d (ISAKMP_PAYLOAD_VID)
length: 0014
ke.data: 12f5f28c 457168a9 702d9fe2 74cc0100
(Cisco Unity)
DONE PARSING PAYLOAD type: 0d (ISAKMP_PAYLOAD_VID)
So it seems that a vendor string is always sent to the VPN client in the first
packet (Cisco Unity / Netscreen-15). So we could have the vendor option =
auto|cisco|netscreen, with auto autodetecting the vendor based on that VID.
If that makes sense, I can try to work on a patch...
Cheers.
J.
--
Johan Fischer
Capital Markets Surveillance Services Pty Limited
Level 4, 55 Harrington Street, Sydney NSW 2000
Tel: +61 2 8083 9000 Direct: +61 2 8083 9050
Fax: +61 2 8083 9099 http://www.cmss-systems.com
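As an added example of the autodetection proposed in the message above (this is not code from the e-mail or from vpnc itself): a bounds-checked walk of the IKE payload chain that compares each VID payload body against the two vendor IDs quoted in the debug output. The vendor-ID table holds only those two values; the sample packet builder, its cookies and the Nonce payload placed before the VID are constructed for the demonstration, not captured.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ISAKMP_HDR_LEN = 28, ISAKMP_PAYLOAD_NONCE = 10, ISAKMP_PAYLOAD_VID = 13 };
/* Vendor ID payload bodies exactly as printed in the vpnc debug output above. */
static const uint8_t VID_CISCO_UNITY[16] = { 0x12,0xf5,0xf2,0x8c,0x45,0x71,0x68,0xa9,
                                             0x70,0x2d,0x9f,0xe2,0x74,0xcc,0x01,0x00 };
static const uint8_t VID_NETSCREEN_15[28] = { 0x16,0x6f,0x93,0x2d,0x55,0xeb,0x64,0xd8,
    0xe4,0xdf,0x4f,0xd3,0x7e,0x23,0x13,0xf0,0xd0,0xfd,0x84,0x51 };  /* rest is zero */

/* Walks the payload chain with bounds checks; returns "cisco", "netscreen" or NULL. */
static const char *detect_vendor(const uint8_t *pkt, size_t len)
{
    if (len < ISAKMP_HDR_LEN) return NULL;
    size_t total = (size_t)pkt[24] << 24 | (size_t)pkt[25] << 16 | (size_t)pkt[26] << 8 | pkt[27];
    if (total > len) return NULL;                 /* header claims more than was received */
    size_t off = ISAKMP_HDR_LEN, next = pkt[16];   /* type of the first payload */
    while (next != 0) {
        if (off + 4 > total) return NULL;          /* generic payload header does not fit */
        size_t plen = (size_t)pkt[off + 2] << 8 | pkt[off + 3];
        if (plen < 4 || plen > total - off) return NULL;    /* bogus payload length */
        if (next == ISAKMP_PAYLOAD_VID && plen - 4 == sizeof VID_CISCO_UNITY &&
            !memcmp(pkt + off + 4, VID_CISCO_UNITY, sizeof VID_CISCO_UNITY)) return "cisco";
        if (next == ISAKMP_PAYLOAD_VID && plen - 4 == sizeof VID_NETSCREEN_15 &&
            !memcmp(pkt + off + 4, VID_NETSCREEN_15, sizeof VID_NETSCREEN_15)) return "netscreen";
        next = pkt[off]; off += plen;              /* chain to the following payload */
    }
    return NULL;
}

/* Constructed sample (not a capture): header, 8-byte Nonce payload, one VID payload. */
static const char *detect_sample(const uint8_t *vid, size_t vlen)
{
    uint8_t buf[128] = { 0 };
    size_t total = ISAKMP_HDR_LEN + 12 + 4 + vlen;
    memset(buf, 0xab, 16);                         /* arbitrary initiator/responder cookies */
    buf[16] = ISAKMP_PAYLOAD_NONCE; buf[17] = 0x10; buf[18] = 4;   /* IKEv1.0, aggressive */
    buf[27] = (uint8_t)total; buf[28] = ISAKMP_PAYLOAD_VID; buf[31] = 12;  /* Nonce: next=VID */
    buf[43] = (uint8_t)(4 + vlen);                 /* VID payload: next=NONE, length 4+vlen */
    memcpy(buf + 44, vid, vlen);
    return detect_vendor(buf, total);
}

int main(void)
{
    const char *n = detect_sample(VID_NETSCREEN_15, sizeof VID_NETSCREEN_15);
    const char *c = detect_sample(VID_CISCO_UNITY, sizeof VID_CISCO_UNITY);
    printf("%s %s\n", n ? n : "unknown", c ? c : "unknown");   /* netscreen cisco */
}
```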