We recently started looking for a more cost-effective VPN router for small office and home office environments. With the current price of gas over $4.13/gallon there are a lot of businesses looking to try and ease the strain by effectively utilizing telecommuting for both voice and data applications. In my next few posts I’m going to look at some different technologies that a telecommuter could potentially use in the virtual office.
We’re currently using the Nortel VPN Router 1010, 1050 and 1100 models for mid-size to large offices but needed a more cost-effective solution for home office environments such as remote call center agents and other professionals. It also doesn’t help that Nortel has manufacture-discontinued the 1010, 1050 and 1100 models (the bulletin from Nortel can be viewed here). There are two approaches that we are currently looking at with respect to the remote call center agents: 1) a hardware solution with a VPN router and IP phone; 2) a software solution with a VPN client and IP softphone. In this post I’m going to discuss my impressions of the Nortel Business Secure Router 222.
Let me be honest up front and tell you that I’m no fan of the Nortel VPN 200 Series Router from which this product was born. I know from opening a Nortel VPN 221 Router that it appears as if Nortel has OEM’d the product from Zyxel. I’m not sure if that’s still the case but the GUI of the BSR 222 looks almost identical to the VPN 221.
“The Business Secure Router 222, specifically designed for the small to medium business (SMB), is a converged broadband access router that provides a secure connection to the Internet via digital subscriber line (DSL) or cable modem broadband services. The Business Secure Router 222 is an advanced, feature-rich router offered at an affordable price.”
We tested the BSR 222 and were very happy with the results. We provisioned multiple IPSec tunnels with Triple DES encryption to a Nortel VPN Router 1700 (V06_05.140) using Asymmetric Branch Office Tunnel (ABOT) in Aggressive mode. In our previous tests with the VPN 221 router we had all sorts of issues with the IPSec tunnels staying up in Aggressive mode. With the BSR 222 we had no such issues using the exact same profile on the VPN Router 1700 we used for the VPN 221.
We also tested connecting a Nortel i2002 over the BSR 222 and found the call quality to be excellent. While I could have paired a BES 50 with the BSR 222 to provide PoE, I decided to just use a power supply on the i2002. The hardware solution seems to be a very reliable and stable solution, as it probably should be. I would guess that a hardware solution such as this would probably cost around $800 (IP ISM, IP Phone, BSR 222). Please just remember that any VPN solution is only as stable as your broadband connection to the Internet.
The default username is “nnadmin” and the default password is “PlsChgMe!”. The default IP address is 192.168.1.1 and the router can be configured from a web browser by using the URL http://192.168.1.1.
In defense of the VPN 221 router, it does support a feature called “Control Ping”. When this feature was configured, it allowed the VPN 221 to determine if an IPSec tunnel had become disconnected from the far side. It did this by pinging an IP address that was within the tunnel network range. If the ping failed, the router would essentially restart the tunnel by disconnecting it and reconnecting it. It would also keep the tunnel active on the far side, preventing any keepalive issues from arising. When I configured this feature on the VPN 221 the tunnels seemed to work flawlessly. This same feature is available on the BSR 222 and it may be required if you find your tunnels bouncing up and down.
Cheers!
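The “Control Ping” behaviour described in the post, modelled as an added example (not code from the original post or from Nortel): probe a host inside the tunnel range and bounce the tunnel after a run of failed probes. The `restart` hook, the failure threshold and the sample address are assumptions for illustration.

```python
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List


def icmp_probe(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the system ping (Linux iputils flags assumed)."""
    done = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0


@dataclass
class TunnelWatchdog:
    target: str                    # host inside the remote tunnel network
    probe: Callable[[str], bool]   # True when the target answers
    restart: Callable[[], None]    # hypothetical hook: disconnect, then reconnect
    max_failures: int = 3          # assumed threshold, not a BSR 222 setting
    failures: int = 0
    events: List[str] = field(default_factory=list)  # history for later review

    def tick(self) -> str:
        """Run one probe cycle; the probe itself is traffic that keeps the
        far side of the tunnel active."""
        if self.probe(self.target):
            self.failures = 0
            outcome = "up"
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.restart()     # far side may still think the tunnel is up
                self.failures = 0
                outcome = "restarted"
            else:
                outcome = "miss"
        self.events.append(outcome)
        return outcome


def simulate(replies: List[bool], max_failures: int = 3) -> List[str]:
    """Replay constructed probe results (no network needed)."""
    feed = iter(replies)
    dog = TunnelWatchdog("10.0.0.1", lambda _host: next(feed),
                         lambda: None, max_failures)
    return [dog.tick() for _ in replies]
```

For a live check, pass `icmp_probe` as `probe` and call `tick()` on a timer; the `events` list then shows how often the tunnel had to be bounced.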
Leandro says
Hello,
I’m glad to read that you had no problems connecting a BSR 222 to a VPN Router 1700…
I’m trying to establish a branch office tunnel between a BSR 222 and a VPN Router 1010 and wonder if you have documentation that you used on the 1700 that could assist me with this issue.
Thanks so much.
-Leandro
Michael McNamara says
Hi Leandro,
What problems are you having connecting to the two? The biggest problem I’ve had with the Nortel VPN Router 221 and the Nortel Business Secure Router 222 is the lack of IKE keepalives. On occasion one side of the tunnel will go down but the other side will remain active. I never have had a problem using the “fully featured” Nortel VPN Router 17000, 1100, 1050 or 1010 since they all run the same software and support IKE keepalives. The “Control Ping” feature of the 221/222 generally keeps the tunnel stable by sending traffic across it. I’ve had to use the “Control Ping” feature even when I set both sides for “Nailed Up”. I can post some screen shots if you’re completely lost. Let me know.
Thanks for the comment!
Alia says
Hello,
I tried to connect an i2004 phone with the BSR 222 but the problem is that the i2004 phone can’t take any IP. I don’t know why, although I connect the BSR 222 with a laptop and it works.
Michael McNamara says
Hi Alia,
The problem is that the Nortel i2004 will always say “Starting DHCP…” never giving you a real understanding of the problem.
Have you configured the phone for partial DHCP?
Have you configured the S1 values?
I’m going to assume that you have the phone configured for Full DHCP, in which case the phone will sit waiting (displaying “Starting DHCP…”) until it receives all the proper DHCP options even if it has received a DHCP address.
Cheers!
Janine says
I have a couple of questions:
1. Should I enable the firewall for the BSR222 at my remote sites?
2. Should I change the username and passwords that the installer kept (very similar to those listed above)?
3. Why can’t I get ping returns from one of my remote sites (but I can ping the BSR222s at all sites)?
Thanks,
Janine
Michael McNamara says
Hi Janine,
You should leave the firewall enabled (it’s enabled by default). The firewall really only comes into play when public Internet devices try to access your BSR222. It shouldn’t have any effect on tunnel traffic in its out-of-the-box state. I would advise you to change the password at a minimum, it’s best practice. Just remember to document the username and passwords that you’ve configured the moment you change them. If I had $1 for every time someone changed a password only to forget the password they used the following day. Assuming that your Branch Office Tunnels (BOTs) are set up properly along with the necessary IP routing you should be able to ping. You don’t have the Windows XP/Vista firewall enabled, do you?
Good Luck!
Jamal says
I have a BSR 252 business secure router with me.
I want to configure it, please help me.
I don’t know what the default username and password is.
Jamal
dubai
Michael McNamara says
Hi Jamal,
The default username and password are included in the post above.
Good Luck!
Sean says
Michael – I called Nortel support who could not tell me the default username and password for this box. I really need to buy you a beer sometime buddy!
Richard says
I am the IT manager premiumcolor group
we have two offices.
HQ has BES50 with digital phones and a bsr222 to tunnel over to the branch.
the branch has PCs sharing the lines with the VoIP phones using 1 BSR 222 and 2 PoE Nortel switches.
VZ implemented the system, dealing with them was a nightmare, and they had no 911 solution for this setup, enter Mark Flecther who assisted us to force VZ and NT engineers to create the solution which is now implemented.
questions:
How many VPN connections at once can the 222 accommodate? And two, I have a time clock program that broadcasts to update the server, but the broadcast does not seem to allow for the server to reply back to the client properly through the 222’s even though I have attached both machines directly to the 222’s. What could be the issue here?
Michael McNamara says
Hi Richard,
I believe you can run 5 tunnels on the BSR222, you can probably look it up in the manuals on Nortel’s website if you want to be sure.
You mention the word “broadcast”, is it really a broadcast packet? You should be able to utilize NTP via Unicast packets without any issue. I maintain 2 centralized NTP servers for my entire organization (32,000+ ports). The devices that are at the branch office sync their time over the VPN/IPSec tunnel to the centralized NTP servers. It works great and keeps the time sync’d across every system (Windows, MacOS, Linux, etc).
I will warn you that I’ve seen very odd behavior from BES50 switches. We purchased 2 of them for testing and decided against purchasing them because we had all sorts of interoperability issues with different devices. Even though you mention you’re physically connected to the BSR222 you could try removing the BES50 and see if that resolves your problem. The LAN ports of the BSR222 should act just like a switch, although you may want to disable IGMP since I believe it’s enabled by default.
Good Luck!
philipvl says
Hey Richard
I need to configure a client dialup VPN connection on 3x BSR252, can you please give me some information on how to configure it? Which VPN client do I need for Windows Vista?
I have some experience with Fortigate, I did the same steps but it doesn’t work.
Thanks in advance for a quick answer.
Philip
Michael McNamara says
Hi Philip,
The BSR252 has a built-in ADSL2+ interface for connecting to DSL networks. I would suggest you refer to the documentation. I haven’t personally touched these devices in years now but they were pretty straightforward with an easy to understand web GUI. I’m not sure which VPN client software they might use for end-users.
Good Luck!
Mike Lowman says
I run all technology for a small company. We currently have a BCM50 and two remote sites on BSR222s. We have not had any problems with them. I am moving to Thailand and want to know if I should/could install a BSR222 in my home instead of running the Softphone. I would prefer to have a phone on my desk. My question is, can I have someone configure the BSR222 remotely. We have used Verizon to set up everything and haven’t had to call them about any problems (for two years). Am I crazy to want the BSR222 for one remote phone line? I would also love to have the VPN capabilities. One last question… I read in the Avaya docs that I could have a BSR installed with dynamic ip address, but I thought you had to have a static IP. Do you have to have a static IP?
Michael McNamara says
Hi Mike,
It’s possible to manage the BSR222 from the public interface if it’s been configured to allow that functionality ahead of time. You have two options available if you want to remotely connect an IP deskphone to your BCM50, 1) you can purchase the 1100 series IP phone along with a license for the built-in VPN client (requires a Nortel VPN router on the main office side) or 2) you can use equipment to create a branch to branch VPN tunnel such as what you are doing with the BSR222. You can use a dynamic IP address on the branch office site (this is called an Aggressive Mode tunnel) but the main office side needs a static IP address.
Good Luck!
Carlos says
Dear Richard,
I have a home-office set up with my own 2WIRE ADSL gateway (supplied by Bell Canada, my ISP); a Nortel BSR222 router and a Nortel IP phone.
Up until 4 weeks ago, everything was working fine. I disconnected the BSR222 and the IP phone because I had to go to work from Head-Office. When I came back and reconnected the system, the IP Phone displays the message “Server Unreachable”. I can see that the 2WIRE gateway is assigning an IP address to the BSR222, but the latter doesn’t seem to access the phone server in Head-Office.
We tried the same system (BSR222 and IP phone) at 2 other locations, who have Rogers cable as their ISP, and it works perfectly.
My home PCs and personal wireless devices have had access to the Internet all along and were never affected.
When I call Bell Canada Tech Support, they don’t see any problems with the 2WIRE gateway, and can’t resolve the conflict with the BSR222 (or the IP Phone). Consequently, they suggested that I contact 2WIRE, the OEM of the gateway.
2WIRE says that I should contact Nortel to find out what Ports I should open in the 2WIRE gateway (Port Forwarding) for the BSR222 to work its way to the Internet, but I’m hesitant to open ports that were not required before.
Please advise if you have seen a case like this before, and could suggest a solution. Let me know if you have any questions that might help you in finding a solution… before I ditch Bell Canada and switch to Rogers Communications or ACANAC…
Sincerely,
Carlos
Michael McNamara says
Hi Carlos,
If you replace the IP phone with your laptop or PC (don’t forget to change the IP address if you are using static IP addressing) can you ping the main office CS1000?
I would start with that testing first. Make sure you have connectivity first, then worry about the IP telephony component.
Good Luck!
Alrick Elliott says
Michael,
Is the BSR222 capable of port forwarding and if so how is that setup? I’ve looked at the firewall and added the port, rule and protocol – no desired progress. Done the same under SUA/NAT and still getting nowhere really fast. I turned off the firewall, momentarily, with very little forward progress.
My aim is to get this BSR222 to allow a biometric clock traffic to pass through a specific port.
I called Avaya/Nortel desk help for assistance and nothing as yet.
Stephanie says
I know your post is old, but we have several remote users who work from home and use high speed internet access (some Comcast, some Verizon FIOS, etc). They are all complaining that after about 2 seconds, the person they called can’t hear them. The customer complains that the sound is garbled or it sounds like they are under water. After a few seconds, sometimes it returns to normal, but then repeats. Other times, they have to disconnect the phone and call back but it happens again. They are using a BSR222 and Nortel IP Phone 2004. We’ve tried reconfiguring another BSR222 for them and replacing their IP phone, but nothing has helped. Is it their ISP? A configuration issue with the tunnels, the BSR222 or the phone? Any ideas or troubleshooting tactics we can use would be appreciated.
Michael McNamara says
Hi Stephanie,
I was never a fan of the BSR222 and have since abandoned it for the Juniper SRX Branch series where I have about 25 remote contact center agents working very reliably every day. If you are reporting that this happens to all your users I would probably start with the bandwidth at your main office. What are you terminating the tunnels on in the main office? I would look at that side of the equation. In general if the users have 10Mbps/2Mbps (down/up) then you should be good so long as they are not connected via wireless and don’t have too many kids at home sucking away the bandwidth.
What type of ICMP ping times do you get when pinging the Nortel i2004 from the main office? You should be getting around 20-40ms for a reliable call with good quality.
Good Luck!