Nortel VPN Router Configuration Guide

In this post I’ll provide an example of how to configure a Nortel VPN Router. We’ll configure the remote office VPN router for a tunnel with 3DES/SHA1 encryption and DH2 using pre-shared keys, routing all traffic to the main office across the tunnel (no split tunneling). You should start by connecting up to the local console port on the VPN router (the diskless 1100,1050,1010 require a special RJ45 -> DB9 console cable). Log into the VPN router with the default username of “admin” and the default password of “setup” and reset it to factory defaults. You’ll find the option under “R” for “Reset System to Factory Defaults”.

Welcome to the Contivity Secure IP Services Gateway
Copyright (c) 1999-2004 Nortel Networks, Inc.

Version:                 V05_00.136
Creation date:           Aug 20 2004, 15:50:15

Date:                    07/23/1980
Unit Serial Number:      11221

Please enter the administrator's user name: admin

Please enter the administrator's password:

Main Menu:  System is currently in NORMAL mode.
1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode       FALSE
7) Allow HTTP Management            TRUE
8) Firewall Options
9) Shutdown
B) System Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes

Please select a menu choice (1 - 9,B,P,C,L,R,E):

The first step will be to configure the IP addressing for the private LAN and public WAN interfaces. Using the serial console select “L) Command Line Interface” from the menu options.

CES>

Upon entering the CLI environment the prompt will be changed to “CES>”. You must now enter privileged mode using the “enable” command entering the default admin password of “setup”.

CES>enable
Password: *********

Let’s take care of the easy stuff first. I’m currently working in the Eastern time zone;

CES#clock timezone est
CES#clock set 15:22:30 12 JANUARY 2005

You can discern from the syntax above that #clock set <hh:mm:ss> <day> <month> <year>
Now you must enter configuration mode using the commands listed below. We’ll reset the admin password before anything else.

CES#configure terminal
Enter configuration commands, one per line.  End with Ctrl/z.
CES(config)#
CES(config)#adminname admin password <standard password>

We’ll configure the private LAN IP Address. In the example below I’m using 10.2.203.1 as the LAN address of the branch office VPN router.

CES(config)#interface FastEthernet 0/1
CES(config-if)#ip address 10.2.203.1 255.255.255.0
CES(config-if)#exit

Next we’ll configure the MANAGEMENT IP Address. The LAN address and management IP address must be on the same subnet.

CES(config)#ip address 10.2.203.10
Management address set to 10.2.203.10 successfully !
Next, make sure Mgt addr and private LAN addr are on same subnet
CES(config)#

You should use the IP addressing that’s been assigned to the equipment your configuring in place of the IP addressing used above. Next we’ll assign the public WAN IP Address provided by the Internet Service Provider (ISP) which in this case happens to be Verizon DSL;

CES(config)#interface FastEthernet 1/1
CES(config-if)#ip address 70.256.1.10 255.255.255.0
%Warning: The IP address type is changed from DHCP dynamic to static
CES(config-if)#exit
CES(config)#ip default-network 70.256.1.1 public
CES(config)#ip name-server 151.197.0.38 151.197.0.39 199.45.32.43

NOTE: FastEthernet 0/1 is the PRIVATE LAN while FastEthernet 1/1 is the PUBLIC WAN
Let’s disable those services we won’t be using and enable those we will be using;

CES(config)#no tunnel protocol pptp public
CES(config)#no tunnel protocol pptp private
CES(config)#no tunnel protocol l2tp public
CES(config)#no tunnel protocol l2tp private
CES(config)#ipsec encryption 3des-sha1
CES(config)#ipsec encryption aes256-sha1
CES(config)#no ipsec encryption aes128-sha1
CES(config)#no ipsec encryption des40-md5
CES(config)#no ipsec encryption des40-sha1
CES(config)#no ipsec encryption des56-md5
CES(config)#no ipsec encryption des56-sha1
CES(config)#no ipsec encryption hmac-md5
CES(config)#no ipsec encryption hmac-sha1

Let’s configure the “Base” default Branch Office Group with the standard settings.

CES(config)#bo-group ipsec /Base
CES(config-bo_group/ipsec)#encryption 3des-sha1
CES(config-bo_group/ipsec)#encryption ike 3des-group2
CES(config-bo_group/ipsec)#antireplay enable
CES(config-bo_group/ipsec)#no compress
CES(config-bo_group/ipsec)#initial-contact enable
CES(config-bo_group/ipsec)#exit

Let’s add a designator for the local network (to be used later – replace with your IP network)

CES(config)#network add LocalNetwork ip 10.2.203.0 mask 255.255.255.0

Let’s add a sub group for our IPsec tunnel configuration;

CES(config)#bo-group add /Base/AcmeHealth
CES(config)#bo-conn add Acme-1 /Base/AcmeHealth
CES(config)#bo-conn Acme-1 /Base/AcmeHealth
CES(config/bo_conn)#conn-type peer2peer
CES(config/bo_conn)#local-endpoint 70.256.1.10
CES(config/bo_conn)#remote-endpoint 192.1.1.124
CES(config/bo_conn)#tunnel-type ipsec
CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn)#routing type static
CES(config/bo_conn)#state enable
CES(config/bo_conn)#routing static
CES(config/bo_conn/routing_static)#local-network LocalNetwork
CES(config/bo_conn/routing_static)#remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
CES(config/bo_conn/routing_static)#exit

Let’s setup the DHCP relay agent forwarding our DHCP/BOOTP requests to 10.2.16.40;

CES(config)#no service dhcp enable
CES(config)#ip default-network 70.20.130.1 public
CES(config)#ip dhcp-relay 10.2.203.1
CES(config)#ip dhcp-relay 10.2.203.1 enable
CES(config)#ip helper-address 10.2.203.1 server 1 10.2.16.40
CES(config)#ip forward-protocol dhcp-relay

Since we’re routing everything over the IPSec tunnel (the remote-network was 0.0.0.0 with a mask of 0.0.0.0) we need to change the default route preference.

CES(config)#ip default-route-preference private private

That’s the short approach to using the CLI interface to configure the Nortel VPN Router. There is a somewhat old and slow web interface that you can also use to configure the VPN router. You only need to point a web browser to the mangement IP address.

Cheers!

Update: Wednesday December 10, 2008
Here’s the pinout for the special RJ45 to DB9 serial cable used to access the diskless VPN routers;

Cheers!

This entry was posted by Michael McNamara on September 19, 2008 at 11:00 pm, and is filed under Nortel, VPNRouter. Follow any responses to this post through RSS 2.0.You can leave a response or trackback from your own site.

