VPNC for Nortel on Mac

From Exterior Memory
This article was written in September 2010, and last updated in February 2012. This article is no longer updated, and may be outdated.

VPNC-Nortel is an alternative for Nortel Contivity Client for the Mac.

Contivity Client

The Netlock/Apani/Nortel Contivity Client for the Mac is a horrible piece of software. It digs very deep into the OS when it sets up a VPN connection: for example, the VPN connection does not even show up in the routing table, so you cannot see which networks are being tunnelled. Also, it crashed my Mac.

Uninstall

Uninstall Apani VPN client on Mac OS X:

sudo rm -rf /System/Library/Extensions/ApaniKernel.kext
sudo rm -rf /etc/netlock
sudo rm -rf /Library/StartupItems/Nleac

Note: this permanently removes Contivity, so first make sure that vpnc works for you, or keep the Contivity installer at hand so you can re-install it if you get stuck for whatever reason.

If you want to try vpnc before you remove the Apani client and/or Cisco Anyconnect, here is how to disable Apani and Cisco Anyconnect:

sudo kextunload /System/Library/Extensions/ApaniKernel.kext
sudo /System/Library/StartupItems/CiscoTUN/CiscoTUN stop

VPNC-Nortel Client

Fortunately, there is an open source alternative that provides the required functionality in a much more robust way. The software is called vpnc, or vpnc-nortel. VPNC stands for VPN Cisco, but since the Nortel VPN protocol is very similar, there is a branch of the vpnc code that supports Nortel VPN gateways too. The Mac is not fully supported by that branch, but a patch (see Download below) takes care of that.

A big thanks to Swapnil Pandit and Antonio Borneo for describing on the vpnc-devel list how to get vpnc-nortel to work on the Mac.

Install Requirements

Requirements:

  1. Mac OS X 10.5, 10.6 or 10.7
  2. gnutls
  3. libgcrypt
  4. libgpg-error (for libgcrypt)
  5. pkg-config (only during installation)
  6. tuntap interface

If you use MacPorts, you can install gnutls, libgcrypt, libgpg-error and pkg-config with:

sudo port install gnutls libgcrypt libgpg-error pkgconfig

You can create tun/tap interfaces with TunTap for OSX.

(It may be possible that you need to reboot for tun/tap to take effect. Check for files /dev/tun0 and /dev/tap0 to see if it is installed.)

If you forget to install the tun/tap interface, you will get this error:

Can't initialise tunnel interface: No such file or directory

Note that the tun kernel extension will NOT load if a previous tun extension (from either the Cisco Anyconnect or the Apani Contivity client) is still installed. So you have to choose which one you want to use. I recommend removing the Cisco and Nortel software and going open source.

Download

Now check out revision 464 of the vpnc-nortel branch (the revision the patch below was made against) and download the patch. Both come in over plain HTTP and the result will run as root, so skim through the patch before applying it:

svn co -r464 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
cd vpnc-nortel
wget -O patch-20110823.diff \
  http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20110823/4aeede62/attachment.obj

Compile

Apply the patch:

patch -p3 < patch-20110823.diff

(You can ignore the error "patch unexpectedly ends in middle of line", but only if the next line says "Hunk #6 succeeded")

Compile:

make

(You can ignore all the gcrypt.h warnings; some function calls have been deprecated, but they still work, and a patch is in the making).

Install

Install:

sudo make install

After that, all that is left to do is to write the configuration file /etc/vpnc/default.conf (see Configure below).

Alternatively, you can install the required files by hand:

sudo cp vpnc vpnc-disconnect /usr/local/sbin/
sudo mkdir /etc/vpnc
sudo cp vpnc-script /etc/vpnc/
sudo chmod a+x /etc/vpnc/vpnc-script

Configure

Create the configuration file /etc/vpnc/default.conf, for example:

Vendor nortel
kernel ipsec
IPSec gateway 192.0.2.8
Local Port 501
IKE Authmode gpassword
IKE DH group dh1
Enable Single DES
IPSec ID my_group_name
IPSec secret my_group_password
Xauth username my_personal_username
Xauth password my_personal_password

(Replace 192.0.2.8, my_group_name, my_group_password, my_personal_username and my_personal_password with the values for your gateway. Only keep the "Enable Single DES" line if the gateway insists on it: DES has a 56-bit key and can be brute-forced, so leave it out if the gateway accepts 3DES or AES.)

You may leave out the lines with passwords. In that case, VPNC will ask for them each time you connect. If you keep the passwords in the file, make sure nobody else can read it, and nobody else can write it either (a writable config lets another local user point you at a different gateway):

sudo chown root /etc/vpnc/default.conf
sudo chmod 600 /etc/vpnc/default.conf

Run

Finally, run the VPN client:

sudo vpnc

To disconnect, run:

sudo vpnc-disconnect
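The checks above (config file readable by root only, no stale vpnc, tun device present) are easy to forget. The following wrapper is an added example, not code from the vpnc project or from this page's author; it assumes the config sits at /etc/vpnc/default.conf, the binaries in /usr/local/sbin, and that vpnc records its pid in /var/run/vpnc/pid (the file vpnc-disconnect reads). The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the vpnc project or this page's author:
# a wrapper that checks the vpnc-nortel config before starting vpnc.
# Assumptions (mine): config at CONF, binaries in /usr/local/sbin, and vpnc's
# pid file at /var/run/vpnc/pid (the one vpnc-disconnect reads).
CONF="${VPNC_CONF:-/etc/vpnc/default.conf}"
VPNC_BIN="${VPNC_BIN:-/usr/local/sbin/vpnc}"
VPNC_DISCONNECT="${VPNC_DISCONNECT:-/usr/local/sbin/vpnc-disconnect}"
PIDFILE=/var/run/vpnc/pid

# 0 if group and other have no permission bits at all (mode 600 or stricter).
# Parses `ls -ld` so the same check runs on Mac OS X and Linux.
conf_mode_is_private() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# 0 if the config stores a secret in clear text (IPSec secret / Xauth password).
conf_has_passwords() {
    grep -Eiq '^[[:space:]]*(IPSec secret|Xauth password)[[:space:]]' "$1"
}

# 0 if single DES is switched on (56-bit key; only acceptable when the
# gateway offers nothing stronger).
conf_enables_single_des() {
    grep -Eiq '^[[:space:]]*Enable Single DES' "$1"
}

# Print findings; return 1 when vpnc must not be started with this file.
preflight() {
    f="$1"
    rc=0
    [ -r "$f" ] || { echo "preflight: cannot read $f" >&2; return 1; }
    if conf_has_passwords "$f" && ! conf_mode_is_private "$f"; then
        echo "preflight: $f holds passwords but is not mode 600; fix with chmod 600" >&2
        rc=1
    fi
    if conf_enables_single_des "$f"; then
        echo "preflight: warning, single DES is enabled in $f" >&2
    fi
    return $rc
}

# 0 if a vpnc started earlier is still alive (its routes would otherwise show
# up as "writing to routing socket: File exists").
vpnc_still_running() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

case "${1:-}" in
    up)
        preflight "$CONF" || exit 1
        vpnc_still_running && { echo "vpnc already running; run '$0 down' first" >&2; exit 1; }
        [ -c /dev/tun0 ] || { echo "/dev/tun0 missing: install the tuntap kext" >&2; exit 1; }
        exec sudo "$VPNC_BIN" "$CONF"
        ;;
    down)
        exec sudo "$VPNC_DISCONNECT"
        ;;
    check)
        preflight "$CONF"
        ;;
esac
```

Save it as, say, vpn.sh and run `./vpn.sh check` after editing the config, `./vpn.sh up` to connect and `./vpn.sh down` to disconnect. The permission check deliberately looks at the mode bits instead of trusting vpnc to complain.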

Troubleshooting

I'm no longer using VPNC as of October 2011. If the hints below do not help, please search the vpnc mailing list and post your questions there.

ESP Error

If you see this error:

Couldn't open socket of ESP. Maybe something registered ESP already.
Please try '--natt-mode force-natt' or disable whatever is using ESP.
socket(PF_INET, SOCK_RAW, IPPROTO_ESP): Protocol wrong type for socket

On Mac OS X, IPsec is built into the kernel, and the kernel does not let a userspace program open a raw socket for ESP (Encapsulating Security Payload); that is the socket() failure in the last line. Instead of handling ESP itself, vpnc must hand the ESP traffic to the kernel. Add the following line to your configuration file:

kernel ipsec

IPSec Error

If you see this error:

vpnc[2939] <Warning>: packet on the tunnel interface while in kernel IPSEC mode. check your security policy!
vpnc[2939] <Error>: esp sendto: Bad file descriptor

Then please let me know. I've heard about it, but don't know the proper solution yet. Did you try:

kernel ipsec

in the configuration file?

Failed writing to socket

If you see this error:

add net 10.138.64.0: gateway 10.138.73.27: File exists
route: writing to routing socket: File exists

The routes vpnc tries to add already exist, which means another vpnc is still running, or an earlier one exited without removing its routes. Try stopping all vpnc clients:

sudo vpnc-disconnect
sudo killall vpnc

Debugging

When vpnc works correctly, the routing table changes roughly as follows.

By default, the routing table looks something like:

% netstat -rn -f inet
Routing tables
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc            6        0     en0
127.0.0.0/8        127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              2    17280     lo0
192.168.1.0/24     link#4             UCS             7        0     en0
192.168.1.76       127.0.0.1          UHS             0        1     lo0

Now run vpnc, which sets a few routes according to the information the VPN server sends us. Note that only the listed 10.138.x networks are routed into the tunnel (a split tunnel; everything else keeps using en0), and that a host route for the VPN gateway 10.138.148.10 via the LAN gateway is added so the tunnel's own packets are not sent into the tunnel:

% sudo ./vpnc
add net 10.138.73.0: gateway 10.138.73.26
add host 10.138.148.10: gateway 192.168.1.1
add net 10.138.64.0: gateway 10.138.73.26
add net 10.138.84.0: gateway 10.138.73.26
add net 10.138.88.0: gateway 10.138.73.26
VPNC started in background (pid: 22334)...

This can be verified in the routing table:

% netstat -rn -f inet
Routing tables
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
127.0.0.0/8        127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              2    17280     lo0
192.168.1.0/24     link#4             UCS             7        0     en0
192.168.1.76       127.0.0.1          UHS             0        1     lo0
10.138.64/20       10.138.73.26       UGSc            0        0    tun0
10.138.73/25       10.138.73.26       UGSc            0        0    tun0
10.138.73.26       10.138.73.26       UH              4        0    tun0
10.138.84/22       10.138.73.26       UGSc            0        0    tun0
10.138.88/21       10.138.73.26       UGSc            0        0    tun0
10.138.148.10      192.168.1.1        UGHS            0        0     en0

To disconnect the tunnel, run:

% sudo ./vpnc-disconnect
Terminating vpnc daemon (pid: 22334)

And now the routing table should look like the first one again (without the tun0 entries).
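Checking the routing table by eye works for one connection; the helpers below, an added example that is not part of the original page or of vpnc, do the same check from the output of netstat -rn -f inet, so you can verify after vpnc-disconnect that no tunnel routes were left behind (the cause of the "File exists" error above) and whether the default route is still on the physical interface. The two sample tables are constructed after the ones shown above, with rows abbreviated; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the vpnc project or this page's author: helpers that
# read `netstat -rn -f inet` output (live or saved) and verify what vpnc did
# to the routing table. Field 6 of each row is the Netif column.

# Print the destination of every route that goes through a tun interface.
tun_routes() {
    awk '$6 ~ /^tun[0-9]+$/ { print $1 }'
}

# Number of such routes: 0 before vpnc starts and again after vpnc-disconnect.
count_tun_routes() {
    tun_routes | wc -l | tr -d ' '
}

# Interface carrying the default route: en0 means only the pushed networks use
# the tunnel (split tunnel, as on this page); tun0 would mean all traffic does.
default_route_iface() {
    awk '$1 == "default" { print $6; exit }'
}

# 0 if the VPN gateway (arg 1) is reached via the physical interface (arg 2):
# the host route vpnc adds so the tunnel's own packets do not loop into tun0.
gateway_host_route_ok() {
    awk -v gw="$1" -v ifc="$2" '$1 == gw && $6 == ifc { found = 1 } END { exit !found }'
}

# Constructed sample tables, modelled on the ones shown above (same addresses,
# rows abbreviated); used for the stand-alone demonstration below.
BEFORE='Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc            6        0     en0
127.0.0.1          127.0.0.1          UH              2    17280     lo0
192.168.1.0/24     link#4             UCS             7        0     en0'
AFTER='Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc            6        0     en0
127.0.0.1          127.0.0.1          UH              2    17280     lo0
192.168.1.0/24     link#4             UCS             7        0     en0
10.138.64/20       10.138.73.26       UGSc            0        0    tun0
10.138.73/25       10.138.73.26       UGSc            0        0    tun0
10.138.73.26       10.138.73.26       UH              4        0    tun0
10.138.84/22       10.138.73.26       UGSc            0        0    tun0
10.138.88/21       10.138.73.26       UGSc            0        0    tun0
10.138.148.10      192.168.1.1        UGHS            0        0     en0'

if [ "${1:-}" = "demo" ]; then
    echo "tunnel routes while connected:"
    printf '%s\n' "$AFTER" | tun_routes
    echo "default route via: $(printf '%s\n' "$AFTER" | default_route_iface)"
    echo "tunnel routes before connecting: $(printf '%s\n' "$BEFORE" | count_tun_routes)"
fi
```

On a live system, `netstat -rn -f inet | count_tun_routes` should print 0 after vpnc-disconnect; anything else means a stale instance or leftover routes, which is exactly the situation that produces "writing to routing socket: File exists" on the next connect.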

Further Reading

Shimo3

Shimo is a commercial VPN client that supports multiple VPN connections, including PPTP, IPsec and OpenVPN. It explicitly supports Nortel VPNC in its release 3.

VPNC on Ubuntu 12

My former colleague Peter Tavenier wrote a how-to for VPNC on Ubuntu 12.04.1 in December 2012.