Nortel VPN Router

From royhills
Jump to: navigation, search

Platform Notes

The Nortel VPN router uses a proprietary operating system that runs on proprietary hardware. The operating system is based on VxWorks, and the hardware is based on an Intel CPU with a PC motherboard.

The Nortel VPN router was previously known as Nortel Contivity. It was originally a Bay Networks product, called Bay Networks Enterprise Switch. This Bay Networks name can still be seen in the Vendor ID that starts with the letters BNES.

Version History

Version Release Date Notes
V04_85
V04_90
V05_00
V05_05
V06_00
V06_05

Backoff Patterns

The Nortel VPN router has the four-packet backoff pattern:

0, 16, 16, 16

This backoff pattern is the same for all software versions that I have tested. Below is an example from a Contivity 1600 running software version V06_00.310:

$ ike-scan -M --showbackoff 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=0af98bad8d200783)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)

IKE Backoff Patterns:

IP Address      No.     Recv time               Delta Time
192.168.124.152 1       1171799005.325513       0.000000
192.168.124.152 2       1171799021.346876       16.021363
192.168.124.152 3       1171799037.380750       16.033874
192.168.124.152 4       1171799053.414670       16.033920
192.168.124.152 Implementation guess: Nortel Contivity

Vendor IDs

The Nortel VPN router doesn't send any Vendor IDs in Main Mode unless the initiator sends a Vendor ID packet. It doesn't matter what VID the initiator sends; it just has to send something.

Below is an example showing this behaviour:

$ ike-scan -M 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=a9516e7f6f5340c8)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)
$ ike-scan -M --vendor=00 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=2aca7e13cf8ee7e9)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=424e45530000000a (Nortel Contivity)

If the initiator sends a main mode request with a Vendor ID payload, the Nortel VPN router will respond with the Nortel Contivity Vendor ID. This consists of the string BNES (hex 424e4553) followed by a 32-bit big-endian value. BNES stands for Bay Networks Enterprise Switch, which gives an insight to the legacy of this product. The 32-bit value appears to be a version number, but I do not know the exact mapping. I have observed values 00000004, 00000005, 00000007, 00000009 and 0000000a.

Authentication Methods

The Nortel VPN router supports Pre-Shared Key and RSA Signature authentication methods. By default, both of these methods are enabled.

The examples below show a Nortel VPN router running software version V06_05.135 responding to Pre-Shared Key and RSA Signature authentication methods.

$ ike-scan -M --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=9c80d5553c1764cc)
        SA=(Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)
$ ike-scan -M --trans=1,2,3,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=6f4b867e0288bf3f)
        SA=(Enc=DES Hash=SHA1 Auth=RSA_Sig Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)

ISAKMP SA Lifetime

Lifetime in Seconds

The Nortel VPN router allows no lifetime in seconds, or any non-zero value from 1 to the maximum that can be represented in 4 bytes. It does not allow a value of zero or a variable length attribute with a value length greater than four bytes, in both cases it will return NO-PROPOSAL-CHOSEN.

$ ike-scan -M --lifetime=none --trans=1,2,1,1 192.168.124.152    Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=dfbf6c7a2f54467d)
        SA=(Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768)
$ ike-scan -M --lifetime=0 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=fe076896a7e24094)
$ ike-scan -M --lifetime=1 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=e7678a9a9e66d143)
        SA=(Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00000001)
$ ike-scan -M --lifetime=0xffffffff --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=f3444d274ccff275)
        SA=(Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0xffffffff)
$ ike-scan -M --lifetime=0x0000000000000001 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=a8a5feba533c004d)

Lifetime in Kilobytes

The Nortel VPN router does not support a lifetime in kilobytes for the ISAKMP SA, and always returns NO-PROPOSAL-CHOSEN if one is specified.

$ ike-scan -M --lifetime=none --lifesize=0 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=2d5d0747f3b68bd2)
$ ike-scan -M --lifetime=none --lifesize=1 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=459aab1087c26c35)
$ ike-scan -M --lifetime=none --lifesize=1000 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=60aafe6517f85fb5)
$ ike-scan -M --lifetime=none --lifesize=0xffffffff --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=4bdd62eff10118f4)

Transform Attribute ordering and re-writing

Nortel Contivity generally returns the transform attributes in the order that they are supplied by the initiator.

In the example below, we specify the four mandatory transform attributes in order Enc, Hash, Auth, Group and then in reverse order Group, Auth, Hash, Enc, and observe that in both cases the target returns the attributes in the same order as the initiator specified them.

$ ike-scan -M --trans="(1=1,2=2,3=1,4=1)" 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=14395bb3dc072aed)
        SA=(Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768)
$ ike-scan -M --trans="(4=1,3=1,2=2,1=1)" 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=f4617f8492037abf)
        SA=(Group=1:modp768 Auth=PSK Hash=SHA1 Enc=DES)

Here is another example, this time including a lifetime in seconds. Again, the attributes are returned in the same order that the initiator sent them.