Comments (124)
Related Posts

#1 written by Curtis 3 years ago
Actually, the web interface in version 7.0x code is much improved than the Java-based user interface on 6.x and older.
However, they could make me happy if they’d get rid of the little musical interlude when accessing the 7.0x web interface and Java device manager.
Reply Quote
#2 written by Michael McNamara 3 years ago
Hi Curtis,
The new web interface is definitely much cleaner but it’s still rather slow for my liking. Nortel’s Java Device Manager plays the same little musical interlude, which you can disable. I haven’t seen a place to disable the one you’re referring to just yet.
Thanks for the comment!
Reply Quote
#3 written by Randy Banaria 3 years ago
This is good sample configuration though i haven’t tested it yet. :)
Thanks a lot.
regards,
randy
Reply Quote
#4 written by Benny 3 years ago
Hi there!
Does anyone of you know how to reset admin password on Nortel Conectivity VPN 1050? this has not been used for long time now I want it to reconfigure but noluck cause I forgot the admin password…:(
Reply Quote
#5 written by Emil 3 years ago
Sory for my bad english
where i can find pinouts for this “special RJ45 -> DB9 console cable”
I try cisco console cable and Straight through cable they not work
Help please
Reply Quote
#6 written by Michael McNamara 3 years ago
Hi Emil,
I found the pinout on page 44 of the “Nortel VPN Router Installation — VPN Router 1010/1050/1100″. I’ve updated the article above with a graphic of the pinout.
Good Luck!
Reply Quote
#7 written by Michael McNamara 3 years ago
Hi Benny,
Here’s an excerpt from the Nortel documentation.
Diskless VPN Routers (1010, 1050, 1100)
1. Restart the router and push the button (pinhole) marked REC on the back panel during the memory test. Note it is not necessary to hold it. This will put the router into Recovery mode.
2. Once the startup is complete, open a web browser and direct it to the management IP address to open the GUI.
3. Once there, select the radio button marked Restore original factory settings and click on the Restore button.
4. When the message “Successful Factory Restore” appears at the top of the screen perform a restart. It is now at Factory Default. The administrator userid will be returned to admin, with the password returned to setup. As the management IP address is no longer present, the console must be used to enter both the management and private interface IP addresses.
Good Luck!
Reply Quote
#8 written by Muhamad M.Shaker 3 years ago
Dear sir ,
Kindly , I work as Telecom network engineer and i haven’t experince with nortel and all our system from nortel and i am a new joiner so i would like to send me the troubleshoting of 1750 VPN connection and confoguration also 1100 router and i shall contact with you again in case of i desire to know some information related to nortel products, thanx for caring and efforts.
Reply Quote
#9 written by Muhamad M.Shaker 3 years ago
Dear sir,
Kindly , i have nortel CS 1000 (IP Telephony) when the tephone conected to PC the link get speed 100 Mbp/s and when i conect the cable direct to PC without phone its get 1Gbp in case of all pc’s connect to phone and get the 1Gbp/s because our link speed is 1 gbp/s , what is the problem in this case and how i troubleshot .. i use Telephone manger to monitor and mangement the systems.
Muhamad M.Shaker
Reply Quote
#10 written by Michael McNamara 3 years ago
Hi Muhamad,
Your welcome to review the information I have concerning the Nortel VPN Router. If you are looking for the manuals I would suggest you create an account on Nortel’s website and download the specific manuals you’re looking for.
Your second post is off topic with respect to VPN routers although I’ll answer your question. What model of Nortel phone are you using? The i2002/i2004 phones only support 100Mbps, you need to use the 1120e/1140e/1150e models if you want 1Gbps.
Good Luck!
Reply Quote
#11 written by Muhamad M.Shaker 3 years ago
Good Day Sir,
Kindly , i use 1120E,1140E,1150E and all of them is working fine with 1gbp/s but i have problem with some phones when connected the pc through this phone it give 100mbp/s in case of all phone work as 1gbp/s. what is the problem and how i am able to troubleshot.
Reply Quote
#12 written by Michael McNamara 3 years ago
Hi Muhamad,
This really isn’t on topic for a VPN router post but I’m happy to reply. I can’t really provide you the magic bullet answer. What firmware version are you running your IP phones? Is it the latest and greatest? If not I would advise you to upgrade. What has your voice reseller said about the problem, I assuming the phones are all configured for autonegotiation on the PC ports. I haven’t observed any autonegotiation issues myself with any of the aforementioned phones.
Good Luck!
Reply Quote
#13 written by Muhamad M.Shaker 3 years ago
Hi Michael,
how r u today,
i would like to tell me fourm site inquries about nortel voice and nortel product .. please
Thanks and regards.
Muhamad M.Shaker
Reply Quote
#14 written by Michael McNamara 3 years ago
Hi Muhamad,
If you look at the right sidebar under “Links” you’ll see two Tek-Tips forums that I believe you’ll find helpful.
In case you can’t find them;
Tek-Tips Nortel Networking Forum
Tek-Tips Nortel Succession Forum
Good Luck!
Reply Quote
#15 written by duzers 3 years ago
Hi!
I have BO tunnel 1010! And I want direct 0.0.0.0 on BO side to tunnel! But i can’t
ip default-route-preference private ?
private Defines that private routes will be preferred as default routes
public Defines that public routes will be preferred as default routes
sh running-config profile bo-conn
bo-conn add “CO-Ochak” “/Base/C-Ok” conn-type peer2peer
bo-conn “CO-Ochak” “/Base/C-Ok”
state enable
filter “permit all”
local-endpoint 212.26..x.y
remote-endpoint 212.26.x.y
routing type static
routing static
local-network “LAN”
remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
exit
tunnel-type ipsec
ipsec authentication etext-pre-shared-key “a”
no mtu enable
mtu 1788
exit
Reply Quote
#16 written by Michael McNamara 3 years ago
Hi Duzers,
I’m going to assume that you have the tunnel configured properly on both sides. In general the default configuration will not route 0.0.0.0 across the tunnel even if you have the networks setup properly. You need to issue the following command;
CES(config)#ip default-route-preference private
That command will instruct the CES to route traffic that matches the default route across the private tunnel interface as oppose to the public interface. You will still need a public “default route” and public IP address for the CES to communicate properly with the MO (Main Office).
If you’re having issues try just setting up a Class C network in the tunnel configuration and testing that. Once you know that works you can go back to troubleshooting the default route issues.
Thanks for the comment!
Reply Quote
- #17 written by ibrahim 1 year ago
  HAI,
  We have installed new broadband connection. DSL router itself doing natting function. We have a nortel contivity 1010 box. We need to connect it to the DSL router. Could you suggest us how to proceed.
  Thanks
  Ibrahim.
  Reply Quote
  - #18 written by Michael McNamara 12 months ago
    Hi Ibrahim,
    You should probably download the documentation and read it over… setting up a VPN for the first time is not a trivial matter and can be quite complicated depending on your configuration.
    Cheers!
    Reply Quote
#19 written by duzers 3 years ago
Tunnel properly up. And i cant issue following command
CES(config)#ip default-route-preference private
because my CES tell me
ip default-route-preference private enter
result
ip default-route-preference private
^
% Incomplete command. See ‘^’ marker.
ip default-route-preference private ?
private Defines that private routes will be preferred as default routes
public Defines that public routes will be preferred as default routes
Reply Quote
#20 written by Michael McNamara 3 years ago
We’re missing another “private” on the end of that command;
CES(config)#ip default-route-preference private private
Give that a try.
Good Luck!
Reply Quote
#21 written by duzers 3 years ago
Doesnt work :(
I cant ping MO net from BO!
Help me please!
I dont want to deploy dynamic routing or set my MO nets manually
Reply Quote
#22 written by Michael McNamara 3 years ago
Unfortunately all my Nortel VPN Routers are now running OSPF and are dual-homed to two Internet Service Providers so I don’t have an example to immediately look at. So you’ve built the network as 0.0.0.0/0.0.0.0 and that tunnel is up and packets are going in and out. When you dump your routing table does it have a destination of 0.0.0.0 pointing to the tunnel interface?
Sorry I can’t help more.
Reply Quote
#23 written by Ganesh Kumar 3 years ago
Hi,
I have one query on Nortel VPN router functionality on Tunnel Redundancy using Static route
We can have tunnel redundancy if we configured OSPF as routing protocol on tunnel parameter.
Local Side is Nortel 600 & Remote location is Nortel 2700
Configured 2 tunnel with remote site (RS) 1 & 2 for same remote network
Tunnel 1 (Terminated to RS 1 with static cost 10)
Tunnel 2 (Terminated to RS 2 with static cost 20)
I have tried the same using Static route, but it fails and I checked the routing table and found the routing update is still available for tunnel 1 due to this update traffic is not able to flow through Tunnel 2
If you have any suggestion kindly provide the same to fix this issue
Regards,
Ganesh
Reply Quote
#24 written by Michael McNamara 3 years ago
Hi Ganesh,
Here’s the problem you need to confront with static routing – how to update the route depending on which path is available. The issue here is that the Nortel VPN Router will always have an entry in the routing table regardless of the state the actual tunnel is in (up/down). The routing table entry needs to be there so traffic makes it to the VPN router and the router can then bring up the actual tunnel. If you had redundant physical connections (multiple ISPs) then I believe you might be able to do something with static routes to provide redundancy.
I’m doing exactly what you are trying to-do with OSPF routing. I’ve adjusted the OSPF costing on one of the tunnels so that traffic will only traverse the primary tunnel unless it goes down. I have two main office VPN Router 1700s connected to my network at different geographic locations using two different Internet Service Providers. I run OSPF between the two on my core backbone.
You’ll need the Advanced Routing License for the Nortel VPN Routers to enable OSPF functionality.
Cheers!
Reply Quote
#25 written by duzers 2 years ago
Hi!
(MO)172.16.16.209/20— 172.16.19.44/20(Router)192.168.40.1—192.168.40.3(Contivity 1010 BO)—192.168.41.1(LAN)
