I finally figured out how to get Ubuntu to connect to a Nortel Contivity VPN. It took quite a while to find the right app and configuration, but after a lot of searching, I’ve found a package called vpnc (vpn client for cisco3000 VPN Concentrator). The project homepage is found here and it is supposed to work with:
* Cisco VPN concentrator 3000 Series
* Cisco IOS routers
* Cisco PIX / ASA Security Appliances
* Juniper/Netscreen
and it supports the following:
Authentications: Hybrid, Pre-Shared-Key + XAUTH, Pre-Shared-Key
IKE DH-Groups: dh1 dh2 dh5
Hash Algo (IKE/IPSEC): md5 sha1
Encryptions (IKE/IPSEC): (null) (1des) 3des aes128 aes192 aes256
Perfect Forward Secrecy: nopfs dh1 dh2 dh5
However, the version we need to work with the Nortel Contivity group authentication is found in the svn repos.
Before we get there, we need to install some dependencies:
1. Install dependencies
sudo apt-get install libcrypt*
sudo apt-get install gnutls-bin
sudo apt-get install libgnutls-dev
sudo apt-get install resolvconf
*** VERY IMPORTANT ***
You will find there are different branches of vpnc client, you need the one from the vpnc-nortel branch as I mentioned above. The branches you’ll find are:
vpnc-0.3.2-hybrid/
vpnc-0.4.0-hybrid/
vpnc-nortel/
vpnc-sonicwall/
There is also a package called vpnc-0.5.3.tar.gz, DON’T get this one either.
The reason you need the vpnc-nortel branch is because it supports these 2 options, which are crucial for this to work:
--auth-mode gpassword --vendor nortel
2. Go to a directory where you’d like to download the app and download the latest vpnc-nortel client from here via svn. The version I currently installed is revision 457. Once the command below is run, a new folder is created called vpnc-nortel:
svn checkout http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel/
3. Install the vpn client:
cd vpnc-nortel
make
sudo make install
4. Run the app. There are 2 ways you can start the vpn:
4.1 Method 1 (Command line):
sudo vpnc --gateway vpn.server.name --id yourgroupid --username yourusername --natt-mode nortel-udp --pfs dh5 --dh dh5 --debug 1 --auth-mode gpassword --vendor nortel
sudo route add default gw 192.168.69.2
sudo route del -net 10.36.0.0 netmask 255.255.248.0 dev tun0
sudo route del -net default netmask 0.0.0.0 dev tun0
sudo route add -net 10.0.0.0 netmask 255.0.0.0 dev tun0
4.2 Method 2 (Config file):
Create the vpn config file called whatevername.conf (obviously you can name the conf file whatever you’d like) in /etc/vpnc/ so you don’t have to type all the above. Also create the file contivity-ip-split-script (also can be called anything you’d like) to configure the network and route, in the same folder /etc/vpnc/.
whatevername.conf
#### whatevername.conf begins here
IPSec gateway vpn.server.name
IPSec ID yourgroupid
IPSec secret yourgrouppassword
Xauth username yourusername
Xauth password yourpassword
#### This is specific to Nortel Contivity Server Config
NAT Traversal Mode nortel-udp
Vendor nortel
Perfect Forward Secrecy dh5
IKE DH Group dh5
IKE Authmode gpassword
Debug 1
Script /etc/vpnc/contivity-ip-split-script
#### end whatevername.conf
Now we create the script that’ll handle the routes. The script is called /etc/vpnc/contivity-ip-split-script. Remember to change the settings in this file to match your needs.
contivity-ip-split-script
#!/bin/sh
# ===== /etc/vpnc/contivity-ip-split-script
add_ip ()
{
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.255
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=32
export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}
add_Csubnet ()
{
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.0
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=24
export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}
add_Bsubnet ()
{
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.0.0
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=16
export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}
add_Asubnet ()
{
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.0.0.0
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=8
export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}
# Initialize empty split tunnel list
export CISCO_SPLIT_INC=0
# Delete DNS info provided by VPN server to use internet DNS
# Comment following line to use DNS beyond VPN tunnel
unset INTERNAL_IP4_DNS
# List of IPs beyond VPN tunnel
# These should be listed in /etc/hosts also...
### Substitute YYY, AAA, BBB ... for meaningful values i.e 10.11.1.48
add_ip 10.11.1.48 #someserver name
#add_ip 10.YYY.YYY.YYY # www server
#add_ip 10.AAA.BBB.CCC # your workstation
#add_ip 10.ZZZ.ZZZ.ZZZ # some other server
# add_Asubnet 10.0.0.0 # full 10.0.0.0 private class A subnet
# add_Bsubnet 10.10.0.0 # eg class B subnet
# add_Csubnet 10.10.10.0 # eg class C subnet
# Execute default script
. /etc/vpnc/vpnc-script
# End of script
5. Now chmod both scripts:
sudo chmod 600 /etc/vpnc/whatevername.conf
sudo chmod 700 /etc/vpnc/contivity-ip-split-script
6. Start up the vpn (obviously only run this if using the config file method; otherwise you’d already have started the vpn in step 4.1). Since we named the config file whatevername.conf, we start the vpn as such:
sudo vpnc whatevername
7. You should be connected now. To disconnect the vpn just do:
sudo vpnc-disconnect
8. If you can’t reach hosts inside the vpn, it might be because you haven’t added them to /etc/hosts, so go ahead and do that and you should be good to go. Congratulations, you’re done.
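The chmod step above matters because whatevername.conf keeps the group secret and Xauth password in clear text, and because vpnc, started with sudo, runs the Script hook as root. The following check is an added example, not part of the original tutorial or the vpnc project; the file name audit-vpnc.sh and the function names are hypothetical, and it assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: audit a vpnc profile and the hook script it names.
# Prints one finding per line; prints nothing when the profile passes.

# Octal permission bits of a file (GNU stat, as shipped on Ubuntu).
mode_of() { stat -c '%a' "$1"; }

audit_vpnc_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "profile not found: $conf"
        return 0
    fi

    # The profile holds "IPSec secret" and "Xauth password" in clear text,
    # so group and other must have no access at all (mode 600 or stricter).
    mode=$(mode_of "$conf")
    if [ $((0$mode & 077)) -ne 0 ]; then
        echo "profile accessible beyond owner: $conf (mode $mode)"
    fi

    # Debug 99 makes vpnc dump authentication data, passwords included.
    if grep -Eq '^Debug[[:space:]]+99[[:space:]]*$' "$conf"; then
        echo "Debug 99 logs credentials: $conf"
    fi

    # vpnc is started with sudo and runs the "Script" hook as root, so a
    # hook that group or other can write to is a root code-execution path.
    hook=$(sed -n 's/^Script[[:space:]][[:space:]]*//p' "$conf" | tail -n 1)
    if [ -n "$hook" ]; then
        if [ ! -f "$hook" ]; then
            echo "hook script not found: $hook"
        else
            hmode=$(mode_of "$hook")
            if [ $((0$hmode & 022)) -ne 0 ]; then
                echo "hook script writable by group/other: $hook (mode $hmode)"
            fi
        fi
    fi
    return 0
}

# Usage: sudo sh audit-vpnc.sh /etc/vpnc/whatevername.conf
for conf in "$@"; do
    audit_vpnc_conf "$conf"
done
```

Leaving the Xauth password line out of the profile makes vpnc prompt for it at connect time, which keeps at least the user password off disk.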
Without the posts below I would not have been able to get this working:
Nortel Group Authentication
vpnc-nortel with group password authentication
vpnc with Nortel Contivity VPN using group auth
Hopefully this tutorial helped you. Thank you for stopping by and please share with others, after all, code should be free.

Hello There. I found your blog using msn. This is an extremely well written article.
I will make sure to bookmark it and come back to read more of your useful information.
Thanks for the post. I’ll definitely come back.
@Del Very nice, thank you so much for the compliments. I’m happy to know you’ve enjoyed it.