VPNC for Nortel on Mac

VPNC-Nortel is an alternative for Nortel Contivity Client for the Mac.

Contivity Client
The Netlock/Apani/Nortel Contivity Client for the Mac is a horrible piece of software. It digs very deep into the OS when it sets up a VPN connection: for example, the VPN connection does not even show up in the routing table. Also, it crashed my Mac.

Uninstall
Uninstall the Apani VPN client on Mac OS X:

sudo rm -rf /System/Library/Extensions/ApaniKernel.kext
sudo rm -rf /etc/netlock
sudo rm -rf /Library/StartupItems/Nleac

Note: this permanently removes Contivity, so be sure that vpnc works for you, or that you can re-install Contivity in case you get stuck for whatever reason.

If you want to try vpnc before you remove the Apani client and/or Cisco Anyconnect, here is how to disable Apani and Cisco Anyconnect:

sudo kextunload /System/Library/Extensions/ApaniKernel.kext
sudo /System/Library/StartupItems/CiscoTUN/CiscoTUN stop

VPNC-Nortel Client
Fortunately, there is an open source alternative that provides the required functionality in a much more robust way. The software is called vpnc, or vpnc-nortel. VPNC stands for VPN Cisco, but since the Nortel VPN is very similar, there is a branch of the vpnc code that supports Nortel VPN too. Unfortunately, the Mac is not fully supported by that branch, but there is a patch for that as well.

A big thanks to Swapnil Pandit and Antonio Borneo for describing on the vpnc-devel list how to get vpnc-nortel to work on the Mac.

Install Requirements
Requirements:
 * 1) Mac OS 10.5, 10.6 or 10.7
 * 2) gnutls
 * 3) libgcrypt
 * 4) libgpg-error (for libgcrypt)
 * 5) pkg-config (only during installation)
 * 6) tuntap interface

If you use MacPorts, you can install gnutls, libgcrypt, libgpg-error and pkg-config with:

sudo port install gnutls libgcrypt libgpg-error pkgconfig

You can create tun/tap interfaces with TunTap for OSX

(You may need to reboot for tun/tap to take effect. Check for the files /dev/tun0 and /dev/tap0 to see whether it is installed.)

If you forget to install the tun/tap interface, you will get this error:
 * Can't initialise tunnel interface: No such file or directory

Note that the tun kernel extension will NOT install if a previous tun extension (from either the Cisco Anyconnect or the Apani Contivity client) is installed. So you have to choose which one you want to use. I recommend removing the Cisco and Nortel software and going open source.

Download
Now download the correct version along with a patch:

svn co -r464 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
cd vpnc-nortel
wget -O patch-20110823.diff \
    http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20110823/4aeede62/attachment.obj

Compile
Apply the patch:

patch -p3 < patch-20110823.diff

(You can ignore the error "patch unexpectedly ends in middle of line", but only if the next line says "Hunk #6 succeeded".)

Compile:

make

(You can ignore all the gcrypt.h warnings; some function calls have been deprecated, but they still work, and a patch is in the making.)

Install
Install:

sudo make install

and all you now have to do is edit the file /etc/vpnc/default.conf.

Alternatively, you can manually install the required files:

sudo cp vpnc vpnc-disconnect /usr/local/sbin/
sudo mkdir /etc/vpnc
sudo cp vpnc-script /etc/vpnc/
sudo chmod a+x /etc/vpnc/vpnc-script

Configure
Create a configuration file /etc/vpnc/default.conf, for example:

Vendor nortel
kernel ipsec
IPSec gateway 192.0.2.8
Local Port 501
IKE Authmode gpassword
IKE DH group dh1
Enable Single DES
IPSec ID my_group_name
IPSec secret my_group_password
Xauth username my_personal_username
Xauth password my_personal_password

(with the placeholder values, i.e. the gateway address and the names starting with my_, replaced with the correct values).

You may leave out the lines with passwords. In that case, vpnc will ask for them each time you connect. If you keep the passwords in the file, make sure no-one else can read the config file:

sudo chown root /etc/vpnc/default.conf
sudo chmod go-r /etc/vpnc/default.conf
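As an added example (not part of this page or of vpnc itself), a small POSIX sh pre-flight check for the config file: it confirms the two settings this page relies on for a Nortel gateway on Mac OS X and, whenever a password is embedded, that the file is not group or world readable. It assumes only sh, grep, ls and cut; the demo config at the end is a constructed copy of the sample above.

```shell
#!/bin/sh
# Added example, not from vpnc: pre-flight check of a vpnc config such as
# /etc/vpnc/default.conf. It verifies the two Nortel-on-Mac settings this page
# depends on and, when a password is embedded, that group/other cannot read it.

# Exit 0 if the file holds an embedded secret (IPSec secret or Xauth password).
vpnc_conf_has_secret() {
    grep -Eiq '^[[:space:]]*(IPSec secret|Xauth password)[[:space:]]' "$1"
}

# Exit 0 if neither group nor other can read the file (parses "ls -l", which
# is portable; stat(1) flags differ between Mac OS X and Linux).
vpnc_conf_is_private() {
    case "$(ls -l "$1" | cut -c1-10)" in
        ????-??-??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Exit 0 if a whole line equal to $1 (case-insensitive, e.g. "kernel ipsec")
# is present in the config file $2.
vpnc_conf_has_line() {
    grep -Eiq "^[[:space:]]*$1[[:space:]]*$" "$2"
}

# Run all checks on $1, print each finding, exit non-zero if any failed.
vpnc_conf_check() {
    f=$1; rc=0
    if ! vpnc_conf_has_line 'Vendor nortel' "$f"; then
        echo "$f: missing 'Vendor nortel'"; rc=1
    fi
    if ! vpnc_conf_has_line 'kernel ipsec' "$f"; then
        echo "$f: missing 'kernel ipsec' (needed on Mac OS X, see ESP Error)"; rc=1
    fi
    if vpnc_conf_has_secret "$f" && ! vpnc_conf_is_private "$f"; then
        echo "$f: embeds a password but is group/world readable; chmod go-r it"; rc=1
    fi
    return $rc
}

# Demo on a constructed copy of the sample config above, first with mode 644.
demo=$(mktemp)
printf '%s\n' 'Vendor nortel' 'kernel ipsec' 'IPSec gateway 192.0.2.8' \
    'IPSec ID my_group_name' 'IPSec secret my_group_password' \
    'Xauth username my_personal_username' 'Xauth password my_personal_password' > "$demo"
chmod 644 "$demo"
if vpnc_conf_check "$demo"; then echo "$demo: ok"; fi
chmod 600 "$demo"
if vpnc_conf_check "$demo"; then echo "$demo: ok after chmod 600"; fi
rm -f "$demo"
```

Run it as sudo sh check.sh against /etc/vpnc/default.conf before the first sudo vpnc; a readable-password finding means the chown/chmod step above was skipped.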

Run
Finally, run the VPN client:

sudo vpnc

To disconnect, run:

sudo vpnc-disconnect

Troubleshooting
I'm no longer using VPNC as of October 2011. If the hints below do not help, please search the vpnc mailing list and post your questions there.

ESP Error
If you see this error:

Couldn't open socket of ESP. Maybe something registered ESP already. Please try '--natt-mode force-natt' or disable whatever is using ESP.
socket(PF_INET, SOCK_RAW, IPPROTO_ESP): Protocol wrong type for socket

This means that Apple does not accept raw ESP (Encapsulating Security Payload) packets. The reason is that IPsec is compiled into the kernel on Mac OS X, so you have to enable the kernel mode for IPsec. Add the following line to your configuration file:

kernel ipsec

IPSec Error
If you see this error:

vpnc[2939] : packet on the tunnel interface while in kernel IPSEC mode. check your security policy!
vpnc[2939] : esp sendto: Bad file descriptor

Then please let me know. I've heard about it, but don't know the proper solution yet. Did you try:

kernel ipsec

in the configuration file?

Failed writing to socket
If you see this error:

add net 10.138.64.0: gateway 10.138.73.27: File exists
route: writing to routing socket: File exists

It seems that another vpnc is still running. Try killing all vpnc clients:

sudo vpnc-disconnect
sudo killall vpnc

Debugging
When vpnc behaves properly, it looks something like this.

By default, the routing table looks something like:

% netstat -rn -f inet
Routing tables

Internet:
Destination       Gateway            Flags        Refs      Use   Netif Expire
default           192.168.1.1        UGSc            6        0     en0
127.0.0.0/8       127.0.0.1          UCS             0        0     lo0
127.0.0.1         127.0.0.1          UH              2    17280     lo0
192.168.1.0/24    link#4             UCS             7        0     en0
192.168.1.76      127.0.0.1          UHS             0        1     lo0

Now run vpnc, which sets a few routes according to the information that the VPN server sends us:

% sudo ./vpnc
add net 10.138.73.0: gateway 10.138.73.26
add host 10.138.148.10: gateway 192.168.1.1
add net 10.138.64.0: gateway 10.138.73.26
add net 10.138.84.0: gateway 10.138.73.26
add net 10.138.88.0: gateway 10.138.73.26
VPNC started in background (pid: 22334)...

This can be verified in the routing table:

% netstat -rn -f inet
Routing tables

Internet:
Destination       Gateway            Flags        Refs      Use   Netif Expire
127.0.0.0/8       127.0.0.1          UCS             0        0     lo0
127.0.0.1         127.0.0.1          UH              2    17280     lo0
192.168.1.0/24    link#4             UCS             7        0     en0
192.168.1.76      127.0.0.1          UHS             0        1     lo0
10.138.64/20      10.138.73.26       UGSc            0        0    tun0
10.138.73/25      10.138.73.26       UGSc            0        0    tun0
10.138.73.26      10.138.73.26       UH              4        0    tun0
10.138.84/22      10.138.73.26       UGSc            0        0    tun0
10.138.88/21      10.138.73.26       UGSc            0        0    tun0
10.138.148.10     192.168.1.1        UGHS            0        0     en0

To disconnect the tunnel, run:

% sudo ./vpnc-disconnect
Terminating vpnc daemon (pid: 22334)

And now the routing table should look like the first one again (without the tun0 entries).
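The same comparison done by a script, as an added example that is not part of this page or of vpnc: it parses the text of netstat -rn -f inet and the "add net ...: gateway ..." lines vpnc printed, assuming the Mac OS X column layout shown above, tun0 as the tunnel interface, and POSIX sh plus awk. The samples at the end are constructed.

```shell
#!/bin/sh
# Added example, not from vpnc: check the routing table the way the Debugging
# section does by eye. Input is the text of "netstat -rn -f inet" and, for the
# last function, the "add net ...: gateway ..." lines vpnc printed.

# Print the destinations whose Netif is the tunnel interface (default tun0).
# Columns are Destination Gateway Flags Refs Use Netif Expire; Expire is
# usually blank, so Netif is the sixth field.
tun_routes() {
    awk -v ifc="${1:-tun0}" 'NF >= 6 && $6 == ifc { print $1 }'
}

# Exit 0 when no tunnel route is left, i.e. vpnc-disconnect cleaned up and no
# stale vpnc (see "Failed writing to socket") still owns routes.
tunnel_is_down() {
    [ "$(tun_routes "${1:-tun0}" | wc -l | tr -d ' ')" -eq 0 ]
}

# Print each "add net X" network from vpnc's output ($1) that has no matching
# tun0 destination in the netstat output ($2). netstat prints networks in
# shortened form (10.138.64.0 with a /20 mask shows as 10.138.64/20), so the
# trailing .0 octets are dropped before comparing.
routes_missing() {
    awk 'FNR == NR { if (NF >= 6 && $6 == "tun0") have[$1] = 1; next }
         /^add net / {
             net = $3; sub(/:$/, "", net)
             while (net ~ /\.0$/) sub(/\.0$/, "", net)
             found = 0
             for (d in have) if (d == net || index(d, net "/") == 1) found = 1
             if (!found) print net
         }' "$2" "$1"
}

# Demo on constructed samples: one pushed route is present, one is not.
nst=$(mktemp); log=$(mktemp)
cat > "$nst" <<'EOF'
Destination       Gateway            Flags        Refs      Use   Netif Expire
default           192.168.1.1        UGSc            6        0     en0
10.138.64/20      10.138.73.26       UGSc            0        0    tun0
10.138.73.26      10.138.73.26       UH              4        0    tun0
EOF
printf 'add net 10.138.64.0: gateway 10.138.73.26\nadd net 10.138.88.0: gateway 10.138.73.26\n' > "$log"
echo "tunnel routes:"; tun_routes tun0 < "$nst"
echo "pushed but missing:"; routes_missing "$log" "$nst"
tunnel_is_down < "$nst" && echo "tunnel down" || echo "tunnel up"
rm -f "$nst" "$log"
```

On a live system, feed it with sudo ./vpnc > vpnc.log and netstat -rn -f inet > routes.txt, then routes_missing vpnc.log routes.txt; after vpnc-disconnect, netstat -rn -f inet | tunnel_is_down should succeed.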

Shimo3
Shimo is a commercial VPN client that supports multiple VPN connections, including PPTP, IPsec and OpenVPN. It explicitly supports Nortel VPNC in its release 3.

VPNC on Ubuntu 12
My former colleague Peter Tavenier wrote a how-to for VPNC on Ubuntu 12.04.1 in December 2012.