What i must write for route 0.0.0.0 on BO to MO work properly!
I have following routing table on BO:
CES#sh ip route
Protocol IP Address Mask Cost Next Hop Interface
————————————————————————
STATIC 0.0.0.0 0.0.0.0 [11] 172.16.16.209 192.168.40.3
STATIC 0.0.0.0 255.255.255.255 [1] 192.168.40.1 192.168.40.3
DIRECT_N 192.168.40.0 255.255.255.0 [0] 192.168.40.3 192.168.40.3
DIRECT_H 192.168.40.3 255.255.255.255 [0] 127.0.0.1 127.0.0.1
MGMT 192.168.41.2 255.255.255.255 [0] 127.0.0.1 127.0.0.1
I did
CES(config)#ip default-route-preference private private
but
CES#sh branch-office sessions
Summary:
Current Sessions:
Branch Office: 0
When i write assume net that is on MO
CES(config/bo_conn/routing_static)#remote-network 192.168.1.1 mask 255.255.255.0
Tunnel is on and i can ping remote net MO from BO LAN
CES#sh branch-office sessions
Summary:
Current Sessions:
Branch Office: 1
Where is my fault?
Reply Quote
#26 written by Frank 2 years ago
Hi Michael, Do you know how to do a password recovery without reseting the factory default in a contivity 1750?
Thanks.
Reply Quote
#27 written by Michael McNamara 2 years ago
Hi Frank,
I don’t believe it’s possible but please don’t take my word as gospel. I’ll ask around and let you know but I’m thinking it’s not possible without using some extraordinary means (extracting the physical hard disk and then mounting the disk/filesystem with another computer – perhaps Linux – and coping the necessary files to an alternate location so you could restore the configuration after you factory reset the VPN router itself)
You can refer to the Nortel VPN Router Recovery Floppy post for a link that will show you how factory reset the switch.
Good Luck!
Reply Quote
#28 written by Michael McNamara 2 years ago
Hi Duzers,
I’m not sure I follow your IP addressing scheme. You understand that whatever IP networks you setup in the BO must be setup in the MO? I’m very suspicious of your configuration and I’m not sure you understand exactly what your doing. If you change the IP networks/hosts in the tunnel on the BO side you need to make the same change on the MO side. The IP networks/hosts need to match or the tunnel won’t come up.
In the article I describe how to configure a BO (Branch Office) Nortel VPN router. How did you setup the MO (Main Office)?
On the Main Office you’d need to setup a matching tunnel. The endpoints would be reversed from the Branch Office and the IP networks would be reversed. Here’s a quick example which would match the example from my original post above;
CES(config)#network add DefaultNetwork ip 0.0.0.0 mask 0.0.0.0
…
…
CES(config/bo_conn)#conn-type peer2peer
CES(config/bo_conn)#local-endpoint 192.1.1.124
CES(config/bo_conn)#remote-endpoint 70.256.1.10
CES(config/bo_conn)#tunnel-type ipsec
CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn)#routing type static
CES(config/bo_conn)#state enable
CES(config/bo_conn)#routing static
CES(config/bo_conn/routing_static)#local-network DefaultNetwork
CES(config/bo_conn/routing_static)#remote-network 10.2.203.0 mask 255.255.255.0 state enable cost 1
CES(config/bo_conn/routing_static)#exit
If the tunnel doesn’t come up you’ve got other problems that you’ll need to fix. I would suggest you examine the logs for an idea of where you might start troubleshooting.
CES# show logging event
Good Luck!
Reply Quote
#29 written by Ganesh Kumar 2 years ago
Hi,
You are recommending us to with Advance routing, it is not feasible to use Static route for Tunnel redundancy.
Regards,
Ganesh
Reply Quote
#30 written by duzers 2 years ago
Thanks for your support!
I did what i want to do!
Ive just had experience with Cisco routers but not Nortel
At first time Nortel router very confuse me
Thanks a lot for your helping
Reply Quote
#31 written by Michael McNamara 2 years ago
Hi Ganesh,
The issue here is using static routing to provide redundancy. There are a number of different vendors, Nortel included, where you can provide redundancy with static routes if you are using interfaces where the router can detect a link failure such as a serial link and then remove the static route from the routing table. There’s also the question of what side (Main Office / Branch Office) has the redundant Internet connection. When you throw Virtual Private Networking into the mix you really have a stew of problems. I’m only familiar with the Nortel VPN router but it will always advertise a route to a tunnel even if the tunnel isn’t up and/or available. In that case you need OSPF to provide a mean of decided which tunnel to use and then feed that information back into the backbone routing table.
I believe the only way to accomplish redundancy from the Main Office side is to use OSPF. In this case you’d have two Internet links into different locations for redundancy at the Main Office side. You could load-balance traffic across the two tunnels or you could set the OSPF costs such that one tunnel would be the primary and the second would be the standby.
Cheers!
Reply Quote
#32 written by Dan 2 years ago
I’m having this on a NVR1750:
—–
Boot Image Version: V07_00
Creation date: Oct 19 2006, 13:08:04
auto-booting…
done.
Performing Check Disk on [/ide0/] …
Copyright (c) 1993-1996 RST Software Industries Ltd. All rights reserved
ver: 2.6 FCS
Disk Check In Progress …
total disk space (bytes) : 2,146,631,680
bytes in each allocation unit : 32,768
total allocation units on disk : 65,510
bad allocation units : 0
available bytes on disk : 2,145,746,944
available clusters on disk : 65,483
maximum available contiguous chain (bytes) : 2,145,746,944
available space fragmentation (%) : 0
clusters allocated : 27
Done Checking Disk.
Cannot open “/ide0/system/bin/vxWorks”.
Error loading /ide0/: errno = 0×380003.
Attaching to floppy disk device… dosFsDevInit failed on [/fd0/system/bin/floppyos.i86].
usrFdConfig failed.
Error loading file: errno = 0×380001.
Error during dosFsDevInit[0,0]: d0006
usrIdeConfig /ide0/ failed.
Error loading /ide0/: errno = 0xd0006.
Can’t load boot file!!
Task tBoot Crashed in $Id: rebootLib.c 1.1 1997/09/16 13:38:51 JLawrence SafetySave $ at line 86. ( 0x18edb)
[Nortel Networks Boot]:
——-
Floppy boot doesnt allow me to restore the system (i got some sort of access denied error when i try to write to the disk), and i’m trying to boot the system from FTP (looks like it’s possible)
but i don’t know the commands and parameters to change the boot device from this menu to ftp, even if i see many parameters that suggest it can be possible.
Any sugestions?
Thanks,
Dan.-
Reply Quote
#33 written by Dan 2 years ago
This is the error i get when i try to upload the software to the vpn router after a drive format:
02/12/2009 13:14:08 0 FTP Restore [13] Beginning to Restore from host 192.168.1.3
02/12/2009 13:14:16 0 FTP Restore [11] Starting to restore files from host 192.168.1.3
02/12/2009 13:14:16 0 FTP Restore [13] Error Creating file: /ide0/system/V07_00.062.tar.gz. Error: S_dosFsLib_ILLEGAL_NAME
02/12/2009 13:15:16 0 FTP Restore [11] Restore error = 000000a3.
Reply Quote
#34 written by Michael McNamara 2 years ago
Hi Dan,
How did this problem come about? Did you replace the hard drive with one you purchased on your own?
I’m guessing the format option completes successfully? I’m not really sure what to make of this, unless the drive is formatted (FAT16/FAT32) in such a way that the VPN router doesn’t understand. What filesystem does the Nortel VPN router use? Sorry I can’t be of more help, perhaps someone else will chime in.
Thanks for the comment!
Reply Quote
#35 written by Dan 2 years ago
OK. Here is all what happened in very short steps.
1) New VPN Router 1750
2) Upgrade a Version 8
3) Something went wrong and had a intermitent Noise comming out of the VPN Router 1750
4) Factory Default de NVR1750
5) Noise still there
6) Boot with Recovery Disk
7) Format HD sucessfully
8) Unable to restore an image
9) Dan is dead
I guess in the end i just need the correct procedure to install the image to a formatted hard disk OR someone kind enough to provide an image of a 1750 so i can take the HD out, and d/l the image to that one (if that could even work, of course)
Reply Quote
#36 written by Michael McNamara 2 years ago
Hmm… it was sounding bad but still running fine? Does it still sound bad now?
What version of software did you use to make the recovery/boot diskette?
I’m wondering if they changed the filesystem format in the new release, although I doubt it. The recovery diskette might not know how to deal with compressed (optimized) archives. I would try un-compress (tar zxvf -filename-) the archive and then try having the VPN router download the software.
Good Luck!
Reply Quote
#37 written by Joyce Vong 2 years ago
Hi Mike,
I am new to Contivity. I have a dumb question. What is 0.0.0.0/0 and 0.0.0.0/32 represent? I have a hard time to understand which is public default route and which is private default route and which is public interface and which is private interface. So if I am in MO where I have the outside interface facing internet and where the tunnel is built. And I have an inside interface where I am facing a firewall where in turn will face the LAN.
so is inside interface = private interface?
Is outside interface = public interface?
virtual tunnel interface is what?
What is public default route mean? which interface?
what is private default route mean? which interface?
So there are 3 routing I need. Forget about the NAT that kind of stuff, just pure routing. Say MO LAN is 10.1.1.0/24. Say BO LAN is 10.2.1.0/24. So MO ISP public address is 65.65.65.65 and BO ISP address is 66.66.66.66.
So when MO LAN wants to talk to BO LAN. So the packet has 10.2.1.x as destination and go thru the firewall and hit the Contivity inside interface. So now here is the first routing,
Convitiy will need to know how to reach 10.2.1.x, so let’s say we put a static route saying for 10.2.1.x, the next hop is my BO ISP 66.66.66.66. So the tunnel is built and the tunnel source address is 65.65.65.65 with destination is 66.66.66.66.
So now the second routing comes, the Contivity will say, how do I goto 66.66.66.66? Then I can have static route to say goto 65.65.65.65.
On traffic return back to MO, the when Contivity decrypt the tunnel, then it says how do I goto 10.1.1.x to MO LAN? Then there will need a route in contivity to point it to use the inside interface towards the firewall.
So i wonder if all I have is just one static route 10.2.1.x for BO LAN in MO’s Convitiy, then how does 0.0.0.0/0 and 0.0.0.0/32 to route me correctly? I mean I don’t know what these two quad zero means in Contivity and what public/private default routes mean.
I know in Cisco 0.0.0.0/0 means default route in general so I don’t know the concept of a private and a public default route.
