VPN - Nortel Contivity Client works without router but not with router.


finite9

2005-11-24, 7:46 am

Hi,

I have the following situation:

I'm trying to connect to my employer's VPN service from home. I have
ADSL with a provider called Bredbandsbolaget (Swedish). When I connect
my stationary computer or my laptop directly to the ADSL modem, the VPN
works fine. When I connect my Linksys router to the modem and then the
stationary PC to the router or the laptop to the router via 802.11g
then the VPN client doesn't work.

I have the following equipment:

no-name ADSL modem looks very much like an Alcatel Speedtouch
Linksys WRT54GX-v2 wireless router/switch/firewall with 2.00.8 firmware
(latest available)
PC with WinXP Pro SP2, windows firewall disabled, Norton AV.
laptop with WinXP Home SP2, windows firewall disabled, McAfee AV.

Nortel Contivity Client 5.01d

I have tried the following suggestions separately and together:

Opened IPSEC passthrough in the router
Opened UDP ports 500, 8000 (needed by employer), 1723
Put the PC on the DMZ (if this fails then it must mean it's not a port
problem right?)
Assigned a static IP to the PC outside of the DHCP range of the router
reflashed the firmware in the router (note that the router works fine
in every other aspect other than using VPN)

For one thing, IPSEC passthrough doesn't seem to work in this router,
because all it should do is open up port 500 UDP, but if I enable this,
then the host name cannot be reached. As soon as I open port 500 UDP
manually, then the host can at least be reached! Also, using port
forwarding does not work either--I have to enable port 500 with port
triggering. I do not understand why this is different, but it doesn't
seem right. I opened a port for FTP and BitTorrent using port
forwarding and these both work fine! Once I open these ports (500 &
8000) then I get past the initial contact stage and then it hangs on a
message saying "Retrieving banner text".

According to a Nortel tech document, this means I have a router
blocking NAT traffic. Unfortunately, they give no real solution--they
just explain all about NAT and ESP/AH etc etc. I have colleagues with
all-in-one ADSL modems/routers that can connect without problems, but I
have not found anyone else who has a separate modem and router. I have
spoken to Linksys support many times and received dumbass suggestions
that have not solved the problem. I am sick of hearing "have you
flashed the router with the latest firmware". Yes, I have. Twice. I
have also tried an old Netgear RP614 router and it has the same issue,
so I suspect it's a problem with NAT not getting through the modem then
router to the PC rather than it being a pure Linksys fault.

If anyone has any advice I would very much appreciate it.

Regards,
Andrew

DigitalVinyl

2005-11-24, 8:46 pm

My first suspicion would be the Linksys WRT54GX-v2. You see I have
this exact router with the same firmware and the box is unreliable as
all hell. I basically have to reboot it once a day. I've already
struggled through Linksys once with no help. I keep hoping the box
dies entirely and I just have a lemon, but it could just be firmware
bugs. Linksys early revs are commonly riddled with bugs.

IPSEC passthrough should be what makes it work. AH/ESP are separate
IP-based protocols. They aren't part of TCP or UDP so you can't
specify port forwarding for protocol 50 & 51. At least one of these will
likely be used by the client. Also some of the communications (port
500 if I recall) can't get NAT'd, it screws it up. You might have to
turn off the firewall functions. I'm using a different brand VPN and
mine works from home fine.


Check on the Nortel Client for a PASS THROUGH option. I think that is
the term they use. Actually on the Nortel Contivity they used to call
it something like NAT TRAVERSAL or TRANSPARENCY. VPN clients usually
have an alternate method to get around routers. However your VPN
profile on the VPN gateway at work must allow NAT traversal. This
solved issues with some home setups in my previous company's Nortel
VPN deployment.



"finite9" <adhenry.9@gmail.com> wrote:

>Hi,
>
>I have the following situation:
>
>I'm trying to connect to my employer's VPN service from home. I have
>ADSL with a provider called Bredbandsbolaget (Swedish). When I connect
>my stationary computer or my laptop directly to the ADSL modem, the VPN
>works fine. When I connect my Linksys router to the modem and then the
>stationary PC to the router or the laptop to the router via 802.11g
>then the VPN client doesn't work.
>
>I have the following equipment:
>
>no-name ADSL modem looks very much like an Alcatel Speedtouch
>Linksys WRT54GX-v2 wireless router/switch/firewall with 2.00.8 firmware
>(latest available)
>PC with WinXP Pro SP2, windows firewall disabled, Norton AV.
>laptop with WinXP Home SP2, windows firewall disabled, McAfee AV.
>
>Nortel Contivity Client 5.01d
>
>I have tried the following suggestions separately and together:
>
>Opened IPSEC passthrough in the router
>Opened UDP ports 500, 8000 (needed by employer), 1723
>Put the PC on the DMZ (if this fails then it must mean it's not a port
>problem right?)
>Assigned a static IP to the PC outside of the DHCP range of the router
>reflashed the firmware in the router (note that the router works fine
>in every other aspect other than using VPN)
>
>For one thing, IPSEC passthrough doesn't seem to work in this router,
>because all it should do is open up port 500 UDP, but if I enable this,
>then the host name cannot be reached. As soon as I open port 500 UDP
>manually, then the host can at least be reached! Also, using port
>forwarding does not work either--I have to enable port 500 with port
>triggering. I do not understand why this is different, but it doesn't
>seem right. I opened a port for FTP and BitTorrent using port
>forwarding and these both work fine! Once I open these ports (500 &
>8000) then I get past the initial contact stage and then it hangs on a
>message saying "Retrieving banner text".
>
>According to a Nortel tech document, this means I have a router
>blocking NAT traffic. Unfortunately, they give no real solution--they
>just explain all about NAT and ESP/AH etc etc. I have colleagues with
>all-in-one ADSL modems/routers that can connect without problems, but I
>have not found anyone else who has a separate modem and router. I have
>spoken to Linksys support many times and received dumbass suggestions
>that have not solved the problem. I am sick of hearing "have you
>flashed the router with the latest firmware". Yes, I have. Twice. I
>have also tried an old Netgear RP614 router and it has the same issue,
>so I suspect it's a problem with NAT not getting through the modem then
>router to the PC rather than it being a pure Linksys fault.
>
>If anyone has any advice I would very much appreciate it.
>
>Regards,
>Andrew


DiGiTAL_ViNYL (no email)
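The point above (ESP and AH are IP protocols 50 and 51, so a TCP/UDP port rule cannot match them) is easy to check on raw packets. The following is an added example, not code from the thread or from Nortel or Linksys: it builds a few constructed IPv4 packets and classifies each one the way a NAT router's port-forwarding logic would see it. It assumes the standard protocol numbers, IKE on UDP 500 and NAT-T UDP encapsulation on UDP 4500 (RFC 3948, where a zero 4-byte marker distinguishes IKE from ESP inside the UDP payload); addresses and payloads are constructed sample values.

```python
import struct

# IANA protocol numbers carried in the IPv4 header "protocol" field.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500          # IKE (UDP/500), NAT-T encapsulation (UDP/4500)

def build_ipv4(proto, payload, src="192.168.1.10", dst="203.0.113.5"):
    """Minimal 20-byte IPv4 header (no options) in front of payload. Constructed sample."""
    def ip2bytes(a):
        return bytes(int(x) for x in a.split("."))
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ip2bytes(src), ip2bytes(dst))
    return hdr + payload

def build_udp(sport, dport, data=b""):
    """UDP header with a zero checksum (legal for IPv4) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Describe how a home NAT router can treat this packet.
    port_rule_ok: a TCP/UDP port-forward or port-trigger rule can match it at all.
    plain_nat:    it survives ordinary address/port rewriting without IPsec passthrough."""
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    body = pkt[(ver_ihl & 0x0F) * 4:]
    dport = None
    if proto in (PROTO_TCP, PROTO_UDP):
        dport = struct.unpack("!HH", body[:4])[1]
    if proto == PROTO_AH:
        # AH integrity-protects the IP header that NAT rewrites: no port, never NAT-safe.
        return {"kind": "AH", "port_rule_ok": False, "plain_nat": False}
    if proto == PROTO_ESP:
        # ESP has an SPI, not ports: needs the router's IPsec passthrough (SPI tracking)
        # or the client/gateway must switch to NAT-T.
        return {"kind": "ESP", "port_rule_ok": False, "plain_nat": False}
    if proto == PROTO_UDP and dport == IKE_PORT:
        return {"kind": "IKE", "port_rule_ok": True, "plain_nat": True}
    if proto == PROTO_UDP and dport == NAT_T_PORT:
        # RFC 3948: a 4-byte zero marker means IKE; otherwise the payload starts with an ESP SPI.
        inner = "IKE over NAT-T" if body[8:12] == b"\x00" * 4 else "ESP over NAT-T"
        return {"kind": inner, "port_rule_ok": True, "plain_nat": True}
    return {"kind": "other", "port_rule_ok": proto in (PROTO_TCP, PROTO_UDP), "plain_nat": True}
```

Running `classify` over an ESP packet returns `port_rule_ok == False`, which is exactly why opening UDP 500 gets the client as far as the IKE exchange and no further; only NAT-T (UDP 4500) or the router's passthrough feature carries the ESP leg.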
finite9

2005-11-25, 5:47 pm

Thanks for the tip about the pass through option in the client! I had
noticed that when viewing the information about the connection, when
connected without the router, then it would say NAT Traversal disabled.
I wasn't sure at the time, if it was just saying that because I wasn't
using NAT or because the option was turned off, thus implying that it
could be manually configured.

The problem is that my client seems to be of the 'locked down' type,
where the company has disabled options--I have no such option in my
client to enable pass through, in fact there are no connection options
at all other than auth. and name server options, but maybe it's worth a
shot getting a pirate copy of the full (open) client to see if the
option exists?

My main problem, and the reason for searching on usenet, is that my
company's IT department point blank refuses to help me fix this
problem because "it works fine without the router" and they "don't
support routers when using VPN". Totally absurd stance if you ask me.
This also means that I cannot get support from Nortel because you need
to go through your account manager: you cannot simply ask for Nortel
support as an end user.

It was interesting what you said about not being able to simply open
port 500 for IPSec. Maybe this explains why I had to use port
triggering, and why it doesn't work as it should even then? If the
IPSec VPN option within the router is not functioning as it should with
this firmware, then what you say implies that I will not get this
working simply by enabling ports in 'port forwarding' due to the NAT
aspect of the connection?

Regards,
Andrew

Simon

2005-11-26, 5:46 pm

finite9 wrote:
> Thanks for the tip about the pass through option in the client! I had
> noticed that when viewing the information about the connection, when
> connected without the router, then it would say NAT Traversal disabled.
> I wasn't sure at the time, if it was just saying that because I wasn't
> using NAT or because the option was turned off, thus implying that it
> could be manually configured.
>
> The problem is that my client seems to be of the 'locked down' type,
> where the company has disabled options--I have no such option in my
> client to enable pass through, in fact there are no connection options
> at all other than auth. and name server options, but maybe it's worth a
> shot getting a pirate copy of the full (open) client to see if the
> option exists?
>
> My main problem, and the reason for searching on usenet, is that my
> company's IT department point blank refuses to help me fix this
> problem because "it works fine without the router" and they "don't
> support routers when using VPN". Totally absurd stance if you ask me.
> This also means that I cannot get support from Nortel because you need
> to go through your account manager: you cannot simply ask for Nortel
> support as an end user.
>
> It was interesting what you said about not being able to simply open
> port 500 for IPSec. Maybe this explains why I had to use port
> triggering, and why it doesn't work as it should even then? If the
> IPSec VPN option within the router is not functioning as it should with
> this firmware, then what you say implies that I will not get this
> working simply by enabling ports in 'port forwarding' due to the NAT
> aspect of the connection?
>
> Regards,
> Andrew
>

Hi,
Sorry I can't help much on this, but that attitude of "it works fine
without the router" and they "don't support routers when using VPN"
seems totally absurd to me. Would they rather people were without the
protection of NAT/routers all the time they don't connect to the office,
then catch something and then connect into the corporate network? Idiots
if you ask me.

Simon
DigitalVinyl

2005-11-26, 5:46 pm

Simon <simon@not-here.com> wrote:

>finite9 wrote:
>Hi,
>Sorry I can't help much on this, but that attitude of "it works fine
>without the router" and they "don't support routers when using VPN"
>seems totally absurd to me. Would they rather people were without the
>protection of NAT/routers all the time they don't connect to the office,
>then catch something and then connect into the corporate network? Idiots
>if you ask me.
>
>Simon


The problem is that most of the cost incurred by corporate VPNs is not
the 10s of thousands spent on VPN gateways nor the $50-$100 per user
license, nor the monthly cost of the internet bandwidth consumed by
VPN usage. It is supporting the desktop user. Flat and simple. User
support for VPN is painful, I've seen these implemented by four
companies and it is still painful. Often requires users dispatched to
individual homes!! Which is a waste of hours, often to resolve basic
issues.

Many corporations now only support VPN on company issued laptops. And
saying you support routers at home means you support every cheap bad
piece of crap the market pumps out. It is a nightmare to even try.

Lastly, PC technicians know as much about networking and routers as
the average person does about surgery. It has nothing to do with
their field of expertise. However, everything bleeds into everything.


The same attitude can be turned around on the consumer/user.
As the user it is YOUR router. NOT theirs. Why don't YOU know how to
make YOUR router work properly. Why does the user get to act the
helpless victim and everyone else must make the router they bought
with the ISP they choose and the PC they bought with software they
installed work with one function of a company's offering.

I've been on both sides of the issue, so I'm familiar with this
situation.
DiGiTAL_ViNYL (no email)
DigitalVinyl

2005-11-26, 5:46 pm

"finite9" <adhenry.9@gmail.com> wrote:

>Thanks for the tip about the pass through option in the client! I had
>noticed that when viewing the information about the connection, when
>connected without the router, then it would say NAT Traversal disabled.
> I wasn't sure at the time, if it was just saying that because I wasn't
>using NAT or because the option was turned off, thus implying that it
>could be manually configured.
>
>The problem is that my client seems to be of the 'locked down' type,
>where the company has disabled options--I have no such option in my
>client to enable pass through, in fact there are no connection options
>at all other than auth. and name server options, but maybe it's worth a
>shot getting a pirate copy of the full (open) client to see if the
>option exists?


The Nortel client is controlled by the gateway you are trying to
attach to. The software isn't locked down by itself. The gateway you
are signing into determines how the client reacts and what you can do.
They have to enable NAT TRAVERSAL for your group's options to permit
the client to even try. It may also require opening firewall ports if
the company runs their Contivity box behind a firewall.

>My main problem, and the reason for searching on usenet, is that my
>company's IT department point blank refuses to help me fix this
>problem because "it works fine without the router" and they "don't
>support routers when using VPN". Totally absurd stance if you ask me.
>This also means that I cannot get support from Nortel because you need
>to go through your account manager: you cannot simply ask for Nortel
>support as an end user.

Well you probably could pay them. Microsoft works the same way.
Microsoft will not support Windows or Office. Whoever you bought it
from must support it. M$ charges a fee to call them.

>It was interesting what you said about not being able to simply open
>port 500 for IPSec. Maybe this explains why I had to use port
>triggering, and why it doesn't work as it should even then? If the
>IPSec VPN option within the router is not functioning as it should with
>this firmware, then what you say implies that I will not get this
>working simply by enabling ports in 'port forwarding' due to the NAT
>aspect of the connection?


Well putting the PC as the DMZ host should have avoided most of it.
However outbound NAT'ing will still screw up some of the protocols
being used.

I would approach Linksys, although my experience with their tech
support has been poor so far. Simply approach it that IPSEC
passthrough doesn't work with Nortel Client. They may have a bug--it
does work with Cisco Client. Also keep watch for new firmware as they
will be sending out updates since the box still has bugs.

DiGiTAL_ViNYL (no email)
DigitalVinyl

2005-11-26, 5:46 pm

You could ask why IT has decided to reduce Contivity compatibility
with home setups by not supporting NAT Traversal.

Nortel developed this feature to make it more compatible with the
ever-increasing presence of NAT'd devices. Cisco supports this type of
technology for the same reason. Compatibility with the wide variety of
setups that exist in home environments.

I don't know of any specific security concerns with NAT-T but I would
guess their lack of support for this option is based upon...

- the guy who set up the Contivity VPN left or was a consultant and
they are afraid to touch the magic box that "VPN"s
- they are running an old software rev on their Contivity and it
doesn't support NAT-T
- they don't understand or even know about NAT traversal; or that
this is a desirable feature that eliminates tech support calls,
especially with mobile users
- they know of some specific bug regarding NAT-T and are shaking in
their boots over it, justified or unjustified
- they need a firewall rule opened for it and they can't figure it
out or the Firewall admin is playing god and pretending it is a big
deal to accomplish
- their change control process is so painful that nobody wants to
schedule public changes unless forced to and they'll only lie and make
small unnoticeable changes illegally


These are basic scenarios that occur in IT shops and impede progress
in general.


DiGiTAL_ViNYL (no email)
finite9

2005-11-29, 7:47 am

I'm really leaning towards 'a fault with the Linksys router' after
reading your comments. I assume that my employer has enabled NAT-T as
there are others who have routers that can connect without problems.
The thing is, that I'm confused over the fact that I used a Netgear
RP614v2 router and that gave the same error. Either NAT isn't working
properly in either router or I've done something wrong somewhere in the
router configuration. It cannot be my PC as it works fine without the
router. I checked the version on the client with others and they have
the same version.

Regards,
Andrew

Copyright 2003 - 2008 webservertalk.com