$ ike-scan -M --trans="(11=1,12=12345,4=1,3=1,2=2,1=1)" 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=fdb0408c7d573059)
        SA=(LifeType=Seconds LifeDuration=12345 Group=1:modp768 Auth=PSK Hash=SHA1 Enc=DES)

Aggressive Mode

The Nortel VPN router supports IKE aggressive mode.

Here is a simple aggressive mode response, with no client ID specified.

$ ike-scan -A -M --trans=1,2,1,1 --dhgroup=1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Aggressive Mode Handshake returned
        HDR=(CKY-R=98e1ce1a384b510c)
        SA=(Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)
        KeyExchange(96 bytes)
        Nonce(20 bytes)
        ID(Type=ID_IPV4_ADDR, Value=192.168.124.152)
        Hash(20 bytes)

Response to Noncompliant and Malformed Packets

The examples below are from software version 6.05

No acceptable transforms

$ ike-scan -M --trans=2,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=249165333597ad6b)

Bad IKE version

$ ike-scan -M --trans=1,2,1,1 --headerver=0x30 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 5 (INVALID-MAJOR-VERSION)
        HDR=(CKY-R=37cd960d926d266f)
$ ike-scan -M --trans=1,2,1,1 --headerver=0x11 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 6 (INVALID-MINOR-VERSION)
        HDR=(CKY-R=7f73b228982e696c)

Invalid DOI

$ ike-scan -M --doi=2 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 2 (DOI-NOT-SUPPORTED)
        HDR=(CKY-R=8950c773a1379ce5)

Invalid Situation

$ ike-scan -M --situation=2 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 3 (SITUATION-NOT-SUPPORTED)
        HDR=(CKY-R=64112f25a9e9b475)

Invalid Initiator Cookie

Nortel VPN router ignores an invalid cookie, or perhaps it considers a zero initiator cookie as valid.

$ ike-scan -M --cookie=0000000000000000 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=f5fa02b7ec7d2ded)
        SA=(Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)

Invalid Flags

Strangely, Nortel VPN router reports INVALID-COOKIE rather than INVALID-FLAGS.

$ ike-scan -M --hdrflags=255 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 4 (INVALID-COOKIE)
        HDR=(CKY-R=8d8fadb5c075528b)

Invalid Protocol

Nortel VPN router reports NO-PROPOSAL-CHOSEN rather than INVALID-PROTOCOL-ID.

$ ike-scan -M --protocol=2 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=23c56761f7369896)

Invalid SPI

$ ike-scan -M --spisize=32 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=28717ef5119e1c3c)
        SA=(Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)

Non-Zero Reserved Fields

$ ike-scan -M --mbz=255 --trans=1,2,1,1 192.168.124.152
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.152 Main Mode Handshake returned
        HDR=(CKY-R=d7488c1ec9313143)
        SA=(Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)

NAT Traversal

The Nortel VPN router supports NAT Traversal. There are three settings:

  • NAT Traversal enabled or disabled (default is disabled)
  • Disable Client IKE Source Port Switching (default is not selected)
  • UDP port (no default, Nortel recommend port 10001)

I have not been able to get the Nortel VPN router to respond to ike-scan with NAT Traversal.

The command line entries that control NAT traversal are:

ipsec nat-traversal port 4500
no ipsec nat-traversal
ipsec nat-traversal client-ike-source-port-switching enable

IVEv2

The Nortel VPN Router does not support IKEv2 as of software version 6_05.

Remote Access VPN Client

Nortel VPN Client V06_01.014

The Nortel VPN Router uses the Nortel VPN Client. The screenshot on the right shows version V06_01.014 of this client.

The table below shows the transforms offered by the Nortel client using username/password authentication without an initial group authentication. With this authentication scheme, the client uses IKE Aggressive Mode.

No. Encryption Hash Authentication DH Group Other attributes
1 AES/256 SHA1 PSK 8 (EC2N 283) 32767=26
2 AES/128 SHA1 PSK 8 (EC2N 283) 32767=26

Note the use of the elliptic curve Diffie-Hellman group 8, and the use of the proprietary transform attribute 32767 with value 26.

Other Interesting Behaviour

Default Configuration

Nortel VPN Router v06_00 Default IKE Phase-1 Authentication Methods
Nortel VPN Router v06_00 Default IKE Phase-1 Encryption Algorithms and DH Groups

The screenshot on the right shows the default settings in the web-based GUI, and the config file excerpt below shows the default settings in command-line mode.

ipsec authentication local username-password
ipsec authentication local rsa-sig
ipsec authentication radius axent-defender
ipsec authentication radius dynamic-securid
ipsec authentication radius username-password
ipsec encryption ike des56-group1
ipsec encryption ike 3des-group2
ipsec encryption ike 3des-group7
ipsec encryption ike 128aes-group5
ipsec encryption ike 128aes-group8
no ipsec encryption ike 128aes-group2
no ipsec encryption ike 256aes-group8
no ipsec encryption ike 256aes-group5

Note that the Weak DES with DH Group 1 is offered by default.

Also note that the ECC Diffie-Hellman groups 7 and 8 are supported, and are enabled by default in some transforms.

Discovered Vulnerabilities