Can you please help to clarify?
thanks,
Joyce
Reply Quote
#38 written by Michael McNamara 2 years ago
Hi Joyce,
That’s quite a long post you have there… I’ll try to give you a quick explanation that hopefully makes sense. In case I miss the point I’ll quote directly from the Nortel manual.
Here’s an excerpt from the manual;
When Public is enabled, all packets that do not go across a tunnel to defined remote networks continue to transmit out of the public interface using the public default Nortel VPN Router (0.0.0.0/32 in the forwarding table). Any packets going to defined remote networks go across the branch office tunnel and cannot have any remote network equal to 0.0.0.0/
0.0.0.0 (default route). For example, if you want to get to the DNS server on the public network, select private-to-public for the routing decision.
When Private is enabled, all packets transmit over your branch office tunnel and not out the public interface because the branch office tunnel has a 0.0.0.0/0.0.0.0 remote network (statically defined or received by RIP). For example, if you want to reach the DNS servers on the corporate side of the branch office tunnel, select private-to-private for the routing decision.
You only need to modify the default-route preference if you wish to route 0.0.0.0/0 across a tunnel interface. What do I mean by that? In our corporate network we don’t want our branch office locations to have direct Internet access without going through our central firewall and content filtering solutions. So all traffic from the branch office is routed across the tunnel interface back to the main office so it can then be filtered and sent back out to the Internet if necessary. While this solution can incur performance penalties it provides maximum control over all branch office traffic.
You actually don’t need to manually create any routes other than defining the default routes in the GUI or CLI interfaces. When you define the IP networks/hosts within the tunnel configuration the Nortel VPN router will automatically add a route to the routing table. You are correct in your assumptions concerning the public and private interfaces. The public default-route points to your ISP while the private default-route points to your internal IP backbone. You must have a public default route, you can manually create static routes for your private network if your not comfortable with the thought of 2 default routes.
Here’s a link to the Nortel VPN Router Configuration Routing Release 7.0
Thanks for the comment, hopefully I’ve provided some help.
Reply Quote
#39 written by Joyce 2 years ago
Hi Mike,
Thanks for your help and the link for the manual. I will read more on it. I have no experience with Contivity and need to understand an existing MO Contivity routing where I see 0.0.0.0/0 and 0.0.0.0/32 in the routing table and I don’t understand it.
Can you please tell me what 0.0.0.0/0 and 0.0.0.0/32 means?
Reading above, is it 0.0.0.0/0 represent default route for traffic going either to private interface? Will private interface refer to tunnel and the interface facing LAN? That means in MO Contivity perspective, for traffic going to inside LAN, this default route will use? What about traffic to BO LAN via tunnel? this default route will use too? If so then it won’t make sense because inside LAN in on inside interface while going thru tunnel is on the outside interface?
So is 0.0.0.0/32 represent default route going to ISP for non-tunnel internet traffic?
Show the Full Route Table
.
Seq P Ip Address/NetMask Weight Cost NextHop NextHopInterface CId
— — —————— —— —- ——- —————- —
8 S 0.0.0.0/0 1 1 10.167.1.1 10.167.1.2 1
9 S 0.0.0.0/32 1 1 166.66.1.1 166.66.1.2 33
So in my MO, I have the following: LAN connecting to Layer 3 switches which connects to the Firewall inside interface. Then from Firewall there are 2 additional interfaces, one is public interface to ISP router, another firewall interface is to Convitiy secure inside interface. So Contivity has this inside secure interface facing firewall and a outside interface facing ISP router.
10.167.1.1 is the Firewall interface facing Convity inside interface 10.167.1.2. Contivity outside interface is 166.66.1.2 facing the ISP router 166.66.1.1. Firewall has an outside interface 166.66.1.3 and an inside interface facing LAN at 10.1.1.1.
My question is when MO route traffic to BO LAN via inside tunnel, I will have a static route pointing BO LAN subnet to use BO ISP tunnel interface as next hop. So which default route will it use to know how to reach BO ISP address? I mean 0.0.0.0/0 or 0.0.0.0/32?
My BO will not do split tunneling. My BO will route all traffic inside tunnel to reach to MO and then decrypt at MO Convity.
thanks again,
Joyce
Reply Quote
#40 written by Michael McNamara 2 years ago
Hi Joyce,
You are correct in that 0.0.0.0/32 would be used for communicating with the ISP while 0.0.0.0/0 would be use to tunnel all traffic across to the MO. How does the Nortel VPN Router (Contivity) make it’s routing decision? I personally can’t say for sure having never spent that much time testing the product. However, I believe it makes decisions based on the IP source/destination and the interface where the traffic is received.
You might find some additional information if you Google for “New Oak”, the company that Nortel (formerly Bay Networks) acquired which they then released as the Nortel Contivity Extranet Gateway.
Thanks again for the comments!
Reply Quote
#41 written by Joyce 2 years ago
Hi Mike,
Thanks again. The part I am trying to figure out is that I have both 0.0.0.0/0 and 0.0.0.0/32 in my MO Contivity. I don’t have access to BO to see the config there. So just purely looking at MO Convity perspective and seeing those two quad zeros, how would you determine which quad zero is for which purpose? I mean if we just look at MO perspecitve, there is an inside interface facing the firewall, and in turns the LAN of MO. then there is an outside interface on MO Convity facing local ISP router where the tunnel is built.
Question 1: So now, when I have traffic coming from LAN thru firewall, reach the inside interface on Convity and want to reach BO LAN, it will be encrypted in tunnel going over local ISP to BO ISP for the tunnel. So when the convitity needs to figure how to reach the BO ISP address, which default route will it use? /0 or /32? or another static?
Question 2: Now the traffic returns from BO coming into MO convtivity and being decrypted, it wants to reach MO LAN subnet, so which default route will it use to reach MO LAN from MO Convitivty? /0 or /32?
thanks again Mike.
Joyce
Reply Quote
#42 written by Mihir Joshi 2 years ago
Hi Mike,
I have contivity configured with BO tunnel. Remote end I am using Nortel Secure Router as VPN router. Earlier I have single router only but now customer has precured one more link with another Nortel Secure Rouer. Now I want to crate the BO tunnel with that router which should be get established while my existing router/linl goes off. Is it possible to do with same Contivity at central side as my remote network is remain same.
Regards,
Mihir
Reply Quote
#43 written by Michael McNamara 2 years ago
You can use the same physical (VPN) routers, the issue you’ll run into is how to dynamically redistribute those routes across your network. As I mentioned in some previous comments I believe you’ll need the Advanced License on the Nortel VPN Router to run OSPF to provide active/active fault tolerance between the multiple tunnels (links).
Good Luck!
Reply Quote
#44 written by duzer 2 years ago
Hi Michael!
I have same problem with my NVR 2700 at the MO and 1010/1100 at the BOs.
2700 have 2×100 mbps NIC
Internet connection at the MO is 100mbps. At the BOs somewhere 2mbps, somewhere 1mbps etc.
And I build VPN between MO and BOs somewhere IPsec somewhere L2TP.
I have the following roblem :
Speed on WAN NIC 2700 (where terminated VPN) doesnt lift greater then 1mbps but when I activate NAT on WAN 2700 and try download file from internet I get truly speed 100 mbps.
Filters on all interfaces “permit all”
Any suggestions?
Reply Quote
#45 written by Michael McNamara 2 years ago
Hi Duzer,
I believe I understand the scenario… but let me just ask to be sure… you only get 1Mbps performance over a 100Mbps link? What’s the speed of the far end branch office? You mentioned in your post that it could be 1Mbps or 2Mbps… so wouldn’t it be in line to only expect 1Mbps of performance across a VPN tunnel to a site that only has a 1 Mbps Internet connection?
While I have three NVR 1700s that each have a 100Mbps connection to a switch, the actual uplink to the ISP is only 50Mbps.
You could try a test and connect an 1010/1100 to the same local network as the 2700. You could then build a VPN tunnel between the two VPN routers and test the bandwidth performance between the two over a true 100Mbps LAN.
Good Luck!
Reply Quote
#46 written by duzer 2 years ago
Thanks for reply.
I said about speed on BOs in sum (BO#1 has ISP speed 1 Mbps, BO#2 has ISP speed 2Mbps, BO#3 has ISP speed 512Kbps…) .All these BOs terminated on MO (2700 WAN) and speed on WAN interface not rise up then 1Mbps , although MO has ISP speed 100Mbps . Speed on BOs diveded 1Mbps on MO(MO 1Mps = BO#1 speed 200Kbps although ISP speed 1Mbps + BO#2 speed 400Kbps although ISP speed 2Mbps + so on ). BOs not use all their throughput but when i setup NAT i got speed claimed ISP.
I try connect 1010 localy with LAN interface 2700 and got the same result. On LAN 100Mbps speed i have 40Kbps downstream speed. By the way speed on LAN although has threshold at 1.4Mbps :(
Reply Quote
#47 written by Michael McNamara 2 years ago
Hi Duzer,
I’m assuming that this isn’t a new installation and that you’ve inherited this router. It sounds to me like someone was playing around with the configuration. I have two 1700 and one 1740 and all three of them can reach upwards of 6Mbps moving traffic across IPSec tunnels. You might want to look over your configuration with a fine tooth comb… the hardware should be able to provide much more than what you are reporting.
Your symptoms don’t suggest these but you might want to look at them anyway, MTU and NIC duplex settings.
Good Luck!
Reply Quote
#48 written by duzer 2 years ago
I see! I’ll try examine config 2700 more closely. Thank you for your time Michael.
Reply Quote
- #49 written by Michael McNamara 2 years ago
  Hi Duzer,
  Out of the box (default configuration) there shouldn’t be anything present to “throttle” the connection speeds. I’m guessing by your description that someone has setup the branch office tunnels to limit traffic, which is possible.
  What are you using to determine your throughput/bandwidth?
