At work we're currently in a managed office, which means we don't control the network in any way. As a result we're all individually VPNing back to the lab network in the US. Not a great situation, but it does the job while we work out what's happening with our own building and a local lab.

The HQ end is running on a Nortel Contivity. This causes a bit of a problem; I need a working VPN setup in order to work, but the Nortel stuff is non-standard. How to get it going under Linux so I can switch from XP to Debian?

I found 3 options, in order of preference:

vpnc

There's a Nortel branch of vpnc, though it's from an old release (0.3.2). There are some reports of it working OK, and quite a few of problems. vpnc gains points for being entirely Free software. http://ubuntuforums.org/showthread.php?t=441042 has some further details.

Novell VPN client

Novell have a hacked up version of ipsec-tools that adds a framework for different types of IKE (http://forge.novell.com/modules/xfmod/project/?turnpike). They have a novell-nortelplugins package that has a binary plugin supposedly supporting Nortel VPN access. Not quite as nice as vpnc, but it's still userland and does use the kernel's IPSEC stack.

Apani Nortel client

Apani do a commercial Nortel VPN client for Linux, as well as Windows CE/MacOS and Solaris. It's not that up to date (supports up to kernel 2.6.18, though there are patches that get it working on 2.6.22) and involves a binary blob kernel driver, but they do claim to offer support for it and it's where Nortel will point you for single client licenses.

I have, of course, ended up with the (paid for) Apani client. I tried vpnc and the Novell client but couldn't get any degree of success from them. VPN remote ends don't really provide a lot of feedback (which is understandable - it hardly wants to tell me if I'm failing on a username, password, or something entirely different) and I don't have any access to the Contivity device to read its logs. I think the main issue is that my connection has no IPSEC group id or password, and both vpnc and the Novell stuff ask for that. The Apani client is happy with just my username and password, which I think is used for some corruption of xauth.

At some point I'll try fighting vpnc again, but for the moment I have my VPN connection working under Debian and thus I'm back to Debian at work. As an added bonus the reaction of my coworkers has been good - instead of "Why would you want to?" I've had comments like "I wish I'd installed Linux when I started." and "Actually, I might do that myself after Christmas."