Posted by DigitalVinyl on November 24, 2005, 6:54 pm

this exact router with the same firmware and the box is unreliable as all hell. I basically have to reboot it once a day. I've already struggled through Linksys once with no help. I keep hoping the box dies entirely and I just have a lemon, but it could just be firmware bugs. Linksys early revs are commonly riddled with bugs.

IPSEC passthrough should be what makes it work. AH/ESP are separate IP-based protocols. They aren't part of TCP or UDP, so you can't specify port forwarding for protocols 50 & 51. At least one of these will likely be used by the client. Also some of the communications (port 500 if I recall) can't get NAT'd; it screws it up. You might have to turn off the firewall functions. I'm using a different brand VPN and mine works from home fine.

Check on the Nortel Client for a PASS THROUGH option. I think that is the term they use. Actually on the Nortel Contivity they used to call it something like NAT TRAVERSAL or TRANSPARENCY. VPN clients usually have an alternate method to get around routers. However your VPN profile on the VPN gateway at work must allow NAT traversal. This solved issues with some home setups in my previous company's Nortel VPN deployment.

DiGiTAL_ViNYL (no email)
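The point made above, that ESP and AH (IP protocols 50 and 51) carry no port numbers and so cannot be "port forwarded" by a home router, while NAT traversal wraps the same ESP in UDP/4500 so a NAT can map it, as an added example that is not part of the thread. It is a toy Python model of a port-based NAPT router; the addresses, SPIs and payloads are constructed, and the router has no ESP helper (real "IPsec passthrough" firmware adds SPI tracking, which this model leaves out on purpose to show what plain NAT can and cannot do):

```python
"""Toy model of why a port-based home NAT breaks raw IPsec (ESP/AH) but not NAT-T.

Added example, not code from the thread. Addresses, SPIs and payloads are
constructed; the NAT is a plain NAPT with no ESP helper (real "IPsec
passthrough" firmware adds SPI tracking, which this model deliberately omits).
"""
import struct
from dataclasses import dataclass, replace
from typing import Optional

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500  # IKE (RFC 2409) and NAT-T (RFC 3947/3948)

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Minimal IPv4 header: no options, checksum left at zero (toy model).
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    # ESP carries only SPI + sequence number in the clear: there are no port fields.
    return struct.pack("!II", spi, seq) + ciphertext

@dataclass
class Parsed:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    kind: str = "other"

def parse(pkt: bytes) -> Parsed:
    """Extract what a NAT box looks at: addresses, protocol and (if any) ports."""
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    body = pkt[(pkt[0] & 0x0F) * 4:]
    if proto in (IPPROTO_ESP, IPPROTO_AH):
        return Parsed(src, dst, proto, kind="esp" if proto == IPPROTO_ESP else "ah")
    if proto != IPPROTO_UDP:
        return Parsed(src, dst, proto)
    sport, dport = struct.unpack("!HH", body[:4])
    payload = body[8:]
    if IKE_PORT in (sport, dport):
        kind = "ike"
    elif NAT_T_PORT in (sport, dport):
        # RFC 3948: on UDP/4500 a four-zero-byte "non-ESP marker" means IKE, else ESP.
        kind = "ike-in-udp" if payload[:4] == b"\x00\x00\x00\x00" else "esp-in-udp"
    else:
        kind = "udp"
    return Parsed(src, dst, proto, sport, dport, kind)

class PortNat:
    """NAPT router: its only state is keyed on transport ports, so a packet
    without ports (ESP, AH) can be neither translated nor 'port forwarded'."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}  # (proto, public port) -> (private IP, private port)

    def outbound(self, p: Parsed) -> Optional[Parsed]:
        if p.sport is None:
            return None  # nothing to rewrite or remember
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(p.proto, pub_port)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=pub_port)

    def inbound(self, p: Parsed) -> Optional[Parsed]:
        if p.dport is None:
            return None  # no port to look up; a static forward fails the same way
        entry = self.table.get((p.proto, p.dport))
        if entry is None:
            return None
        return replace(p, dst=entry[0], dport=entry[1])

def run_demo() -> dict:
    """Push IKE, raw ESP and ESP-in-UDP through the NAT and record what survives."""
    nat = PortNat("203.0.113.7")                  # constructed public address
    pc, gw = "192.168.1.10", "198.51.100.20"     # constructed: home PC, office gateway
    esp_out, esp_in = build_esp(0x1000, 1, b"ct"), build_esp(0x2000, 1, b"ct")

    def udp_roundtrip(port, payload_out, payload_in):
        out = nat.outbound(parse(build_ipv4(pc, gw, IPPROTO_UDP, build_udp(port, port, payload_out))))
        back = parse(build_ipv4(gw, nat.public_ip, IPPROTO_UDP, build_udp(port, out.sport, payload_in)))
        hit = nat.inbound(back)
        return out.kind, (hit.dst, hit.dport, hit.kind)

    r = {}
    # 1. IKE on UDP/500 has ports, so both directions translate.
    r["ike"], r["ike_reply_to"] = udp_roundtrip(IKE_PORT, b"SA", b"SA")
    # 2. Raw ESP (IP protocol 50): no ports, so neither direction can be mapped.
    r["esp"] = nat.outbound(parse(build_ipv4(pc, gw, IPPROTO_ESP, esp_out)))
    r["esp_reply"] = nat.inbound(parse(build_ipv4(gw, nat.public_ip, IPPROTO_ESP, esp_in)))
    # 3. The same ESP inside UDP/4500 (NAT-T) has ports again and round-trips.
    r["natt"], r["natt_reply_to"] = udp_roundtrip(NAT_T_PORT, esp_out, esp_in)
    return r

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:14} {value}")
```

Running it shows the IKE and NAT-T packets coming back to the private PC while both raw ESP packets are dropped, which is the "gets past the initial contact stage and then hangs" symptom: IKE on UDP/500 succeeds, the ESP that follows does not. As the thread says, NAT-T only helps if both the client and the gateway profile allow it; a router's IPsec passthrough feature works around the same problem by tracking SPIs instead of ports, usually for one tunnel at a time.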
Posted by finite9 on November 25, 2005, 9:31 am

Thanks for the tip about the pass through option in the client! I had noticed that when viewing the information about the connection, when connected without the router, then it would say NAT Traversal disabled. I wasn't sure at the time if it was just saying that because I wasn't using NAT or because the option was turned off, thus implying that it could be manually configured.

The problem is that my client seems to be of the 'locked down' type, where the company has disabled options--I have no such option in my client to enable pass through, in fact there are no connection options at all other than auth. and name server options, but maybe it's worth a shot getting a pirate copy of the full (open) client to see if the option exists?

My main problem, and the reason for searching on usenet, is that my company's IT department point blank refuses to help me fix this problem because "it works fine without the router" and they "don't support routers when using VPN". Totally absurd stance if you ask me. This also means that I cannot get support from Nortel because you need to go through your account manager: you cannot simply ask for Nortel support as an end user.

It was interesting what you said about not being able to simply open port 500 for IPSec. Maybe this explains why I had to use port triggering, and why it doesn't work as it should even then? If the IPSec VPN option within the router is not functioning as it should with this firmware, then what you say implies that I will not get this working simply by enabling ports in 'port forwarding' due to the NAT aspect of the connection?

Regards,
Andrew
Posted by Simon on November 26, 2005, 9:46 am

finite9 wrote:
> Thanks for the tip about the pass through option in the client! I had
> noticed that when viewing the information about the connection, when
> connected without the router, then it would say NAT Traversal disabled.
> I wasn't sure at the time, if it was just saying that because I wasn't
> using NAT or because the option was turned off, thus implying that it
> could be manually configured.
>
> The problem is that my client seems to be of the 'locked down' type,
> where the company has disabled options--I have no such option in my
> client to enable pass through, in fact there are no connection options
> at all other than auth. and name server options, but maybe it's worth a
> shot getting a pirate copy of the full (open) client to see if the
> option exists?
>
> My main problem, and the reason for searching on usenet, is that my
> company's IT department point blank refuses to help me fix this
> problem because "it works fine without the router" and they "don't
> support routers when using VPN". Totally absurd stance if you ask me.
> This also means that I cannot get support from Nortel because you need
> to go through your account manager: you cannot simply ask for Nortel
> support as an end user.
>
> It was interesting what you said about not being able to simply open
> port 500 for IPSec. Maybe this explains why I had to use port
> triggering, and why it doesn't work as it should even then? If the
> IPSec VPN option within the router is not functioning as it should with
> this firmware, then what you say implies that I will not get this
> working simply by enabling ports in 'port forwarding' due to the NAT
> aspect of the connection?
>
> Regards,
> Andrew
>

Hi,

Sorry I can't help much on this, but that attitude of "it works fine without the router" and they "don't support routers when using VPN" seems totally absurd to me. Would they rather people were without the protection of NAT/routers all the time they don't connect to the office, then catch something and then connect into the corporate network? Idiots if you ask me.

Simon
Posted by DigitalVinyl on November 26, 2005, 11:29 am

>finite9 wrote:
>> Thanks for the tip about the pass through option in the client! I had
>> noticed that when viewing the information about the connection, when
>> connected without the router, then it would say NAT Traversal disabled.
>> I wasn't sure at the time, if it was just saying that because I wasn't
>> using NAT or because the option was turned off, thus implying that it
>> could be manually configured.
>>
>> The problem is that my client seems to be of the 'locked down' type,
>> where the company has disabled options--I have no such option in my
>> client to enable pass through, in fact there are no connection options
>> at all other than auth. and name server options, but maybe it's worth a
>> shot getting a pirate copy of the full (open) client to see if the
>> option exists?
>>
>> My main problem, and the reason for searching on usenet, is that my
>> company's IT department point blank refuses to help me fix this
>> problem because "it works fine without the router" and they "don't
>> support routers when using VPN". Totally absurd stance if you ask me.
>> This also means that I cannot get support from Nortel because you need
>> to go through your account manager: you cannot simply ask for Nortel
>> support as an end user.
>>
>> It was interesting what you said about not being able to simply open
>> port 500 for IPSec. Maybe this explains why I had to use port
>> triggering, and why it doesn't work as it should even then? If the
>> IPSec VPN option within the router is not functioning as it should with
>> this firmware, then what you say implies that I will not get this
>> working simply by enabling ports in 'port forwarding' due to the NAT
>> aspect of the connection?
>>
>> Regards,
>> Andrew
>>
>Hi,
>
>Sorry I can't help much on this, but that attitude of "it works fine
>without the router" and they "don't support routers when using VPN"
>seems totally absurd to me. Would they rather people were without the
>protection of NAT/routers all the time they don't connect to the office,
>then catch something and then connect into the corporate network?
>Idiots if you ask me.
>
>Simon

The problem is that most of the cost incurred by corporate VPNs is not the 10s of thousands spent on VPN gateways, nor the $50-$100 per user license, nor the monthly cost of the internet bandwidth consumed by VPN usage. It is supporting the desktop user. Flat and simple. User support for VPN is painful; I've seen these implemented by four companies and it is still painful. Often requires users dispatched to individual homes!! Which is a waste of hours, often to resolve basic issues. Many corporations now only support VPN on company-issued laptops. And saying you support routers at home means you support every cheap bad piece of crap the market pumps out. It is a nightmare to even try. Lastly, PC technicians know as much about networking and routers as the average person does about surgery. It has nothing to do with their field of expertise. However, everything bleeds into everything.

The same attitude can be turned around on the consumer/user. As the user it is YOUR router. NOT theirs. Why don't YOU know how to make YOUR router work properly? Why does the user get to act the helpless victim and everyone else must make the router they bought with the ISP they chose and the PC they bought with software they installed work with one function of a company's offering? I've been on both sides of the issue, so I'm familiar with this situation.

DiGiTAL_ViNYL (no email)
Posted by DigitalVinyl on November 26, 2005, 12:21 pm

You could ask why IT has decided to reduce Contivity compatibility with home setups by not supporting NAT Traversal. Nortel developed this feature to make it more compatible with the ever-increasing presence of NAT'd devices. Cisco supports this type of technology for the same reason: compatibility with the wide variety of setups that exist in home environments. I don't know of any specific security concerns with NAT-T, but I would guess their lack of support for this option is based upon...

- the guy who set up the Contivity VPN left or was a consultant and they are afraid to touch the magic box that "VPN"s
- they are running an old software rev on their Contivity and it doesn't support NAT-T
- they don't understand or even know about NAT traversal, or that this is a desirable feature that eliminates tech support calls, especially with mobile users
- they know of some specific bug regarding NAT-T and are shaking in their boots over it, justified or unjustified
- they need a firewall rule opened for it and they can't figure it out, or the firewall admin is playing god and pretending it is a big deal to accomplish
- their change control process is so painful that nobody wants to schedule public changes unless forced to, and they'll only lie and make small unnoticeable changes illegally

These are basic scenarios that occur in IT shops and impede progress in general.

DiGiTAL_ViNYL (no email)

Re: Nortel Contivity Client works without router but not with router.
>
>I have the following situation:
>
>I'm trying to connect to my employer's VPN service from home. I have
>ADSL with a provider called Bredbandsbolaget (Swedish). When I connect
>my stationary computer or my laptop directly to the ADSL modem, the VPN
>works fine. When I connect my Linksys router to the modem and then the
>stationary PC to the router or the laptop to the router via 802.11g
>then the VPN client doesn't work.
>
>I have the following equipment:
>
>no-name ADSL modem looks very much like an Alcatel Speedtouch
>Linksys WRT54GX-v2 wireless router/switch/firewall with 2.00.8 firmware
>(latest available)
>PC with WinXP Pro SP2, windows firewall disabled, Norton AV.
>laptop with WinXP Home SP2, windows firewall disabled, McAfee AV.
>
>Nortel Contivity Client 5.01d
>
>I have tried the following suggestions separately and together:
>
>Opened IPSEC passthrough in the router
>Opened UDP ports 500, 8000 (needed by employer), 1723
>Put the PC on the DMZ (if this fails then it must mean it's not a port
>problem right?)
>Assigned a static IP to the PC outside of the DHCP range of the router
>reflashed the firmware in the router (note that the router works fine
>in every other aspect other than using VPN)
>
>For one thing, IPSEC passthrough doesn't seem to work in this router,
>because all it should do is open up port 500 UDP, but if I enable this,
>then the host name cannot be reached. As soon as I open port 500 UDP
>manually, then the host can at least be reached! Also, using port
>forwarding does not work either--I have to enable port 500 with port
>triggering. I do not understand why this is different, but it doesn't
>seem right. I opened a port for FTP and BitTorrent using port
>forwarding and these both work fine! Once I open these ports (500 &
>8000) then I get past the initial contact stage and then it hangs on a
>message saying "Retrieving banner text".
>
>According to a Nortel tech document, this means I have a router
>blocking NAT traffic. Unfortunately, they give no real solution--they
>just explain all about NAT and ESP/AH etc etc. I have colleagues with
>all-in-one ADSL modems/routers that can connect without problems, but I
>have not found anyone else who has a separate modem and router. I have
>spoken to Linksys support many times and received dumbass suggestions
>that have not solved the problem. I am sick of hearing "have you
>flashed the router with the latest firmware". Yes, I have. Twice. I
>have also tried an old Netgear RP614 router and it has the same issue,
>so I suspect it's a problem with NAT not getting through the modem then
>router to the PC rather than it being a pure Linksys fault.
>
>If anyone has any advice I would very much appreciate it.
>
>Regards,
>Andrew