  If you are using MRTG to graph the interface you need to modify the MaxBytes paramater within the MRTG configuration file. The Nortel VPN Router will report all VPN tunnels as 56Kbps interfaces.
  Cheers!
  Reply Quote
#50 written by duzers 2 years ago
Hi Michael !
I get statistic by caci.
I found bad configurations string
Statistic at LAN interface
IP QoS Forced Drops 269875
Reason – not properly configured QoS :/
Reply Quote
#51 written by Alexey 2 years ago
Hello.
I’am from russia and sorry for my bad english.
I try to use contivity 1010 vpn router but it doesn’t work. i save all files that was on CF and try to use m0n0wall (m0n0wall.com) with this router. But it doesn’t work to. Now i want to move back Nortel Firmware. I copy files that i save early on CF and try to load router. It write a message “Disk error”.
I try to download firmware from nortel.com… it is imposible they want strange information about me and my company…
Can you give me firmware for this router, please.
I have serial port cable for Concole RJ-45 port.
I try three version of m0n0wall (1.235,1.315,1.316). Was bootable only 1.235, but it doesnt work after setting up netwirk interfaces.
Reply Quote
- #52 written by Michael McNamara 2 years ago
  Hi Alexey,
  I really don’t have any experience “hacking” the hardware of the 1010 model (or any model for that matter). The Nortel software is covered by export restrictions since it has 128-bit encryption built into it, this is probably the strange information you are speaking about when you tried to download the software.
  Sorry I can’t be of more help. Good Luck!
  Reply Quote
#53 written by Alexey 2 years ago
Oops. I forget. My router model is Contivity 1010
Reply Quote
#54 written by Alexey 2 years ago
damn Contivity it doesnt work properly with any distrib of m0n0wall and pfSense. Please, help me to get Nortel Firmware for this router :-(
Reply Quote
#55 written by Dan Garcia 2 years ago
Wonder what is the official position about the site owner about using the forum for sharing Nortel Software.
Reply Quote
#56 written by duzers 2 years ago
Hi!
Alexey write me duzers(at)rambler.ru
Reply Quote
#57 written by Valentin Neacsu 2 years ago
Hi,
I managed to configure the SSL part of the router so HTTPS works, but I can’t get SSH working no matter what I try.
valentin@valentin-laptop:~$ ssh -v admin@192.168.21.2
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.21.2 [192.168.21.2] port 22.
debug1: connect to address 192.168.21.2 port 22: Connection refused
ssh: connect to host 192.168.21.2 port 22: Connection refused
SSH is opened for both private and public. Any advice is welcomed.
Thanks.
Reply Quote
- #58 written by Michael McNamara 2 years ago
  Hi Valentin,
  Have you enabled the SSH server? Within the web GUI under Servers -> SSH, select “SSH Service Enabled”.
  You also need to have SSH enabled on the specific interface under Services -> Available.
  Good Luck!
  Reply Quote
#59 written by Alexey 2 years ago
Hi Michael McNamara!
It’s not a “hacking”.
If you open the case of Contivity you can unplug CF and make it image useing cardreader and any kind of unix system (dd).
Thanks for answer. I try to find another way of reanimation this damn router. Or Duzerz will help me. I wrote the letter to him.
Reply Quote
- #60 written by Michael McNamara 2 years ago
  Hi Alexey,
  Using the term “hacking” I meant the process of actually opening up the router and messing around with the file system, etc. It wasn’t meant in a derogatory way… I have “hacked” away at a Symbol WS5000 Wireless LAN switch that also uses a CF (Compact Flash) card as an IDE device.
  Thanks for the comment!
  Reply Quote
- #61 written by Urri 1 year ago
  Hi Alexey!
  Have you any CF image from 1xxx device? I have problems with CF on my Contivity 1100.
  Reply Quote
#62 written by Valentin Neacsu 2 years ago
Hi Michael,
I have enabled the SSH server and permitted it on both the public and private interfaces. It refuses SSH connections on both interfaces. Is there anything else i can try?
Thanks,
Valentin
Reply Quote
- #63 written by Michael McNamara 2 years ago
  Hmm… you’re using the correct IP address? You should be trying to connect to the management IP interface, not the routing IP interface. It would be the same IP address that you use to establish an HTTPS/SSL session to the web GUI.
  I will assume that you are using the correct IP address. Are you using the default “deny all” filter on the public and private interfaces or are you running a custom filter? Are you running the firewall on either interface? Assuming that you’ve rebooted the router and it’s not a code issue I would guess that something is blocking traffic to tcp/22. Try using the default “deny all” filters on the private interface and/or the “allow all” filter on the private interface.
  I tried this last night on a VPN 1700 with V07_05.400 software and it just worked on the first shot.
  Cheers!
  Reply Quote
#64 written by Valentin Neacsu 2 years ago
Michael,
I am using the correct IP address, the same one that is used for HTTP management. Both interfaces are using a “permit all” filter. The firewall is enabled for the public interface, with rules doing port mapping and port forwarding. I have rebooted the router several times, but I haven’t tried upgrading the software version (1750 V07_05.300 build date Sep 10 2007, 10:31:42).
Thanks,
Valentin
Reply Quote
#65 written by Valentin Neacsu 2 years ago
Hi Michael,
I have managed to get SSH working on the 1750, but I have a couple of 1010′s that don’t have SSH in the Servers menu. Is there anything I can do about it?
Thanks,
Valentin
Reply Quote
- #66 written by Michael McNamara 2 years ago
  Hi Valentin,
  If it’s not in the menus it might not be available in the specific version of software you have installed on the router. I have a 1010 here that is running V07_05.400 (128-bit) and it has the SSH server option available as a means of managing the VPN router.
  Sorry I can’t be of more help!
  Reply Quote
#67 written by Valentin Neacsu 2 years ago
BTW, is there any reason why a 1750 wouldn’t accept more than one simultaneous PPTP sessions?
Reply Quote
- #68 written by Michael McNamara 2 years ago
  Hi Valentin,
  I believe it’s a configurable option with respect to the number of concurrent logins a user can have. Check under Profiles -> Group -> “Your Group” -> Connectivity -> Number of Logins. I’m not sure if it applies with an enduser/branch using PPTP but it definitely applies for IPSec endusers using the Nortel VPN client.
  Cheers!
  Reply Quote
#69 written by Valentin Neacsu 2 years ago
Hi Michael,
I had 50 logins configured with 2 or 3 simultaneous PPTP clients not being able to connect. The parent group had 5 logins and I changed that to 50 aswell, but it didn’t have any effect. Any other idea that I can try out?
Thanks,
Valentin
Reply Quote
#70 written by Mohammad Akram 2 years ago
Hi Micheal,
Iam facing a strange issue with Nortel VPN router 1100,Observed from LAN 0 interface statistics, IP Local system filter drops are increasing frequently
not sure why it is increasing,Can you please help me out,Please find the below details.
IP Packet Drops
IP Routing Filter Drops 0
IP Local System Filter Drops 14738
IP Local Interface Filter Drops 78
IP PAT Drops 0
IP Header Error Drops 0
IP QoS Random Drops 0
IP QoS Forced Drops 0
IP Zero Source Address Drops 99
IP Source Address Equals Destination Address Drops 0
IP Bad Packet Length Drops 0
IP Bad Header Length Drops 0
IP Bad Checksum Drops 0
IP Packet Too Short Drops 0
IP Bad Options Drops 0
IP No Buffer To Fragment Drops 0
IP Cannot Fragment Drops 12
IP Cannot Forward Drops 0
IP No Protocol Drops 0
IP No Route Drops 104
IP Bad Version Drops 0
IP 802.1Q Untagged Drops 0
IP 802.1Q Tagged Drops 0
TOTAL 15031
Thanks & Regards,
Akram
Reply Quote
- #71 written by Michael McNamara 2 years ago
  I seem to have missed quite a few posts here, my apologies Mohammad.
  Those stats are probably indicators of your interface filters dropping packets. Is this the public or private interface? If things are working fine you can probably ignore the statistic. If this is your public interface and you have the default “deny_all” filter applied to the interface you’re going to see a lot of dropped packets from all the script kiddies, virii, trojans, worms, port scanners, etc.
  If this is your private interface you could be dropping packets internally. Again you should look at the interface level and see what filter you have defined.
  Cheers!
  Reply Quote
#72 written by JC 2 years ago
That was very good write up…thumbs up! I have encountered an issue with a pair of Nortel 1010′s. The VPN switches are connected through 2 DSL lines, both DSL lines have a static IP address. The branch-to-branch tunnel is running properly, but when I connect to one of the 1010′s through the Contivity client, I am not able to ping anything at the remote end and vice versa. The end goal of this branch-to-branch tunnel is to pass a video stream; an encoder at one end, and a decoder at the other. These devices must be on the same subnet (ie, 192.168.1.x) in order to “see” each other and pair up, and they use port #5510.
Any tips/ideas on this? Thanks!
Reply Quote
#73 written by Michael McNamara 2 years ago
Hi JC,
I’ve started a few forums to help users post their own questions and issues;
http://forums.networkinfrastructure.info/nortel-vpn-routers/
In the meantime I’m somewhat confused when you talk about using the Contivity client. I’m assuming that you mean the Nortel VPN Client, the full IPSec VPN client that gets installed onto a Windows desktop. However, you also talk about two Nortel 1010 VPN Routers and building a point to point tunnel over two DSL lines. In any case your last statement, “devices must be on the same subnet” is probably going to be the most problematic. Your going to need to build a tunnel (IPSec, L2TP, etc) and then bridge across that tunnel as opposed to route across the tunnel.
Off the top of my head I’m not sure the 1010 VPN router can bridge across a tunnel connection.
Try to start a thread in the forums and I’ll try to research the topic for you.
Good Luck!
Reply Quote
#74 written by Yuri 2 years ago
Hi Mike,
I have a contivity 1010 at the main office and now I can connect with a vpn connection, the problem that I have is , when I connected from my home I can not navigate for internet.
Any idea?
Thanks
Yuri
Reply Quote
- #75 written by Michael McNamara 2 years ago
  Hi Yuri,
  This behavior depends on the configuration of your main office Nortel 1010 VPN (Contivity) router. The Nortel VPN (IPSec) Client will assign you an internal IP address when you connect to the main office. Is that IP address able to access the Internet from your office location? By default all traffic will be routed across the IPSec tunnel back to your Nortel 1010 VPN router and placed onto your internal network.
