If the nature of IPSec tunnel is dynamic you can replace it with a static tunnel if the Nortel is capable to do it. This means an IPSec tunnel is established automatically when there is "interesting traffic". In some cases the use of MD5 instead of SHA helps to bring up the tunnel. So you can try to use a transform set with MD5. Of course in this case the Nortel's config must be changed also to use MD5 and disable AH. Also you can try to use the IP address of the interface for the identity with the "crypto isakmp identity address" command.