  Example; after making a VPN client connection I open a web browser and try to load http://www.google.com, the traffic will leave my desktop, travel over the IPSec tunnel to the Nortel 1010 VPN router, after it’s routed out the internal interface it will then try to reach the remote network through your coporate firewall or whatever appliance you have in your environment.
  If you only want traffic for your internal network to route across the IPSec tunnel you need to look into setting up Split-Tunneling within the Nortel 1010. That configuration would then route traffic for your internal network, say 10.10.0.0/16, across the IPSec tunnel while routing all remaining traffic out your regular LAN connection and ultimately to the Internet.
  I’ve started a few forums to help users post their own questions and issues;
  http://forums.networkinfrastructure.info/nortel-vpn-routers/
  If you make a post over there I’ll try to provide you some command line examples of how to set it up.
  Good Luck!
  Reply Quote
#76 written by Dan Garcia 2 years ago
Michael (or anyone who may help),
I have the following problem:
While configuring a VPN Router 1750:
CES#show version
Software Version: V07_05.300
MAC Address: 00-1C-EB-XX-XX-XX
BIOS Version: PO11
I configured 2 subinterfaces, on a vlan tagged environment:
CES#show interface Fastethernet 0/1
FastEthernet Interface 0/1 Configuration
Filter : permit all
IP Address : 10.156.248.10
Mac pause : Disabled
MTU : 1500
Public/Private : Private
Status : Enabled
802.1Q : Enabled
802.1Q Interface VLAN ID: 2
FastEthernet Interface 0/1 Configuration
Description : Telephony VLAN
Filter : permit all
IP Address : 172.16.200.1
Status : Enabled
Subinterface : 2
802.1Q Interface VLAN ID: 4
FastEthernet Interface 0/1 Configuration
Description : WIFI Lan
Filter : permit all
IP Address : 192.168.100.1
Status : Enabled
Subinterface : 1
802.1Q Interface VLAN ID: 3
The NVR1750 succesfully provides internet access to any of the vlans configured, which have they proper DHCP Server per vlan configured.
Now, i just found out, the NVR1750 is fwd packages between vlans, and i can’t stop that. I disabled pretty much any routing protocol, but Natting (since traffic needs to go out to the internet). I pretty much ran out of ideas, here. I need to stop inter-vlan traffic somehow. I got the following entries in the routing table:
CES#show ip route
Protocol IP Address Mask Cost Next Hop Interface
————————————————————————
STATIC 0.0.0.0 255.255.255.255 [10] xxx.xxx.xxx.185 xxx.xxx.xxx.187
DIRECT_N 10.156.248.0 255.255.255.0 [0] 10.156.248.10 10.156.248.10
DIRECT_H 10.156.248.10 255.255.255.255 [0] 127.0.0.1 127.0.0.1
MGMT 10.156.248.51 255.255.255.255 [0] 127.0.0.1 127.0.0.1
DIRECT_N 172.16.0.0 255.255.0.0 [0] 172.16.200.1 172.16.200.1
DIRECT_H 172.16.200.1 255.255.255.255 [0] 127.0.0.1 127.0.0.1
DIRECT_N xxx.xxx.xxx.184 255.255.255.248 [0] xxx.xxx.xxx.187 xxx.xxx.xxx.187
DIRECT_H xxx.xxx.xxx.187 255.255.255.255 [0] 127.0.0.1 127.0.0.1
DIRECT_N 192.168.100.0 255.255.255.0 [0] 192.168.100.1 192.168.100.1
DIRECT_H 192.168.100.1 255.255.255.255 [0] 127.0.0.1 127.0.0.1
As you see, i have some DIRECT_N(etwork) and DIRECT_H(ost) entries that i can’t get rid of it.
Anyone has an idea of how to solve this?
Thanks!
Dan.-
Reply Quote
- #77 written by Michael McNamara 2 years ago
  Hi Dan,
  I would guess (without trying it myself) that you’ll need to create some filter rules to prevent communication between the two interfaces. If you think about it the VPN router is acting just like a typical router, you need to create some filters to drop packets to the other networks.
  If you have trouble just let me know and I can try to write a few in the testlab.
  Cheers!
  Reply Quote
  - #78 written by Dan Garcia 2 years ago
    Michael,
    I guess help will be very welcome.
    I’m trying to set the interface filter, but the vpn router is acting very strange (either that, or i dont understand mucho about how this filters works).
    I have 2 sub-interfaces:
    Int: 10.156.251.0/24
    SubInt1: 192.168.100.0/24
    Subint2: 172.16.200.0/16
    I placed a filter restriction on the main interface to block icmp traffic going to the ip 192.168.100.50/32, and all the icmp trafic, from the 10.156.251.0 network (going anywhere, even the internet) was blocked. Same results when i set the filter either incoming or outgoing. Am I assuming the use of the interface filters wrong??
    Reply Quote
    - #79 written by Michael McNamara 2 years ago
      Hi Dan,
      It’s been a few years since I’ve had to play with the configuration of those VPN routers… I’m guessing that an interface filter is the right approach. Just as a side note I believe the IP masks in the interface filter are inverse masks similar to Cisco ACL masks. You may also need to build an allow all rule at the bottom of the filter rules.
      We use a lot of different filters on the actual VPN tunnel connections but we’ve never really had a need to use them on the interface level.
      I can’t make any promises but I’ll see what I can dig up in testing.
      Cheers!
      Reply Quote
      - #80 written by Dan Garcia 2 years ago
        Thanks for the tips about the CISCO – ACL Style.
        I’ll try again based on this info. I didn’t see any example of this nor in the pdfs about filtering and/or in a vpn router book released in 2004.
        Dan.-
        Reply Quote
      - #81 written by Dan Garcia 2 years ago
        Man, right on the money! Wonder why nortel adopted that cisco-minded-acl-way for the filters.
        Anyways, I’m happilly setting my inter-subinterface filters now :)
        I owe you a steak :)
        Reply Quote
#82 written by Dan Garcia 2 years ago
I just found this on the running config:
ip default-network 190.94.81.185 public 10 enable
! !!! RIP is currently disabled
! !!! In order to properly provision
! !!! RIP it will be temporarily enabled
! !!! When RIP provisioning is complete
! !!! RIP will be set back to disabled
router rip
timers basic 30
network 10.156.251.10 255.255.255.0
network 172.16.200.1 255.255.0.0
network 192.168.100.1 255.255.255.0
exit
Basically, the router is enabling RIP routing on its own!
Any ideas how finally kill that for good?
Thanks
Dan.-
Reply Quote
- #83 written by Michael McNamara 2 years ago
  Sorry I missed your post Dan.
  On the Nortel VPN Routers RIP is enabled by default. I believe your configuration above indicates that it is disabled because there’s no “rip enable” command present. You can check in the GUI and you can check using a packet sniffer to see if the VPN router is putting out any RIP packets.
  Good Luck!
  Reply Quote
#84 written by Valentin Neacsu 2 years ago
Hi Michael,
Can you please advise how I can make a Nortel VPN Router 1750 push a route to its PPTP clients, other than the default route?
I want it to push 192.168.0.0/16 but I am unable to find such a setting in the GUI.
Thanks,
Valentin
Reply Quote
- #85 written by Michael McNamara 2 years ago
  Hi Valentin,
  I’ve never used PPTP clients so I can’t really answer you definitively. With PPTP it might be a function of the client, I’m not exactly sure having only read about it and never actually set one up.
  I would probably advise you to use IPSec clients if at all possible, much easier and much more secure and PPTP clients have some known weaknesses.
  Sorry I can’t be of more help!
  Reply Quote
#86 written by George Neman 2 years ago
Hi, Michael! Why are DHCP requests forwarded to 10.2.16.40 in your config? This ip address is missing here http://blog.michaelfmcnamara.com/2008/02/vpn-router-branch-office/. What additional commands need to be done to make 10.2.16.40 accept DHCP requests? Will it work if all IP addresses are assigned manually and no DHCP service enabled?
Reply Quote
- #87 written by Michael McNamara 2 years ago
  Hi George,
  I think you’ve just stumbled over a bug in WordPress for me… I’ll need to dig a little deeper on why your comment made today (9/6/09) appears before my last comment (8/20/09).
  Anyways let me answer your question. You can ignore the article that you referenced in your comment, it’s an older version of this artcile that I never cleaned up – but I will do so right after this response. I use a central IP Management plaform (Alcatel-Lucent VitalQIP) that integrates IP management with DHCP and DNS. I want all my branch office equipment to either have their static IP addresses registered in my central solution or I want them to get DHCP/BOOTP addresses from a few different centralized DHCP servers that then feed back into my IP management solution.
  To answer your question, that’s all you need assuming that your DHCP server is properly setup and ready to go.
  You can certainly statically assign the IP addressing, there’s nothing stopping you from doing it like that. In my environment that would be a management nightmare as devices usually move regularly which would require a technician/field engineer to visit the location to reconfigure the statically assigned devices.
  Hopefully that answers your question! If not please head over to the forums and post any follow-ups there!
  http://forums.networkinfrastructure.info/nortel-vpn-routers/
  Cheers!
  Reply Quote
  - #88 written by George Neman 2 years ago
    Thanks, good luck!
    Reply Quote
#89 written by JamesW 2 years ago
Hi,
The company I work for uses Nortel Contivity’s for third party VPN’s.
We regularly have requests to build a third party filter and often it is very time consuming.
I have the commands used via the CLI which helps to cut down on time, but what I’m really after is some sort of perl script, excel macro or alike that can be used to generate the config.
Ideally something where I enter server name (or IP), protocol required and then hey presto!
Have you seen a scripts that could do this?
Thanks.
James.
Reply Quote
- #90 written by Michael McNamara 2 years ago
  Hi James,
  I would agree that the filters within the Nortel VPN Router (Contivity) can be very painful. I don’t personally have any scripts but we do have a few well developed filter sets which are well documented and then use those to provision additional filters. We also have a set of “standard” filters that we apply to almost all of our environments. Just remember that the IP mask is an inverse mask similar to Cisco when you are defining IP ranges/addresses.
  Cheers!
  Reply Quote
#91 written by Opsimex 2 years ago
Michael,
Running a Nortel 1010 @ main office & BSR222 at my BOs – 222s connect to the 1010. Tunnels are up and running, everything is solid – EXCEPT I can’t pass traffic between remote subnets – branch office to branch office.
I have turned on items under System->Forwarding on the 1010.
Any ideas on where else to look?
Thanks.
Reply Quote
- #92 written by Michael McNamara 2 years ago
  Hi Opsimex,
  Why not post your question over on the forums?
  http://forums.networkinfrastructure.info/nortel-vpn-routers/
  I would start with some simple pings and traceroutes. Is the routing in place? Is there anything of interest in the logs?
  Good Luck!
  Reply Quote
  - #93 written by Opsimex 2 years ago
    Nah, it’s all going into the bit bucket as far as I can tell. I’ll try that forum.
    Thanks!
    Reply Quote
#94 written by satheesh 2 years ago
any one help me in ADVANCED ROUTING KEY/STATUS for contivity 1700 running in version V05_00.136
Reply Quote
#95 written by roudy 1 year ago
Hello Michael, ive accidentaly set the remote management console on a bsr 222, but didnt set a rule on the firewall to allow the access:(
I figure I may be able to do this via the coms port, but just wanted your advice before I do it. Ive configured a few routers via comms, but would the menu system be similar to above and could I alter them back to lan access.
I only ask as the site is quite a distance from my home, hence trying to allow the wan access in the first place.
Hope you can help
Reply Quote
- #96 written by Michael McNamara 1 year ago
  Hi Roudy,
  You can certainly configure the BSR222 via the serial console port. The menu will look a little different than you might be accustom to but it is usable.
  Here’s a phrase from the configuration manual;
  “The embedded web configurator is an all platform, web based utility that you can use to easily manage and configure the Business Secure Router. Most functions of the Business Secure Router are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu driven interface that you can access from a terminal emulator through the console port or over a Telnet connection.”
  You can also read more about the BSR222 on my blog.
  Good Luck!
  Reply Quote
#97 written by roudy 1 year ago
After spending hours searching the internet for a solution and even quickly going through the manual you linked to I was unable to find what i wanted.
However I spotted your website by chance and saw all of the kind help you gave others, so i thought I would give it a shot and post here.
you came back to me extremely fast and with exactly the info I needed. went to site, the interface was far easier then i expected, and now i can access from home.
All is sorted now, and I owe a great deal of thanks to you, mega cheers to you.
big cheers, and thank you for being so helpful.
Reply Quote
- #98 written by Michael McNamara 1 year ago
  I’m happy I was able to help roudy!
  Cheers!
  Reply Quote
#99 written by Richard 1 year ago
Mike,
HELP!!!
I am trying to port forward RDP on port 7779 with a bsr222 to a PC addressed 192.168.1.73 within my vpn scope.
the router is vpned into another bsr222 at a location 8 miles away.
I attempt to remote desktop by using external ip colon port#
this worked previously on my Fios router, but I cannot get it to work on the bsr222 router.
I setup as sua/nat within the router
port range start= 7779 end= 7779 server= 192.168.1.73
what am i missing?
Reply Quote
- #100 written by Michael McNamara 1 year ago
  Hi Richard,
  I can’t say that I’ve ever tried to setup a ‘port forward’ configuration with the BSR222.
  In any case did you make the necessary firewall changes to allow your the traffic in from the WAN to the LAN? Sorry I can’t offer more help.
  Good Luck!
  Reply Quote
  - #101 written by Richard 1 year ago
    Mike, the firewall was off and continues to be off.
    Reply Quote
#102 written by Tim 1 year ago
Michael,
Is it possible to tell whether a software load is 56bit or 128 bit and if so which file indicates this….
Also !!! if I load a 56bit version onto a 1050 designed to be a 128bit box apart from the obvious will there be any problems?
Thanks again
Reply Quote
#103 written by redflowers 1 year ago
Hello sir
I am a communications engineer, I have a problem with the device
(vpn nortel 1100), the problem is after the push the button (pinhole) marked REC on the back panel and plugged in via consol cable entry through the
Hyper terminal I can not enter the password
I know the username is admin and password is setup
Please help me I’m in trouble and wants to help But all this can not log in
Regards
Reply Quote
#104 written by Devendra 1 year ago
I have to replace peer IP on VPN Router CES1600D
through GUI . what other entries need to replaced apart from peer ip. Head office has PIX for IPSec VPN
can you provide vpn configuration document for Nortel router CES1600D.
Reply Quote
- #105 written by Michael McNamara 1 year ago
  Hi Devendra,
  Assuming that the NVR (formerly Contivity Extranet Switch) has a default route to the Internet that includes the main office peer IP all you should need to-do is to change the remote IP address under the branch tunnel connection profile (Profiles -> Branch Office -> Group -> Connection).
  Good Luck!
  Reply Quote
#106 written by Luger 10 months ago
I need to know how to do a backup with the contivity 1010 via GUI. It is inherited and I am not familiar. Also, is there an admin guide I can find anywhere?
Reply Quote
- #107 written by Michael McNamara 10 months ago
  Hi Luger,
  You can find the manuals on the Avaya support website which is here – http://support.avaya.com/css/Products/P0815/Installation,%20Migrations,%20Upgrades%20&%20Configurations
  Within the Avaya VPN Router management GUI you should find Backup (or Auto Backup) under the Admin tab. From this point you can configure a FTP server to backup the entire system to although the FTP destination needs to be on the LAN side of the VPN router.
  Good Luck!
  Reply Quote
#108 written by Gerd 10 months ago
Michael,
I have a 1010 operating here with a block of 8 public IP’s, used for different purposes, mainly through NAT. I now had to an additional block of 8 IPs, naturally in a complete different range. These are not recognized by my current config; I assume I have to add them to the 1010s configuration but I have now idea how. Any help would be appreciated!
Thanks
Reply Quote
- #109 written by Michael McNamara 10 months ago
  Hi Gerd,
  You need to modify the FW/NAT table to utilize the new IP addresses. You’ll need to launch a Java based utility from the Contivity management interface.
  Good Luck!
  Reply Quote
#110 written by Juan Manuel 8 months ago
Hi Michael
I am trying to make a VPN between 2 Nortel contivity equipments, in my side the equipment is 1010 and it is connected to a DSL service through PPPoE.
I am getting the static public IP address direct to the device, the ISP device is working as a bridge.
in the other side they have a PUBLIC IP to make the connection and have other offices connected
We are setting up the VPN as initiator-responder with 3DES 1024 bits group 2 IPSEC, Preshared Key and No NAT.
unfortunately i have not been able to establish the connection I am receiving always the error:
FAILED LOGIN ATTEMPT
IPSEC 192.x.x.x. has no active sessions
IPSEC 192.x.x.x. has no active accounts
DELETING ISAKMP SA with 192.x.x.x.
any advise of what is wrong?
thanks in advance.
Juan
Reply Quote
#111 written by Michael McNamara 8 months ago
Hi Juan,
I would check and re-check your configuration. If you are using aggressive mode what are you using to authenticate the connection? Are you sure you have the same Initiator ID on both VPN routers? Have you enabled the Branch Profile on both VPN routers? (I believe it defaults to disabled). Are you sure you are using the same pre-shared key on both VPN routers?
Good Luck!
Reply Quote
#112 written by Rune Gøgsig 4 months ago
Any one having a newer version of the software for conectivity 1010. My version is V04_80.124 ?
Or where i can download it.
rune AT goegsig dot dk
Reply Quote
- #113 written by Michael McNamara 4 months ago
  Hi Rune,
  You’ll need a support contract from Avaya to upgrade the NVR 1010. I also believe they have been discontinued so I’m not sure Avaya would even sell you a support contract. Your best bet would be to contact your Avaya sales engineer.
  Good Luck!
  Reply Quote
#114 written by anthony benny 4 months ago
Hi Michael,
I have an issue with a nortel contivity 1100. For some strange reason ( which I can’t explain) I am unable to get into, I’ve tried all the passwords and even reset it which it says is booting from the recovery image but still unable to get into it. any ideas?
Reply Quote
#115 written by Ray 3 months ago
I have a 1010 setup as a BO that I also need to operate as a DHCP server. I have the connection up and DHCP is handing out IP addresses, but I get no DNS resolution to MO. Outbound routing is set to Private Private, I have tried adding option 6 to the DHCP server pointing to DNS servers in the MO, but that didn’t work (they don’t even list when you look at a computer that picked up it settings from DHCP). Any help is greatly appreciated.
Thanks,
Ray
Reply Quote
- #116 written by Ray 3 months ago
  Never mind, forgot that the options are available in both the defined pool and the main DHCP server config. All fixed.
  Reply Quote
#117 written by David Fletcher 2 months ago
This is the most helpful page I have found anywhere for setting up nortel VPN tunnels. I have one question. Is it possible to change route preferences (AD in cisco terminology). I’ve got 2 tunnels…one with RIP routing and one with static routing. RIP tunnel is the primary and the static is the backup but since its static it is taking priority. I’ve working on this off and on for over a month and any help would be greatly appreciated.
Thanks!!
Reply Quote
- #118 written by Michael McNamara 2 months ago
  Hi David,
  You should be able to make the static route more costly…. so your RIP route will be preferred and then in it’s absence the static route will take over.
  When you define the remote IP network in the branch office profile just set the COST to a value higher than your RIP route/tunnel.
  Cheers!
  Reply Quote
#119 written by David Fletcher 2 months ago
Anthony,
Here are the password recovery procedures.
Unplug the router for 30 seconds, and then restart it. Push in the button labeled “REC” located on the back panel of the router within the pinhole.
Open your internet browser and access the router’s user interface. Type “192.168.1.1″ into the address bar.
Click the “Restore original factory settings” button, then click on the “Restore” button. Once the process is complete, you will receive a message stating “Successful Factory Restore.”
Restart the router again. The factory settings will have been restored to the router. The user ID will now be “admin” and the password will be set to “setup.”
David
Reply Quote

#120 written by David Fletcher 2 months ago

Even setting the cost to the max value of 200 on the static still does not force it to take preferance. Here are 2 sh ip routes. There first is with the static tunnel disabled and the second is with it enabled. Once I enable it it replaces the RIP default route and brings the first tunnel down. Any more suggestions I could try?

CES#sh ip route
Protocol IP Address      Mask            Cost Next Hop        Interface
------------------------------------------------------------------------
RIP      0.0.0.0         0.0.0.0         [13] 66.162.203.82   68.153.238.18
STATIC   0.0.0.0         255.255.255.255 [10] 68.153.238.17   68.153.238.18
DIRECT_N 10.39.0.0       255.255.248.0   [0]  10.39.0.3       10.39.0.3
DIRECT_H 10.39.0.2       255.255.255.255 [0]  127.0.0.1       127.0.0.1
DIRECT_H 10.39.0.3       255.255.255.255 [0]  127.0.0.1       127.0.0.1
STATIC   66.162.203.80   255.255.255.252 [10] 68.153.238.17   68.153.238.18
STATIC   66.162.203.82   255.255.255.255 [10] 68.153.238.17   68.153.238.18
DIRECT_N 68.153.238.16   255.255.255.248 [0]  68.153.238.18   68.153.238.18
DIRECT_H 68.153.238.18   255.255.255.255 [0]  127.0.0.1       127.0.0.1
Total route(s) 9
CES#
CES#
CES#
CES#sh ip route
Protocol IP Address      Mask            Cost Next Hop        Interface
------------------------------------------------------------------------
STATIC   0.0.0.0         0.0.0.0         [200] 97.75.157.210   68.153.238.18
STATIC   0.0.0.0         255.255.255.255 [10] 68.153.238.17   68.153.238.18
DIRECT_N 10.39.0.0       255.255.248.0   [0]  10.39.0.3       10.39.0.3
DIRECT_H 10.39.0.2       255.255.255.255 [0]  127.0.0.1       127.0.0.1
DIRECT_H 10.39.0.3       255.255.255.255 [0]  127.0.0.1       127.0.0.1
STATIC   66.162.203.80   255.255.255.252 [10] 68.153.238.17   68.153.238.18
STATIC   66.162.203.82   255.255.255.255 [10] 68.153.238.17   68.153.238.18
DIRECT_N 68.153.238.16   255.255.255.248 [0]  68.153.238.18   68.153.238.18
DIRECT_H 68.153.238.18   255.255.255.255 [0]  127.0.0.1       127.0.0.1
Total route(s) 9
CES#

Thanks so much!

Reply Quote

#121 written by Michael McNamara 2 months ago
Hi David,
Sorry for the late response… what’s the route for the tunnel you are working with?
It’s not a default route is it? 0.0.0.0?
Cheers!
Reply Quote

#122 written by Thomas 3 weeks ago
HI MICHAEL,
I need two “Advanced routing licenses” for Nortel 1750, please helpme leting me know what part number it is, and who could be able to provide it.
Now, if some one from the forum is able to provide these, please letme know to tbravot AT yahoo.com
Regards
Editor: updated to remove the email address and save the SPAM.
Reply Quote
- #123 written by Michael McNamara 3 weeks ago
  Hi Thomas,
  Unfortunately I believe that hardware has already been EoL by Avaya.
  http://support.avaya.com/css/P8/documents/100120822
  Sorry.
  Reply Quote
#124 written by Michael McNamara 2 years ago
I’m happy I was able to help…
We accidentally stumbled over that a few years ago when we were writing filters for some of our VPN tunnels that connect to third party networks.
Cheers!
Reply Quote
Type your comment
You may use these HTML tags: <a> <abbr> <acronym> <b> <blockquote> <cite> <code> <del> <em> <i> <q> <strike> <strong>
Notify me of followup comments via e-mail. You can also subscribe without commenting.
Comment Feed for this Post

SPONSOR
Tweets
Michael McNamara 381 followers 565 tweets
- @CaptainHostile Hahaha... Unfortunately man day only comes once a year! Hope you enjoyed it! Now back to the beat down.11 hours ago
- @PaulALeroux That's probably a very good idea! ;)3 days ago
- Motorola Wireless LAN Switch – New Software Releases | Michael McNamara http://t.co/9QDqWpUn 3 days ago
- Any thoughts @MotoSolutions with AP300 adoption on WiNG 5.2.1 | Network Infrastructure Forums - http://t.co/9ghpD7sD 4 days ago
Blogroll
LICENSE
This blog licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
This license lets others remix, tweak, and build upon my work even for commercial purposes, as long as they credit me and license their new creations under the identical terms.
You must provide attribution in the derived work and you must include a link to the original content.

Nortel VPN Router Configuration Guide

SPONSOR

Tweets

Blogroll

LICENSE