Welcome to the Contivity Secure IP Services Gateway
Copyright (c) 1999-2004 Nortel Networks, Inc.
Version: V05_00.136
Creation date: Aug 20 2004, 15:50:15
Date: 07/23/1980
Unit Serial Number: 11221

Please enter the administrator's user name: admin
Please enter the administrator's password:

Main Menu: System is currently in NORMAL mode.

1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode FALSE
7) Allow HTTP Management TRUE
8) Firewall Options
9) Shutdown
B) System Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes

Please select a menu choice (1 - 9,B,P,C,L,R,E):
The first step is to configure the IP addressing for the private LAN and public WAN interfaces. Using the serial console, select “L) Command Line Interface” from the menu above.
CES>
Once you are in the CLI the prompt changes to “CES>”. Enter privileged mode with the “enable” command; on a factory-fresh unit the admin password is the well-known default “setup”.
CES>enable
Password: *********
Let’s take care of the easy stuff first. I’m currently working in the Eastern time zone;
CES#clock timezone est
CES#clock set 15:22:30 12 JANUARY 2005
As you can see from the example, the syntax is clock set <hh:mm:ss> <day> <month> <year>. Setting the clock before anything else matters more than it looks: the banner above shows the unit booting with a 1980 date, and IKE lifetimes, certificate validity checks and log timestamps all depend on a sane clock.
Now enter configuration mode with the commands below. We’ll change the admin password before anything else: the factory default “setup” is public knowledge, and the main menu above shows HTTP management enabled (Allow HTTP Management TRUE), so anyone who can reach the management address could otherwise log in.
CES#configure terminal
Enter configuration commands, one per line. End with Ctrl/z.
CES(config)#
CES(config)#adminname admin password <standard password>
We’ll configure the private LAN IP Address. In the example below I’m using 10.2.203.1 as the LAN address of the branch office VPN router.
CES(config)#interface FastEthernet 0/1
CES(config-if)#ip address 10.2.203.1 255.255.255.0
CES(config-if)#exit
Next we’ll configure the MANAGEMENT IP Address. The LAN address and management IP address must be on the same subnet.
CES(config)#ip address 10.2.203.10
Management address set to 10.2.203.10 successfully !
Next, make sure Mgt addr and private LAN addr are on same subnet
CES(config)#
Use the IP addressing that has been assigned to the equipment you’re configuring in place of the addresses used above. Next we’ll assign the public WAN IP address provided by the Internet Service Provider (ISP), which in this case happens to be Verizon DSL;
CES(config)#interface FastEthernet 1/1
CES(config-if)#ip address 70.256.1.10 255.255.255.0
%Warning: The IP address type is changed from DHCP dynamic to static
CES(config-if)#exit
CES(config)#ip default-network 70.256.1.1 public
CES(config)#ip name-server 151.197.0.38 151.197.0.39 199.45.32.43
NOTE: FastEthernet 0/1 is the PRIVATE LAN while FastEthernet 1/1 is the PUBLIC WAN. The public address 70.256.1.10 and gateway 70.256.1.1 above are placeholders (256 is not a valid octet, so neither is a real IPv4 address); substitute the address and gateway your ISP assigned.
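Before typing the addressing above into a device it is worth checking the plan mechanically. The following is an added example written for this page, not Nortel code and not from the original post: it parses the ip address and ip default-network lines shown above (the interface roles are assumed from the NOTE, FastEthernet 0/1 private and 1/1 public) and reports anything that breaks the rules the walkthrough states, including the management address having to sit in the private LAN subnet and the placeholder public address 70.256.1.10 not being a valid IPv4 address.

```python
# Added example (not Nortel code): sanity-check the private LAN / management /
# public WAN addressing plan before it goes into the CES console.
import ipaddress
import re

# Constructed sample: the CLI lines from the walkthrough, including the
# deliberately bogus public address 70.256.1.10 (octet 256 is out of range).
SAMPLE_CONFIG = """\
interface FastEthernet 0/1
ip address 10.2.203.1 255.255.255.0
exit
ip address 10.2.203.10
interface FastEthernet 1/1
ip address 70.256.1.10 255.255.255.0
exit
ip default-network 70.256.1.1 public
"""

PRIVATE_IF = "FastEthernet 0/1"   # assumption taken from the page's NOTE
PUBLIC_IF = "FastEthernet 1/1"

_IFACE = re.compile(r"^interface\s+(\S+\s+\S+)$")
_ADDR = re.compile(r"^ip address\s+(\S+)(?:\s+(\S+))?$")
_DEFNET = re.compile(r"^ip default-network\s+(\S+)\s+public$")


def parse_addressing(config: str) -> dict:
    """Collect private/public (ip, mask), the management ip and the public gateway."""
    plan = {"private": None, "public": None, "mgmt": None, "gateway": None}
    current = None                     # interface whose config block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        if line == "exit":
            current = None
            continue
        m = _ADDR.match(line)
        if m:
            ip, mask = m.group(1), m.group(2)
            if current is None:        # a global 'ip address' is the management address
                plan["mgmt"] = ip
            elif current == PRIVATE_IF:
                plan["private"] = (ip, mask)
            elif current == PUBLIC_IF:
                plan["public"] = (ip, mask)
            continue
        m = _DEFNET.match(line)
        if m:
            plan["gateway"] = m.group(1)
    return plan


def check_addressing(config: str) -> list:
    """Return a list of problem strings; an empty list means the plan is consistent."""
    plan = parse_addressing(config)
    problems = []

    def subnet(pair, label):
        # Convert (ip, dotted mask) to a network, recording bad addresses/masks.
        if pair is None:
            problems.append(f"{label}: no ip address configured")
            return None
        try:
            return ipaddress.IPv4Interface(f"{pair[0]}/{pair[1]}").network
        except ValueError as e:
            problems.append(f"{label}: invalid address/mask {pair[0]} {pair[1]} ({e})")
            return None

    priv = subnet(plan["private"], "private LAN (FastEthernet 0/1)")
    pub = subnet(plan["public"], "public WAN (FastEthernet 1/1)")

    # Rule from the page: the management address must sit in the private LAN subnet.
    if plan["mgmt"] is None:
        problems.append("management: no address configured")
    else:
        try:
            mgmt = ipaddress.IPv4Address(plan["mgmt"])
        except ValueError as e:
            problems.append(f"management: invalid address {plan['mgmt']} ({e})")
        else:
            if priv is not None and mgmt not in priv:
                problems.append(f"management {mgmt} is not inside private LAN {priv}")
            elif plan["private"] and mgmt == ipaddress.IPv4Address(plan["private"][0]):
                problems.append("management address duplicates the private LAN address")

    # The public default gateway must be a valid address on the public WAN subnet.
    if plan["gateway"] is None:
        problems.append("public: no default-network gateway configured")
    else:
        try:
            gw = ipaddress.IPv4Address(plan["gateway"])
        except ValueError as e:
            problems.append(f"gateway: invalid address {plan['gateway']} ({e})")
        else:
            if pub is not None and gw not in pub:
                problems.append(f"gateway {gw} is not on public WAN subnet {pub}")
    return problems


if __name__ == "__main__":
    for p in check_addressing(SAMPLE_CONFIG):
        print("PROBLEM:", p)
```

Run against the sample it reports the two placeholder public addresses; swap them for real ones and it returns an empty list, and moving the management address to another /24 produces the "not inside private LAN" finding that the CES itself only hints at with its "make sure Mgt addr and private LAN addr are on same subnet" message.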
Let’s disable the services we won’t be using and trim the IPsec proposal list. PPTP and L2TP are turned off on both interfaces; the 40-bit and 56-bit DES proposals, everything using MD5, and the authentication-only hmac-md5/hmac-sha1 entries are removed, leaving 3DES-SHA1 and AES256-SHA1. Keep in mind that 3DES and SHA-1 are legacy choices today; keep 3DES only if the far end cannot negotiate AES.
CES(config)#no tunnel protocol pptp public
CES(config)#no tunnel protocol pptp private
CES(config)#no tunnel protocol l2tp public
CES(config)#no tunnel protocol l2tp private
CES(config)#ipsec encryption 3des-sha1
CES(config)#ipsec encryption aes256-sha1
CES(config)#no ipsec encryption aes128-sha1
CES(config)#no ipsec encryption des40-md5
CES(config)#no ipsec encryption des40-sha1
CES(config)#no ipsec encryption des56-md5
CES(config)#no ipsec encryption des56-sha1
CES(config)#no ipsec encryption hmac-md5
CES(config)#no ipsec encryption hmac-sha1
Let’s configure the “Base” default Branch Office Group with the standard settings. The IKE proposal 3des-group2 selects 3DES with Diffie-Hellman group 2 (1024-bit MODP), which is the weakest link in this setup by current standards; use a stronger group if both ends support one.
CES(config)#bo-group ipsec /Base
CES(config-bo_group/ipsec)#encryption 3des-sha1
CES(config-bo_group/ipsec)#encryption ike 3des-group2
CES(config-bo_group/ipsec)#antireplay enable
CES(config-bo_group/ipsec)#no compress
CES(config-bo_group/ipsec)#initial-contact enable
CES(config-bo_group/ipsec)#exit
Let’s add a designator for the local network (to be used later – replace with your IP network)
CES(config)#network add LocalNetwork ip 10.2.203.0 mask 255.255.255.0
Let’s add a sub group and a tunnel connection for our IPsec tunnel. The pre-shared key password987 is only a placeholder; use a long random string and configure the identical key on the main office side.
CES(config)#bo-group add /Base/AcmeHealth
CES(config)#bo-conn add Acme-1 /Base/AcmeHealth
CES(config)#bo-conn Acme-1 /Base/AcmeHealth
CES(config/bo_conn)#conn-type peer2peer
CES(config/bo_conn)#local-endpoint 70.256.1.10
CES(config/bo_conn)#remote-endpoint 192.1.1.124
CES(config/bo_conn)#tunnel-type ipsec
CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn)#routing type static
CES(config/bo_conn)#state enable
CES(config/bo_conn)#routing static
CES(config/bo_conn/routing_static)#local-network LocalNetwork
CES(config/bo_conn/routing_static)#remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
CES(config/bo_conn/routing_static)#exit
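To see which of the settings from the previous three steps (the protocol and proposal clean-up, the Base group’s IKE proposal and the tunnel’s pre-shared key) would still draw comment in a review, here is an added example written for this page rather than taken from Nortel or the original post. It treats PPTP/L2TP left enabled, 40/56-bit DES and MD5 as errors, 3DES, SHA-1 and DH group 2 as legacy warnings, and applies a length and character-class check to the pre-shared key; the thresholds (20 characters, 3 classes) and the classification itself are the reviewer’s assumptions, not Nortel’s.

```python
# Added example (not Nortel code): lint the tunnel-protocol, IPsec proposal,
# IKE proposal and pre-shared-key lines from the configuration steps above.
import re

# Constructed sample: the CLI lines used in the walkthrough, in config order.
SAMPLE_CONFIG = """\
no tunnel protocol pptp public
no tunnel protocol pptp private
no tunnel protocol l2tp public
no tunnel protocol l2tp private
ipsec encryption 3des-sha1
ipsec encryption aes256-sha1
no ipsec encryption aes128-sha1
no ipsec encryption des40-md5
no ipsec encryption des56-sha1
no ipsec encryption hmac-md5
bo-group ipsec /Base
encryption 3des-sha1
encryption ike 3des-group2
antireplay enable
exit
bo-conn Acme-1 /Base/AcmeHealth
ipsec authentication text-pre-shared-key password987
exit
"""

BAD = ("des40", "des56", "md5")        # assumption: export/single DES or MD5 -> error
LEGACY = ("3des", "sha1", "group2")    # assumption: 3DES, HMAC-SHA1, 1024-bit DH -> warning
MIN_PSK_LEN = 20                       # assumption: shorter pre-shared keys are flagged
MIN_PSK_CLASSES = 3                    # assumption: of lower/upper/digit/other

_TUNNEL = re.compile(r"tunnel protocol (\S+) (public|private)$")
_PROPOSAL = re.compile(r"(?:ipsec )?encryption (?:ike )?(\S+)$")
_PSK = re.compile(r"ipsec authentication \S*pre-shared-key (\S+)$")


def psk_issues(psk: str) -> list:
    """Length and character-class checks on a pre-shared key."""
    issues = []
    if len(psk) < MIN_PSK_LEN:
        issues.append(f"pre-shared key has {len(psk)} characters, fewer than {MIN_PSK_LEN}")
    classes = sum([
        any(c.islower() for c in psk),
        any(c.isupper() for c in psk),
        any(c.isdigit() for c in psk),
        any(not c.isalnum() for c in psk),
    ])
    if classes < MIN_PSK_CLASSES:
        issues.append(f"pre-shared key uses {classes} character classes, fewer than {MIN_PSK_CLASSES}")
    return issues


def lint_crypto(config: str) -> dict:
    """Return {'error': [...], 'warning': [...]} for the crypto settings in config."""
    findings = {"error": [], "warning": []}
    for raw in config.splitlines():
        line = raw.strip()
        negated = line.startswith("no ")
        body = line[3:] if negated else line

        m = _TUNNEL.match(body)
        if m:
            if not negated:                # PPTP/L2TP still enabled on an interface
                findings["error"].append(f"{m.group(1)} enabled on {m.group(2)} interface")
            continue

        m = _PROPOSAL.match(body)          # global list, BO group ESP, or IKE proposal
        if m:
            if negated:
                continue                   # a removed proposal is the outcome we want
            prop = m.group(1).lower()
            if any(t in prop for t in BAD):
                findings["error"].append(f"weak proposal enabled: {line}")
            elif any(t in prop for t in LEGACY):
                findings["warning"].append(f"legacy proposal enabled: {line}")
            continue

        m = _PSK.match(body)
        if m:
            findings["error"].extend(psk_issues(m.group(1).strip('"')))
    return findings


if __name__ == "__main__":
    for level, msgs in lint_crypto(SAMPLE_CONFIG).items():
        for msg in msgs:
            print(f"{level.upper()}: {msg}")
```

On the walkthrough’s own lines the only errors are the two pre-shared-key findings; the four warnings are the 3DES, SHA-1 and group 2 proposals, which is exactly the list you would revisit when the peer gains AES and a larger DH group. The same lint runs unchanged over a `show running-config` dump, because the bo-group and bo-conn sub-mode lines use the same keywords.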
Let’s set up the DHCP relay agent, forwarding our DHCP/BOOTP requests to 10.2.16.40. Note that the ip default-network line below repeats the public default route set earlier, but with a different gateway; it only needs to be set once, with the gateway your ISP gave you.
CES(config)#no service dhcp enable
CES(config)#ip default-network 70.20.130.1 public
CES(config)#ip dhcp-relay 10.2.203.1
CES(config)#ip dhcp-relay 10.2.203.1 enable
CES(config)#ip helper-address 10.2.203.1 server 1 10.2.16.40
CES(config)#ip forward-protocol dhcp-relay
Since we’re routing everything over the IPsec tunnel (the remote-network was 0.0.0.0 with a mask of 0.0.0.0) we need to change the default route preference, so that traffic matching the default route goes to the tunnel rather than straight out the public interface.
CES(config)#ip default-route-preference private private
That’s the short approach to configuring the Nortel VPN Router from the CLI. There is also a somewhat old and slow web interface you can use to configure the VPN router; you only need to point a web browser at the management IP address.
Cheers!
Update: Wednesday December 10, 2008
Here’s the pinout for the special RJ45 to DB9 serial cable used to access the diskless VPN routers;
Cheers!
#1 by Curtis on September 22, 2008 - 11:04 am
Actually, the web interface in version 7.0x code is much improved over the Java-based user interface on 6.x and older.
However, they could make me happy if they’d get rid of the little musical interlude when accessing the 7.0x web interface and Java device manager.
#2 by Michael McNamara on September 22, 2008 - 8:12 pm
Hi Curtis,
The new web interface is definitely much cleaner but it’s still rather slow for my liking. Nortel’s Java Device Manager plays the same little musical interlude, which you can disable. I haven’t seen a place to disable the one you’re referring to just yet.
Thanks for the comment!
#3 by Linksys on October 1, 2008 - 3:31 pm
I liked your guide, Michael! Simple, clean, truncated — just the way any developer likes to organize his work.
Thank you for the useful information!
#4 by Michael McNamara on October 5, 2008 - 11:52 am
Thanks for the comment!
#5 by considerthis on October 8, 2008 - 10:17 pm
This is a well written summary. I think you may have saved me many hours of grief. I’m going to try this out tomorrow. Thank you very very much!
#6 by Michael McNamara on October 9, 2008 - 12:37 am
Thanks for the comment and good luck!
#7 by Randy Banaria on November 24, 2008 - 10:57 am
This is a good sample configuration, though I haven’t tested it yet. :)
Thanks a lot.
regards,
randy
#8 by Benny on December 1, 2008 - 11:30 am
Hi there!
Does any one of you know how to reset the admin password on a Nortel Contivity VPN 1050? This has not been used for a long time; now I want to reconfigure it, but no luck because I forgot the admin password… :(
#9 by Emil on December 4, 2008 - 12:16 pm
Sorry for my bad English.
Where can I find the pinouts for this “special RJ45 -> DB9 console cable”?
I tried a Cisco console cable and a straight-through cable; they do not work.
Help please.
#10 by Michael McNamara on December 11, 2008 - 12:28 am
Hi Emil,
I found the pinout on page 44 of the “Nortel VPN Router Installation — VPN Router 1010/1050/1100”. I’ve updated the article above with a graphic of the pinout.
Good Luck!
#11 by Michael McNamara on December 11, 2008 - 12:35 am
Hi Benny,
Here’s an excerpt from the Nortel documentation.
Diskless VPN Routers (1010, 1050, 1100)
1. Restart the router and push the button (pinhole) marked REC on the back panel during the memory test. Note it is not necessary to hold it. This will put the router into Recovery mode.
2. Once the startup is complete, open a web browser and direct it to the management IP address to open the GUI.
3. Once there, select the radio button marked Restore original factory settings and click on the Restore button.
4. When the message “Successful Factory Restore” appears at the top of the screen perform a restart. It is now at Factory Default. The administrator userid will be returned to admin, with the password returned to setup. As the management IP address is no longer present, the console must be used to enter both the management and private interface IP addresses.
Good Luck!
#12 by Muhamad M.Shaker on January 11, 2009 - 9:18 am
Dear sir ,
Kindly, I work as a telecom network engineer and I have no experience with Nortel, and all our systems are from Nortel, and I am a new joiner, so I would like you to send me the troubleshooting for the 1750 VPN connection and configuration, and also for the 1100 router, and I shall contact you again in case I desire to know some information related to Nortel products. Thanks for caring and for your efforts.
#13 by Muhamad M.Shaker on January 11, 2009 - 9:54 am
Dear sir,
Kindly, I have a Nortel CS 1000 (IP Telephony). When the telephone is connected to a PC the link gets a speed of 100 Mbps, and when I connect the cable directly to the PC without the phone it gets 1 Gbps, whereas all the PCs connect through a phone and should get 1 Gbps because our link speed is 1 Gbps. What is the problem in this case and how do I troubleshoot it? I use Telephone Manager to monitor and manage the systems.
Muhamad M.Shaker
#14 by Michael McNamara on January 11, 2009 - 11:56 am
Hi Muhamad,
You’re welcome to review the information I have concerning the Nortel VPN Router. If you are looking for the manuals I would suggest you create an account on Nortel’s website and download the specific manuals you’re looking for.
Your second post is off topic with respect to VPN routers although I’ll answer your question. What model of Nortel phone are you using? The i2002/i2004 phones only support 100Mbps, you need to use the 1120e/1140e/1150e models if you want 1Gbps.
Good Luck!
#15 by Muhamad M.Shaker on January 12, 2009 - 1:01 am
Good Day Sir,
Kindly, I use the 1120E, 1140E and 1150E and all of them are working fine at 1 Gbps, but I have a problem with some phones: when a PC is connected through the phone it gets 100 Mbps, while all the phones work at 1 Gbps. What is the problem and how am I able to troubleshoot it?
#16 by Michael McNamara on January 12, 2009 - 7:47 pm
Hi Muhamad,
This really isn’t on topic for a VPN router post but I’m happy to reply. I can’t really provide you the magic bullet answer. What firmware version are you running on your IP phones? Is it the latest and greatest? If not I would advise you to upgrade. What has your voice reseller said about the problem? I’m assuming the phones are all configured for autonegotiation on the PC ports. I haven’t observed any autonegotiation issues myself with any of the aforementioned phones.
Good Luck!
#17 by Muhamad M.Shaker on January 22, 2009 - 5:24 am
Hi Michael,
How are you today?
I would like you to tell me a forum site for inquiries about Nortel voice and Nortel products, please.
Thanks and regards.
Muhamad M.Shaker
#18 by Michael McNamara on January 22, 2009 - 1:53 pm
Hi Muhamad,
If you look at the right sidebar under “Links” you’ll see two Tek-Tips forums that I believe you’ll find helpful.
In case you can’t find them;
Tek-Tips Nortel Networking Forum
Tek-Tips Nortel Succession Forum
Good Luck!
#19 by duzers on January 27, 2009 - 11:14 am
Hi!
I have a BO tunnel on a 1010! And I want to direct 0.0.0.0 on the BO side into the tunnel! But I can’t.
ip default-route-preference private ?
private Defines that private routes will be preferred as default routes
public Defines that public routes will be preferred as default routes
sh running-config profile bo-conn
bo-conn add “CO-Ochak” “/Base/C-Ok” conn-type peer2peer
bo-conn “CO-Ochak” “/Base/C-Ok”
state enable
filter “permit all”
local-endpoint 212.26.x.y
remote-endpoint 212.26.x.y
routing type static
routing static
local-network “LAN”
remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
exit
tunnel-type ipsec
ipsec authentication etext-pre-shared-key “a”
no mtu enable
mtu 1788
exit
#20 by Michael McNamara on January 27, 2009 - 9:01 pm
Hi Duzers,
I’m going to assume that you have the tunnel configured properly on both sides. In general the default configuration will not route 0.0.0.0 across the tunnel even if you have the networks setup properly. You need to issue the following command;
CES(config)#ip default-route-preference private
That command will instruct the CES to route traffic that matches the default route across the private tunnel interface as opposed to the public interface. You will still need a public “default route” and public IP address for the CES to communicate properly with the MO (Main Office).
If you’re having issues try just setting up a Class C network in the tunnel configuration and testing that. Once you know that works you can go back to troubleshooting the default route issues.
Thanks for the comment!
#21 by duzers on January 28, 2009 - 4:35 am
The tunnel is properly up. And I can’t issue the following command
CES(config)#ip default-route-preference private
because my CES tells me
ip default-route-preference private <enter>
result
ip default-route-preference private
^
% Incomplete command. See ‘^’ marker.
ip default-route-preference private ?
private Defines that private routes will be preferred as default routes
public Defines that public routes will be preferred as default routes
#22 by Michael McNamara on January 29, 2009 - 1:06 am
We’re missing another “private” on the end of that command;
CES(config)#ip default-route-preference private private
Give that a try.
Good Luck!
#23 by duzers on January 29, 2009 - 3:58 am
Doesn’t work :(
I can’t ping the MO net from the BO!
Help me please!
I don’t want to deploy dynamic routing or set my MO nets manually.
#24 by Michael McNamara on January 30, 2009 - 12:36 am
Unfortunately all my Nortel VPN Routers are now running OSPF and are dual-homed to two Internet Service Providers so I don’t have an example to immediately look at. So you’ve built the network as 0.0.0.0/0.0.0.0 and that tunnel is up and packets are going in and out. When you dump your routing table does it have a destination of 0.0.0.0 pointing to the tunnel interface?
Sorry I can’t help more.
#25 by Ganesh Kumar on January 30, 2009 - 3:41 am
Hi,
I have one query on Nortel VPN router functionality for tunnel redundancy using static routes.
We can have tunnel redundancy if we configure OSPF as the routing protocol in the tunnel parameters.
The local side is a Nortel 600 and the remote location is a Nortel 2700.
I configured 2 tunnels with remote sites (RS) 1 and 2 for the same remote network:
Tunnel 1 (terminated at RS 1 with static cost 10)
Tunnel 2 (terminated at RS 2 with static cost 20)
I have tried the same using static routes, but it fails; I checked the routing table and found the routing entry is still present for tunnel 1, and due to this entry traffic is not able to flow through tunnel 2.
If you have any suggestion, kindly provide the same to fix this issue.
Regards,
Ganesh
#26 by Michael McNamara on January 31, 2009 - 1:48 pm
Hi Ganesh,
Here’s the problem you need to confront with static routing – how to update the route depending on which path is available. The issue here is that the Nortel VPN Router will always have an entry in the routing table regardless of the state the actual tunnel is in (up/down). The routing table entry needs to be there so traffic makes it to the VPN router and the router can then bring up the actual tunnel. If you had redundant physical connections (multiple ISPs) then I believe you might be able to do something with static routes to provide redundancy.
I’m doing exactly what you are trying to-do with OSPF routing. I’ve adjusted the OSPF costing on one of the tunnels so that traffic will only traverse the primary tunnel unless it goes down. I have two main office VPN Router 1700s connected to my network at different geographic locations using two different Internet Service Providers. I run OSPF between the two on my core backbone.
You’ll need the Advanced Routing License for the Nortel VPN Routers to enable OSPF functionality.
Cheers!
#27 by duzers on February 5, 2009 - 12:03 pm
Hi!
(MO)172.16.16.209/20— 172.16.19.44/20(Router)192.168.40.1—192.168.40.3(Contivity 1010 BO)—192.168.41.1(LAN)
What must I write for the 0.0.0.0 route on the BO so that BO to MO works properly?
I have the following routing table on the BO:
CES#sh ip route
Protocol  IP Address     Mask             Cost  Next Hop       Interface
--------------------------------------------------------------------------
STATIC    0.0.0.0        0.0.0.0          [11]  172.16.16.209  192.168.40.3
STATIC    0.0.0.0        255.255.255.255  [1]   192.168.40.1   192.168.40.3
DIRECT_N  192.168.40.0   255.255.255.0    [0]   192.168.40.3   192.168.40.3
DIRECT_H  192.168.40.3   255.255.255.255  [0]   127.0.0.1      127.0.0.1
MGMT      192.168.41.2   255.255.255.255  [0]   127.0.0.1      127.0.0.1
I did
CES(config)#ip default-route-preference private private
but
CES#sh branch-office sessions
Summary:
Current Sessions:
Branch Office: 0
When I write an assumed net that is on the MO
CES(config/bo_conn/routing_static)#remote-network 192.168.1.1 mask 255.255.255.0
the tunnel is up and I can ping the remote MO net from the BO LAN
CES#sh branch-office sessions
Summary:
Current Sessions:
Branch Office: 1
Where is my fault?
#28 by Frank on February 5, 2009 - 12:31 pm
Hi Michael, do you know how to do a password recovery without resetting to factory defaults on a Contivity 1750?
Thanks.
#29 by Michael McNamara on February 5, 2009 - 7:04 pm
Hi Frank,
I don’t believe it’s possible but please don’t take my word as gospel. I’ll ask around and let you know but I’m thinking it’s not possible without using some extraordinary means (extracting the physical hard disk and then mounting the disk/filesystem with another computer – perhaps Linux – and copying the necessary files to an alternate location so you could restore the configuration after you factory reset the VPN router itself)
You can refer to the Nortel VPN Router Recovery Floppy post for a link that will show you how factory reset the switch.
Good Luck!
#30 by Michael McNamara on February 5, 2009 - 8:08 pm
Hi Duzers,
I’m not sure I follow your IP addressing scheme. You understand that whatever IP networks you set up in the BO must be set up in the MO? I’m very suspicious of your configuration and I’m not sure you understand exactly what you’re doing. If you change the IP networks/hosts in the tunnel on the BO side you need to make the same change on the MO side. The IP networks/hosts need to match or the tunnel won’t come up.
In the article I describe how to configure a BO (Branch Office) Nortel VPN router. How did you setup the MO (Main Office)?
On the Main Office you’d need to setup a matching tunnel. The endpoints would be reversed from the Branch Office and the IP networks would be reversed. Here’s a quick example which would match the example from my original post above;
CES(config)#network add DefaultNetwork ip 0.0.0.0 mask 0.0.0.0
…
…
CES(config/bo_conn)#conn-type peer2peer
CES(config/bo_conn)#local-endpoint 192.1.1.124
CES(config/bo_conn)#remote-endpoint 70.256.1.10
CES(config/bo_conn)#tunnel-type ipsec
CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn)#routing type static
CES(config/bo_conn)#state enable
CES(config/bo_conn)#routing static
CES(config/bo_conn/routing_static)#local-network DefaultNetwork
CES(config/bo_conn/routing_static)#remote-network 10.2.203.0 mask 255.255.255.0 state enable cost 1
CES(config/bo_conn/routing_static)#exit
If the tunnel doesn’t come up you’ve got other problems that you’ll need to fix. I would suggest you examine the logs for an idea of where you might start troubleshooting.
CES# show logging event
Good Luck!
#31 by Ganesh Kumar on February 6, 2009 - 2:41 am
Hi,
You are recommending we go with Advanced Routing; it is not feasible to use static routes for tunnel redundancy.
Regards,
Ganesh
#32 by duzers on February 6, 2009 - 6:15 am
Thanks for your support!
I did what I wanted to do!
I’ve only had experience with Cisco routers, not Nortel.
At first the Nortel router confused me a lot.
Thanks a lot for your help.
#33 by Michael McNamara on February 7, 2009 - 4:20 pm
Hi Ganesh,
The issue here is using static routing to provide redundancy. There are a number of different vendors, Nortel included, where you can provide redundancy with static routes if you are using interfaces where the router can detect a link failure, such as a serial link, and then remove the static route from the routing table. There’s also the question of which side (Main Office / Branch Office) has the redundant Internet connection. When you throw Virtual Private Networking into the mix you really have a stew of problems. I’m only familiar with the Nortel VPN router but it will always advertise a route to a tunnel even if the tunnel isn’t up and/or available. In that case you need OSPF to provide a means of deciding which tunnel to use and then feed that information back into the backbone routing table.
I believe the only way to accomplish redundancy from the Main Office side is to use OSPF. In this case you’d have two Internet links into different locations for redundancy at the Main Office side. You could load-balance traffic across the two tunnels or you could set the OSPF costs such that one tunnel would be the primary and the second would be the standby.
Cheers!
#34 by Dan on February 12, 2009 - 1:43 pm
I’m having this on a NVR1750:
—–
Boot Image Version: V07_00
Creation date: Oct 19 2006, 13:08:04
auto-booting…
done.
Performing Check Disk on [/ide0/] …
Copyright (c) 1993-1996 RST Software Industries Ltd. All rights reserved
ver: 2.6 FCS
Disk Check In Progress …
total disk space (bytes) : 2,146,631,680
bytes in each allocation unit : 32,768
total allocation units on disk : 65,510
bad allocation units : 0
available bytes on disk : 2,145,746,944
available clusters on disk : 65,483
maximum available contiguous chain (bytes) : 2,145,746,944
available space fragmentation (%) : 0
clusters allocated : 27
Done Checking Disk.
Cannot open “/ide0/system/bin/vxWorks”.
Error loading /ide0/: errno = 0x380003.
Attaching to floppy disk device… dosFsDevInit failed on [/fd0/system/bin/floppyos.i86].
usrFdConfig failed.
Error loading file: errno = 0x380001.
Error during dosFsDevInit[0,0]: d0006
usrIdeConfig /ide0/ failed.
Error loading /ide0/: errno = 0xd0006.
Can’t load boot file!!
Task tBoot Crashed in $Id: rebootLib.c 1.1 1997/09/16 13:38:51 JLawrence SafetySave $ at line 86. ( 0x18edb)
[Nortel Networks Boot]:
——-
The floppy boot doesn’t allow me to restore the system (I got some sort of access denied error when I try to write to the disk), and I’m trying to boot the system from FTP (looks like it’s possible)
but I don’t know the commands and parameters to change the boot device from this menu to FTP, even if I see many parameters that suggest it can be possible.
Any suggestions?
Thanks,
Dan.-
#35 by Dan on February 12, 2009 - 2:32 pm
This is the error I get when I try to upload the software to the VPN router after a drive format:
02/12/2009 13:14:08 0 FTP Restore [13] Beginning to Restore from host 192.168.1.3
02/12/2009 13:14:16 0 FTP Restore [11] Starting to restore files from host 192.168.1.3
02/12/2009 13:14:16 0 FTP Restore [13] Error Creating file: /ide0/system/V07_00.062.tar.gz. Error: S_dosFsLib_ILLEGAL_NAME
02/12/2009 13:15:16 0 FTP Restore [11] Restore error = 000000a3.
#36 by Michael McNamara on February 12, 2009 - 6:08 pm
Hi Dan,
How did this problem come about? Did you replace the hard drive with one you purchased on your own?
I’m guessing the format option completes successfully? I’m not really sure what to make of this, unless the drive is formatted (FAT16/FAT32) in such a way that the VPN router doesn’t understand. What filesystem does the Nortel VPN router use? Sorry I can’t be of more help, perhaps someone else will chime in.
Thanks for the comment!
#37 by Dan on February 12, 2009 - 10:41 pm
OK. Here is all what happened in very short steps.
1) New VPN Router 1750
2) Upgrade to Version 8
3) Something went wrong and I had an intermittent noise coming out of the VPN Router 1750
4) Factory default of the NVR1750
5) Noise still there
6) Boot with recovery disk
7) Format HD successfully
8) Unable to restore an image
9) Dan is dead
I guess in the end I just need the correct procedure to install the image to a formatted hard disk OR someone kind enough to provide an image of a 1750 so I can take the HD out and d/l the image to that one (if that could even work, of course).
#38 by Michael McNamara on February 12, 2009 - 11:11 pm
Hmm… it was sounding bad but still running fine? Does it still sound bad now?
What version of software did you use to make the recovery/boot diskette?
I’m wondering if they changed the filesystem format in the new release, although I doubt it. The recovery diskette might not know how to deal with compressed (optimized) archives. I would try un-compressing (tar zxvf -filename-) the archive and then try having the VPN router download the software.
Good Luck!
#39 by Joyce Vong on February 13, 2009 - 6:07 pm
Hi Mike,
I am new to Contivity. I have a dumb question. What do 0.0.0.0/0 and 0.0.0.0/32 represent? I have a hard time understanding which is the public default route and which is the private default route, and which is the public interface and which is the private interface. So say I am in the MO where I have the outside interface facing the internet and where the tunnel is built. And I have an inside interface where I am facing a firewall, which in turn will face the LAN.
So is inside interface = private interface?
Is outside interface = public interface?
The virtual tunnel interface is what?
What does public default route mean? Which interface?
What does private default route mean? Which interface?
So there are 3 routings I need. Forget about NAT and that kind of stuff, just pure routing. Say the MO LAN is 10.1.1.0/24. Say the BO LAN is 10.2.1.0/24. So the MO ISP public address is 65.65.65.65 and the BO ISP address is 66.66.66.66.
So when the MO LAN wants to talk to the BO LAN, the packet has 10.2.1.x as destination and goes through the firewall and hits the Contivity inside interface. So now here is the first routing:
the Contivity will need to know how to reach 10.2.1.x, so let’s say we put in a static route saying for 10.2.1.x, the next hop is my BO ISP 66.66.66.66. So the tunnel is built and the tunnel source address is 65.65.65.65 with destination 66.66.66.66.
So now the second routing comes: the Contivity will say, how do I go to 66.66.66.66? Then I can have a static route to say go to 65.65.65.65.
On traffic returning to the MO, when the Contivity decrypts the tunnel, then it says how do I go to 10.1.1.x on the MO LAN? Then there will need to be a route in the Contivity to point it to use the inside interface towards the firewall.
So I wonder, if all I have is just one static route for 10.2.1.x for the BO LAN in the MO’s Contivity, then how do 0.0.0.0/0 and 0.0.0.0/32 route me correctly? I mean I don’t know what these two quad zeros mean in Contivity and what public/private default routes mean.
I know in Cisco 0.0.0.0/0 means default route in general so I don’t know the concept of a private and a public default route.
Can you please help to clarify?
thanks,
Joyce
#40 by Michael McNamara on February 13, 2009 - 6:52 pm
Hi Joyce,
That’s quite a long post you have there… I’ll try to give you a quick explanation that hopefully makes sense. In case I miss the point I’ll quote directly from the Nortel manual.
Here’s an excerpt from the manual;
When Public is enabled, all packets that do not go across a tunnel to defined remote networks continue to transmit out of the public interface using the public default Nortel VPN Router (0.0.0.0/32 in the forwarding table). Any packets going to defined remote networks go across the branch office tunnel and cannot have any remote network equal to 0.0.0.0/0.0.0.0 (default route). For example, if you want to get to the DNS server on the public network, select private-to-public for the routing decision.
When Private is enabled, all packets transmit over your branch office tunnel and not out the public interface because the branch office tunnel has a 0.0.0.0/0.0.0.0 remote network (statically defined or received by RIP). For example, if you want to reach the DNS servers on the corporate side of the branch office tunnel, select private-to-private for the routing decision.
You only need to modify the default-route preference if you wish to route 0.0.0.0/0 across a tunnel interface. What do I mean by that? In our corporate network we don’t want our branch office locations to have direct Internet access without going through our central firewall and content filtering solutions. So all traffic from the branch office is routed across the tunnel interface back to the main office so it can then be filtered and sent back out to the Internet if necessary. While this solution can incur performance penalties it provides maximum control over all branch office traffic.
You actually don’t need to manually create any routes other than defining the default routes in the GUI or CLI interfaces. When you define the IP networks/hosts within the tunnel configuration the Nortel VPN router will automatically add a route to the routing table. You are correct in your assumptions concerning the public and private interfaces. The public default-route points to your ISP while the private default-route points to your internal IP backbone. You must have a public default route; you can manually create static routes for your private network if you’re not comfortable with the thought of 2 default routes.
Here’s a link to the Nortel VPN Router Configuration Routing Release 7.0
Thanks for the comment, hopefully I’ve provided some help.
#41 by Joyce on February 13, 2009 - 11:51 pm
Hi Mike,
Thanks for your help and the link for the manual. I will read more on it. I have no experience with Contivity and need to understand an existing MO Contivity routing where I see 0.0.0.0/0 and 0.0.0.0/32 in the routing table and I don’t understand it.
Can you please tell me what 0.0.0.0/0 and 0.0.0.0/32 means?
Reading the above, does 0.0.0.0/0 represent the default route for traffic going to the private interface? Does the private interface refer to the tunnel and the interface facing the LAN? That means from the MO Contivity perspective, for traffic going to the inside LAN, this default route will be used? What about traffic to the BO LAN via the tunnel? Will this default route be used too? If so then it won’t make sense, because the inside LAN is on the inside interface while going through the tunnel is on the outside interface.
So does 0.0.0.0/32 represent the default route going to the ISP for non-tunnel internet traffic?
Show the Full Route Table

Seq  P  Ip Address/NetMask  Weight  Cost  NextHop     NextHopInterface  CId
---  -  ------------------  ------  ----  ----------  ----------------  ---
8    S  0.0.0.0/0           1       1     10.167.1.1  10.167.1.2        1
9    S  0.0.0.0/32          1       1     166.66.1.1  166.66.1.2        33
So in my MO, I have the following: LAN connecting to Layer 3 switches which connect to the firewall inside interface. Then from the firewall there are 2 additional interfaces: one is the public interface to the ISP router, another firewall interface is to the Contivity secure inside interface. So the Contivity has this inside secure interface facing the firewall and an outside interface facing the ISP router.
10.167.1.1 is the firewall interface facing the Contivity inside interface 10.167.1.2. The Contivity outside interface is 166.66.1.2 facing the ISP router 166.66.1.1. The firewall has an outside interface 166.66.1.3 and an inside interface facing the LAN at 10.1.1.1.
My question is: when the MO routes traffic to the BO LAN via the tunnel, I will have a static route pointing the BO LAN subnet to use the BO ISP tunnel interface as next hop. So which default route will it use to know how to reach the BO ISP address? I mean 0.0.0.0/0 or 0.0.0.0/32?
My BO will not do split tunneling. My BO will route all traffic inside the tunnel to reach the MO and then decrypt at the MO Contivity.
thanks again,
Joyce
#42 by Michael McNamara on February 16, 2009 - 6:15 pm
Hi Joyce,
You are correct in that 0.0.0.0/32 would be used for communicating with the ISP while 0.0.0.0/0 would be used to tunnel all traffic across to the MO. How does the Nortel VPN Router (Contivity) make its routing decision? I personally can’t say for sure, having never spent that much time testing the product. However, I believe it makes decisions based on the IP source/destination and the interface where the traffic is received.
You might find some additional information if you Google for “New Oak”, the company that Nortel (formerly Bay Networks) acquired which they then released as the Nortel Contivity Extranet Gateway.
Thanks again for the comments!
#43 by Joyce on February 16, 2009 - 5:36 pm
Hi Mike,
Thanks again. The part I am trying to figure out is that I have both 0.0.0.0/0 and 0.0.0.0/32 in my MO Contivity. I don’t have access to the BO to see the config there. So, purely looking at it from the MO Contivity’s perspective and seeing those two quad zeros, how would you determine which quad zero is for which purpose? I mean, if we just look at the MO’s perspective, there is an inside interface facing the firewall, and in turn the LAN of the MO. Then there is an outside interface on the MO Contivity facing the local ISP router where the tunnel is built.
Question 1: So now, when I have traffic coming from the LAN through the firewall, reaching the inside interface on the Contivity and wanting to reach the BO LAN, it will be encrypted in the tunnel going over the local ISP to the BO ISP. So when the Contivity needs to figure out how to reach the BO ISP address, which default route will it use? /0 or /32? Or another static?
Question 2: Now the traffic returns from the BO, coming into the MO Contivity and being decrypted. It wants to reach the MO LAN subnet, so which default route will it use to reach the MO LAN from the MO Contivity? /0 or /32?
thanks again Mike.
Joyce
#44 by Mihir Joshi on March 30, 2009 - 9:20 am
Hi Mike,
I have a Contivity configured with a BO tunnel. At the remote end I am using a Nortel Secure Router as the VPN router. Earlier I had a single router only, but now the customer has procured one more link with another Nortel Secure Router. Now I want to create the BO tunnel with that router, which should get established when my existing router/link goes down. Is it possible to do this with the same Contivity at the central side, as my remote network remains the same?
Regards,
Mihir
#45 by Michael McNamara on March 30, 2009 - 5:28 pm
You can use the same physical (VPN) routers, the issue you’ll run into is how to dynamically redistribute those routes across your network. As I mentioned in some previous comments I believe you’ll need the Advanced License on the Nortel VPN Router to run OSPF to provide active/active fault tolerance between the multiple tunnels (links).
Good Luck!
#46 by duzer on April 16, 2009 - 4:01 am
Hi Michael!
I have the same problem with my NVR 2700 at the MO and 1010/1100s at the BOs.
The 2700 has 2×100 Mbps NICs.
The Internet connection at the MO is 100 Mbps. At the BOs it is 2 Mbps in some places, 1 Mbps in others, etc.
And I build VPNs between the MO and the BOs, some IPsec, some L2TP.
I have the following problem:
The speed on the WAN NIC of the 2700 (where the VPNs terminate) doesn’t rise above 1 Mbps, but when I activate NAT on the 2700’s WAN and try to download a file from the Internet I get the true speed of 100 Mbps.
Filters on all interfaces are “permit all”.
Any suggestions?
#47 by Michael McNamara on April 16, 2009 - 10:45 pm
Hi Duzer,
I believe I understand the scenario… but let me just ask to be sure… you only get 1Mbps performance over a 100Mbps link? What’s the speed of the far end branch office? You mentioned in your post that it could be 1Mbps or 2Mbps… so wouldn’t it be in line to only expect 1Mbps of performance across a VPN tunnel to a site that only has a 1 Mbps Internet connection?
While I have three NVR 1700s that each have a 100Mbps connection to a switch, the actual uplink to the ISP is only 50Mbps.
You could try a test and connect an 1010/1100 to the same local network as the 2700. You could then build a VPN tunnel between the two VPN routers and test the bandwidth performance between the two over a true 100Mbps LAN.
Good Luck!
#48 by duzer on April 17, 2009 - 8:49 am
Thanks for reply.
I was talking about the speed of the BOs in total (BO#1 has ISP speed 1 Mbps, BO#2 has ISP speed 2 Mbps, BO#3 has ISP speed 512 Kbps...). All these BOs terminate on the MO (2700 WAN), and the speed on the WAN interface does not rise above 1 Mbps, although the MO has an ISP speed of 100 Mbps. The 1 Mbps on the MO is divided among the BOs (MO 1 Mbps = BO#1 speed 200 Kbps although its ISP speed is 1 Mbps + BO#2 speed 400 Kbps although its ISP speed is 2 Mbps + so on). The BOs do not use all their throughput, but when I set up NAT I got the speed claimed by the ISP.
I tried connecting a 1010 locally to the LAN interface of the 2700 and got the same result. On a 100 Mbps LAN I have 40 Kbps downstream speed. By the way, the speed on the LAN also has a threshold at 1.4 Mbps :(
#49 by Michael McNamara on April 18, 2009 - 11:16 pm
Hi Duzer,
I’m assuming that this isn’t a new installation and that you’ve inherited this router. It sounds to me like someone was playing around with the configuration. I have two 1700 and one 1740 and all three of them can reach upwards of 6Mbps moving traffic across IPSec tunnels. You might want to look over your configuration with a fine tooth comb… the hardware should be able to provide much more than what you are reporting.
Your symptoms don’t suggest these but you might want to look at them anyway, MTU and NIC duplex settings.
Good Luck!
#50 by duzer on April 19, 2009 - 2:33 pm
I see! I’ll try examine config 2700 more closely. Thank you for your time Michael.
#51 by Michael McNamara on April 20, 2009 - 9:45 pm
Hi Duzer,
Out of the box (default configuration) there shouldn’t be anything present to “throttle” the connection speeds. I’m guessing by your description that someone has setup the branch office tunnels to limit traffic, which is possible.
What are you using to determine your throughput/bandwidth?
If you are using MRTG to graph the interface you need to modify the MaxBytes parameter within the MRTG configuration file. The Nortel VPN Router will report all VPN tunnels as 56Kbps interfaces.
Cheers!
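The MaxBytes point above is worth seeing in numbers. The following is an added example, not code from the original post or from MRTG: it reproduces the rule documented in the MRTG reference (a sample whose computed rate exceeds MaxBytes is ignored) and the way cfgmaker derives MaxBytes from the SNMP ifSpeed value (bits per second divided by 8). The counter samples are constructed; the 56 kbit/s figure is the one the comment above says the VPN router reports for tunnel interfaces.

```python
"""
Why an MRTG graph of a VPN tunnel can flat-line below the real throughput.

Added example, not code from the original post or from MRTG. It models the
documented MRTG rule that a sample above MaxBytes is ignored, and the
cfgmaker derivation MaxBytes = ifSpeed / 8. Counter samples are constructed.
"""
from typing import Optional


def max_bytes_from_ifspeed(if_speed_bps: int) -> int:
    """MaxBytes (bytes/s) as cfgmaker writes it from the SNMP ifSpeed value."""
    return if_speed_bps // 8


def rate_bytes_per_sec(old_counter: int, new_counter: int, interval_s: int,
                       counter_bits: int = 32) -> float:
    """Average bytes/s between two ifInOctets/ifOutOctets samples.

    A Counter32 wraps at 2**32; a single wrap between samples shows up as a
    negative delta and is corrected here.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    delta = new_counter - old_counter
    if delta < 0:
        delta += 1 << counter_bits
    return delta / interval_s


def mrtg_accept(rate: float, max_bytes: int) -> Optional[float]:
    """MRTG keeps a sample only if it does not exceed MaxBytes; otherwise None."""
    return rate if rate <= max_bytes else None


def graph_point(old_counter: int, new_counter: int, interval_s: int,
                if_speed_bps: int) -> Optional[float]:
    """What MRTG plots for one sample of an interface whose MaxBytes was
    derived from the ifSpeed the router reports (None = sample discarded)."""
    return mrtg_accept(rate_bytes_per_sec(old_counter, new_counter, interval_s),
                       max_bytes_from_ifspeed(if_speed_bps))


if __name__ == "__main__":
    # Constructed: 1 Mbit/s (125 000 B/s) sustained over a 300 s MRTG interval.
    OLD, NEW, INTERVAL = 1_000_000, 1_000_000 + 300 * 125_000, 300
    # Tunnel interface as the VPN router reports it: ifSpeed 56 kbit/s.
    print("MaxBytes derived from 56 kbit/s:", max_bytes_from_ifspeed(56_000))
    print("plotted with that MaxBytes:", graph_point(OLD, NEW, INTERVAL, 56_000))
    print("plotted with MaxBytes for 100 Mbit/s:", graph_point(OLD, NEW, INTERVAL, 100_000_000))
```

With the derived MaxBytes of 7000 bytes/s every sample from a tunnel moving 1 Mbit/s is thrown away, so the graph never shows the real rate; raising MaxBytes to what the physical uplink can carry (12 500 000 for a 100 Mbit/s link) makes the same samples plot normally. The same check applies to any poller that clamps or discards samples against a declared interface speed.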
#52 by duzers on April 21, 2009 - 8:01 am
Hi Michael !
I get statistics from Cacti.
I found the bad configuration string.
Statistics at the LAN interface:
IP QoS Forced Drops 269875
Reason: improperly configured QoS :/
#53 by Alexey on May 5, 2009 - 3:59 am
Hello.
I am from Russia, sorry for my bad English.
I tried to use a Contivity 1010 VPN router but it doesn’t work. I saved all the files that were on the CF and tried to use m0n0wall (m0n0wall.com) with this router. But it doesn’t work either. Now I want to go back to the Nortel firmware. I copied the files that I saved earlier back onto the CF and tried to boot the router. It writes the message “Disk error”.
I tried to download the firmware from nortel.com... it is impossible, they want strange information about me and my company...
Can you give me the firmware for this router, please?
I have a serial port cable for the console RJ-45 port.
I tried three versions of m0n0wall (1.235, 1.315, 1.316). Only 1.235 was bootable, but it doesn’t work after setting up the network interfaces.
#54 by Michael McNamara on May 7, 2009 - 2:48 pm
Hi Alexey,
I really don’t have any experience “hacking” the hardware of the 1010 model (or any model for that matter). The Nortel software is covered by export restrictions since it has 128-bit encryption built into it, this is probably the strange information you are speaking about when you tried to download the software.
Sorry I can’t be of more help. Good Luck!
#55 by Alexey on May 5, 2009 - 4:06 am
Oops, I forgot. My router model is Contivity 1010.
#56 by Alexey on May 6, 2009 - 3:07 am
Damn Contivity, it doesn’t work properly with any distribution of m0n0wall or pfSense. Please help me get the Nortel firmware for this router :-(
#57 by Dan Garcia on May 6, 2009 - 3:17 pm
I wonder what the site owner’s official position is about using the forum for sharing Nortel software.
#58 by duzers on May 7, 2009 - 2:12 am
Hi!
Alexey, write to me at duzers(at)rambler.ru
#59 by Valentin Neacsu on May 21, 2009 - 8:27 am
Hi,
I managed to configure the SSL part of the router so HTTPS works, but I can’t get SSH working no matter what I try.
valentin@valentin-laptop:~$ ssh -v admin@192.168.21.2
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.21.2 [192.168.21.2] port 22.
debug1: connect to address 192.168.21.2 port 22: Connection refused
ssh: connect to host 192.168.21.2 port 22: Connection refused
SSH is opened for both private and public. Any advice is welcomed.
Thanks.
#60 by Michael McNamara on May 26, 2009 - 9:13 pm
Hi Valentin,
Have you enabled the SSH server? Within the web GUI under Servers -> SSH, select “SSH Service Enabled”.
You also need to have SSH enabled on the specific interface under Services -> Available.
Good Luck!
#61 by Alexey on May 26, 2009 - 1:23 am
Hi Michael McNamara!
It’s not “hacking”.
If you open the case of the Contivity you can unplug the CF and make an image of it using a card reader and any kind of Unix system (dd).
Thanks for the answer. I will try to find another way of reanimating this damn router. Or Duzerz will help me; I wrote him a letter.
#62 by Michael McNamara on May 26, 2009 - 9:05 pm
Hi Alexey,
Using the term “hacking” I meant the process of actually opening up the router and messing around with the file system, etc. It wasn’t meant in a derogatory way… I have “hacked” away at a Symbol WS5000 Wireless LAN switch that also uses a CF (Compact Flash) card as an IDE device.
Thanks for the comment!
#63 by Valentin Neacsu on May 27, 2009 - 3:59 am
Hi Michael,
I have enabled the SSH server and permitted it on both the public and private interfaces. It refuses SSH connections on both interfaces. Is there anything else I can try?
Thanks,
Valentin
#64 by Michael McNamara on May 27, 2009 - 7:55 am
Hmm… you’re using the correct IP address? You should be trying to connect to the management IP interface, not the routing IP interface. It would be the same IP address that you use to establish an HTTPS/SSL session to the web GUI.
I will assume that you are using the correct IP address. Are you using the default “deny all” filter on the public and private interfaces or are you running a custom filter? Are you running the firewall on either interface? Assuming that you’ve rebooted the router and it’s not a code issue I would guess that something is blocking traffic to tcp/22. Try using the default “deny all” filters on the private interface and/or the “allow all” filter on the private interface.
I tried this last night on a VPN 1700 with V07_05.400 software and it just worked on the first shot.
Cheers!
#65 by Valentin Neacsu on May 27, 2009 - 3:16 pm
Michael,
I am using the correct IP address, the same one that is used for HTTP management. Both interfaces are using a “permit all” filter. The firewall is enabled for the public interface, with rules doing port mapping and port forwarding. I have rebooted the router several times, but I haven’t tried upgrading the software version (1750 V07_05.300 build date Sep 10 2007, 10:31:42).
Thanks,
Valentin
#66 by Valentin Neacsu on June 2, 2009 - 3:27 am
Hi Michael,
I have managed to get SSH working on the 1750, but I have a couple of 1010’s that don’t have SSH in the Servers menu. Is there anything I can do about it?
Thanks,
Valentin
#67 by Michael McNamara on June 4, 2009 - 10:35 pm
Hi Valentin,
If it’s not in the menus it might not be available in the specific version of software you have installed on the router. I have a 1010 here that is running V07_05.400 (128-bit) and it has the SSH server option available as a means of managing the VPN router.
Sorry I can’t be of more help!
#68 by Valentin Neacsu on June 2, 2009 - 3:30 am
BTW, is there any reason why a 1750 wouldn’t accept more than one simultaneous PPTP session?
#69 by Michael McNamara on June 4, 2009 - 10:39 pm
Hi Valentin,
I believe it’s a configurable option with respect to the number of concurrent logins a user can have. Check under Profiles -> Group -> “Your Group” -> Connectivity -> Number of Logins. I’m not sure if it applies with an enduser/branch using PPTP but it definitely applies for IPSec endusers using the Nortel VPN client.
Cheers!
#70 by Valentin Neacsu on June 5, 2009 - 2:49 am
Hi Michael,
I had 50 logins configured, with 2 or 3 simultaneous PPTP clients not being able to connect. The parent group had 5 logins and I changed that to 50 as well, but it didn’t have any effect. Any other idea that I can try out?
Thanks,
Valentin
#71 by Mohammad Akram on June 24, 2009 - 7:29 am
Hi Michael,
I am facing a strange issue with a Nortel VPN Router 1100. Observed from the LAN 0 interface statistics, IP Local System Filter Drops are increasing frequently.
I’m not sure why it is increasing. Can you please help me out? Please find the details below.
IP Packet Drops
IP Routing Filter Drops 0
IP Local System Filter Drops 14738
IP Local Interface Filter Drops 78
IP PAT Drops 0
IP Header Error Drops 0
IP QoS Random Drops 0
IP QoS Forced Drops 0
IP Zero Source Address Drops 99
IP Source Address Equals Destination Address Drops 0
IP Bad Packet Length Drops 0
IP Bad Header Length Drops 0
IP Bad Checksum Drops 0
IP Packet Too Short Drops 0
IP Bad Options Drops 0
IP No Buffer To Fragment Drops 0
IP Cannot Fragment Drops 12
IP Cannot Forward Drops 0
IP No Protocol Drops 0
IP No Route Drops 104
IP Bad Version Drops 0
IP 802.1Q Untagged Drops 0
IP 802.1Q Tagged Drops 0
TOTAL 15031
Thanks & Regards,
Akram
#72 by Michael McNamara on September 7, 2009 - 10:31 pm
I seem to have missed quite a few posts here, my apologies Mohammad.
Those stats are probably indicators of your interface filters dropping packets. Is this the public or private interface? If things are working fine you can probably ignore the statistic. If this is your public interface and you have the default “deny_all” filter applied to the interface you’re going to see a lot of dropped packets from all the script kiddies, viruses, trojans, worms, port scanners, etc.
If this is your private interface you could be dropping packets internally. Again you should look at the interface level and see what filter you have defined.
Cheers!
#73 by JC on July 15, 2009 - 8:04 pm
That was very good write up…thumbs up! I have encountered an issue with a pair of Nortel 1010’s. The VPN switches are connected through 2 DSL lines, both DSL lines have a static IP address. The branch-to-branch tunnel is running properly, but when I connect to one of the 1010’s through the Contivity client, I am not able to ping anything at the remote end and vice versa. The end goal of this branch-to-branch tunnel is to pass a video stream; an encoder at one end, and a decoder at the other. These devices must be on the same subnet (ie, 192.168.1.x) in order to “see” each other and pair up, and they use port #5510.
Any tips/ideas on this? Thanks!
#74 by Michael McNamara on July 17, 2009 - 4:57 pm
Hi JC,
I’ve started a few forums to help users post their own questions and issues;
http://forums.networkinfrastructure.info/nortel-vpn-routers/
In the meantime I’m somewhat confused when you talk about using the Contivity client. I’m assuming that you mean the Nortel VPN Client, the full IPSec VPN client that gets installed onto a Windows desktop. However, you also talk about two Nortel 1010 VPN Routers and building a point to point tunnel over two DSL lines. In any case your last statement, “devices must be on the same subnet”, is probably going to be the most problematic. You’re going to need to build a tunnel (IPSec, L2TP, etc) and then bridge across that tunnel as opposed to routing across the tunnel.
Off the top of my head I’m not sure the 1010 VPN router can bridge across a tunnel connection.
Try to start a thread in the forums and I’ll try to research the topic for you.
Good Luck!
#75 by Yuri on August 11, 2009 - 7:01 pm
Hi Mike,
I have a Contivity 1010 at the main office and now I can connect with a VPN connection. The problem I have is that when I connect from my home I cannot browse the Internet.
Any idea?
Thanks
Yuri
#76 by Michael McNamara on August 11, 2009 - 7:13 pm
Hi Yuri,
This behavior depends on the configuration of your main office Nortel 1010 VPN (Contivity) router. The Nortel VPN (IPSec) Client will assign you an internal IP address when you connect to the main office. Is that IP address able to access the Internet from your office location? By default all traffic will be routed across the IPSec tunnel back to your Nortel 1010 VPN router and placed onto your internal network.
Example: after making a VPN client connection I open a web browser and try to load http://www.google.com. The traffic will leave my desktop and travel over the IPSec tunnel to the Nortel 1010 VPN router; after it’s routed out the internal interface it will then try to reach the remote network through your corporate firewall or whatever appliance you have in your environment.
If you only want traffic for your internal network to route across the IPSec tunnel you need to look into setting up Split-Tunneling within the Nortel 1010. That configuration would then route traffic for your internal network, say 10.10.0.0/16, across the IPSec tunnel while routing all remaining traffic out your regular LAN connection and ultimately to the Internet.
I’ve started a few forums to help users post their own questions and issues;
http://forums.networkinfrastructure.info/nortel-vpn-routers/
If you make a post over there I’ll try to provide you some command line examples of how to set it up.
Good Luck!
#77 by Dan Garcia on August 13, 2009 - 11:13 am
Michael (or anyone who may help),
I have the following problem:
While configuring a VPN Router 1750:
CES#show version
Software Version: V07_05.300
MAC Address: 00-1C-EB-XX-XX-XX
BIOS Version: PO11
I configured 2 subinterfaces, on a vlan tagged environment:
CES#show interface Fastethernet 0/1
FastEthernet Interface 0/1 Configuration
Filter : permit all
IP Address : 10.156.248.10
Mac pause : Disabled
MTU : 1500
Public/Private : Private
Status : Enabled
802.1Q : Enabled
802.1Q Interface VLAN ID: 2
FastEthernet Interface 0/1 Configuration
Description : Telephony VLAN
Filter : permit all
IP Address : 172.16.200.1
Status : Enabled
Subinterface : 2
802.1Q Interface VLAN ID: 4
FastEthernet Interface 0/1 Configuration
Description : WIFI Lan
Filter : permit all
IP Address : 192.168.100.1
Status : Enabled
Subinterface : 1
802.1Q Interface VLAN ID: 3
The NVR1750 successfully provides Internet access to any of the VLANs configured, each of which has its own DHCP server configured per VLAN.
Now, I just found out the NVR1750 is forwarding packets between VLANs, and I can’t stop that. I disabled pretty much every routing protocol except NAT (since traffic needs to go out to the Internet). I have pretty much run out of ideas here. I need to stop inter-VLAN traffic somehow. I have the following entries in the routing table:
CES#show ip route
Protocol IP Address Mask Cost Next Hop Interface
------------------------------------------------------------------------
STATIC 0.0.0.0 255.255.255.255 [10] xxx.xxx.xxx.185 xxx.xxx.xxx.187
DIRECT_N 10.156.248.0 255.255.255.0 [0] 10.156.248.10 10.156.248.10
DIRECT_H 10.156.248.10 255.255.255.255 [0] 127.0.0.1 127.0.0.1
MGMT 10.156.248.51 255.255.255.255 [0] 127.0.0.1 127.0.0.1
DIRECT_N 172.16.0.0 255.255.0.0 [0] 172.16.200.1 172.16.200.1
DIRECT_H 172.16.200.1 255.255.255.255 [0] 127.0.0.1 127.0.0.1
DIRECT_N xxx.xxx.xxx.184 255.255.255.248 [0] xxx.xxx.xxx.187 xxx.xxx.xxx.187
DIRECT_H xxx.xxx.xxx.187 255.255.255.255 [0] 127.0.0.1 127.0.0.1
DIRECT_N 192.168.100.0 255.255.255.0 [0] 192.168.100.1 192.168.100.1
DIRECT_H 192.168.100.1 255.255.255.255 [0] 127.0.0.1 127.0.0.1
As you see, I have some DIRECT_N(etwork) and DIRECT_H(ost) entries that I can’t get rid of.
Anyone has an idea of how to solve this?
Thanks!
Dan.-
#78 by Michael McNamara on August 13, 2009 - 2:43 pm
Hi Dan,
I would guess (without trying it myself) that you’ll need to create some filter rules to prevent communication between the two interfaces. If you think about it the VPN router is acting just like a typical router, you need to create some filters to drop packets to the other networks.
If you have trouble just let me know and I can try to write a few in the testlab.
Cheers!
#79 by Dan Garcia on August 19, 2009 - 12:13 pm
Michael,
I guess help will be very welcome.
I’m trying to set the interface filter, but the VPN router is acting very strangely (either that, or I don’t understand much about how these filters work).
I have 2 sub-interfaces:
Int: 10.156.251.0/24
SubInt1: 192.168.100.0/24
Subint2: 172.16.200.0/16
I placed a filter restriction on the main interface to block ICMP traffic going to the IP 192.168.100.50/32, and all the ICMP traffic from the 10.156.251.0 network (going anywhere, even the Internet) was blocked. Same results whether I set the filter as incoming or outgoing. Am I assuming the use of the interface filters wrong??
#80 by Michael McNamara on August 19, 2009 - 11:40 pm
Hi Dan,
It’s been a few years since I’ve had to play with the configuration of those VPN routers… I’m guessing that an interface filter is the right approach. Just as a side note I believe the IP masks in the interface filter are inverse masks similar to Cisco ACL masks. You may also need to build an allow all rule at the bottom of the filter rules.
We use a lot of different filters on the actual VPN tunnel connections but we’ve never really had a need to use them on the interface level.
I can’t make any promises but I’ll see what I can dig up in testing.
Cheers!
#81 by Dan Garcia on August 20, 2009 - 7:59 am
Thanks for the tips about the CISCO – ACL Style.
I’ll try again based on this info. I didn’t see any example of this in the PDFs about filtering or in a VPN router book released in 2004.
Dan.-
#82 by Dan Garcia on August 20, 2009 - 9:53 am
Man, right on the money! I wonder why Nortel adopted that Cisco-minded ACL way for the filters.
Anyway, I’m happily setting my inter-subinterface filters now :)
I owe you a steak :)
#83 by Dan Garcia on August 13, 2009 - 1:46 pm
I just found this on the running config:
ip default-network 190.94.81.185 public 10 enable
! !!! RIP is currently disabled
! !!! In order to properly provision
! !!! RIP it will be temporarily enabled
! !!! When RIP provisioning is complete
! !!! RIP will be set back to disabled
router rip
timers basic 30
network 10.156.251.10 255.255.255.0
network 172.16.200.1 255.255.0.0
network 192.168.100.1 255.255.255.0
exit
Basically, the router is enabling RIP routing on its own!
Any ideas how to finally kill that for good?
Thanks
Dan.-
#84 by Michael McNamara on September 7, 2009 - 10:26 pm
Sorry I missed your post Dan.
On the Nortel VPN Routers RIP is enabled by default. I believe your configuration above indicates that it is disabled because there’s no “rip enable” command present. You can check in the GUI and you can check using a packet sniffer to see if the VPN router is putting out any RIP packets.
Good Luck!
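The sniffer check suggested above needs something to decode what comes back. The following is an added example, not code from the original post or from Nortel: a RIPv2 decoder and builder following the wire format in RFC 2453 (4-byte header, 20-byte route entries, an optional authentication entry with AFI 0xFFFF). The response packet built in the demo is constructed to carry the three networks from the running config Dan posted; it is not a capture from his router.

```python
"""
Decode RIPv2 packets (UDP port 520) to see what a router actually advertises.

Added example, not code from the original post or from Nortel. Implements the
RFC 2453 wire format; the demo packet is constructed, not captured.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import List, Optional, Set, Tuple

RIP_PORT = 520
RIP_COMMANDS = {1: "request", 2: "response"}
RIP_INFINITY = 16           # metric 16 means unreachable
AFI_INET = 2
AFI_AUTH = 0xFFFF


@dataclass(frozen=True)
class RipEntry:
    network: str            # CIDR, e.g. "10.156.251.0/24"
    next_hop: str           # "0.0.0.0" means "via the sender"
    metric: int
    route_tag: int = 0


def parse_rip(payload: bytes) -> Tuple[str, int, List[RipEntry]]:
    """Return (command, version, entries) for one RIP UDP payload.

    Authentication entries and whole-table request markers carry no route
    and are skipped; anything that is not well-formed RIPv2 raises ValueError.
    """
    if len(payload) < 4 or (len(payload) - 4) % 20 != 0:
        raise ValueError("bad RIP length %d" % len(payload))
    command, version, zero = struct.unpack("!BBH", payload[:4])
    if command not in RIP_COMMANDS or version != 2 or zero != 0:
        raise ValueError("not a RIPv2 packet")
    entries: List[RipEntry] = []
    for off in range(4, len(payload), 20):
        afi, tag, ip, mask, nh, metric = struct.unpack("!HH4s4s4sI", payload[off:off + 20])
        if afi == AFI_AUTH:
            continue                                   # password/MD5 trailer, no route
        if afi == 0 and metric == RIP_INFINITY:
            continue                                   # "send me everything" request
        if afi != AFI_INET:
            raise ValueError("unsupported AFI %d" % afi)
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError("metric %d out of range" % metric)
        net = ip_network("%s/%s" % (IPv4Address(ip), IPv4Address(mask)), strict=False)
        entries.append(RipEntry(str(net), str(IPv4Address(nh)), metric, tag))
    return RIP_COMMANDS[command], version, entries


def build_rip_response(routes: List[Tuple[str, int]],
                       password: Optional[str] = None) -> bytes:
    """Build a RIPv2 response advertising (cidr, metric) pairs, optionally
    prefixed with a simple-password authentication entry (auth type 2)."""
    pkt = struct.pack("!BBH", 2, 2, 0)
    if password is not None:
        if len(password) > 16:
            raise ValueError("RIPv2 simple password is at most 16 bytes")
        pkt += struct.pack("!HH16s", AFI_AUTH, 2, password.encode("ascii"))
    for cidr, metric in routes:
        net = ip_network(cidr, strict=False)
        pkt += struct.pack("!HH4s4s4sI", AFI_INET, 0, net.network_address.packed,
                           net.netmask.packed, IPv4Address("0.0.0.0").packed, metric)
    return pkt


def advertised_networks(entries: List[RipEntry]) -> Set[str]:
    """Networks offered as reachable (metric below 16)."""
    return {e.network for e in entries if e.metric < RIP_INFINITY}


if __name__ == "__main__":
    # Constructed response carrying the three networks from Dan's config.
    sample = build_rip_response([("10.156.251.0/24", 1), ("172.16.0.0/16", 1),
                                 ("192.168.100.0/24", 1)], password="secret")
    cmd, ver, routes = parse_rip(sample)
    print(cmd, "v%d" % ver, sorted(advertised_networks(routes)))
```

To apply it to a real router, capture on the LAN segment with `tcpdump -ni <iface> udp port 520 -w rip.pcap` and feed each UDP payload to parse_rip(); a router whose RIP is really disabled produces no packets at all, while one that is merely silent about it shows up as periodic responses to 224.0.0.9 listing its connected networks.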
#85 by Valentin Neacsu on September 2, 2009 - 3:58 am
Hi Michael,
Can you please advise how I can make a Nortel VPN Router 1750 push a route to its PPTP clients, other than the default route?
I want it to push 192.168.0.0/16 but I am unable to find such a setting in the GUI.
Thanks,
Valentin
#86 by Michael McNamara on September 7, 2009 - 10:24 pm
Hi Valentin,
I’ve never used PPTP clients so I can’t really answer you definitively. With PPTP it might be a function of the client, I’m not exactly sure having only read about it and never actually set one up.
I would probably advise you to use IPSec clients if at all possible, much easier and much more secure and PPTP clients have some known weaknesses.
Sorry I can’t be of more help!
#87 by George Neman on September 6, 2009 - 4:24 pm
Hi, Michael! Why are DHCP requests forwarded to 10.2.16.40 in your config? This ip address is missing here http://blog.michaelfmcnamara.com/2008/02/vpn-router-branch-office/. What additional commands need to be done to make 10.2.16.40 accept DHCP requests? Will it work if all IP addresses are assigned manually and no DHCP service enabled?
#88 by Michael McNamara on September 6, 2009 - 7:40 pm
Hi George,
I think you’ve just stumbled over a bug in WordPress for me... I’ll need to dig a little deeper on why your comment made today (9/6/09) appears before my last comment (8/20/09).
Anyway, let me answer your question. You can ignore the article that you referenced in your comment; it’s an older version of this article that I never cleaned up, but I will do so right after this response. I use a central IP management platform (Alcatel-Lucent VitalQIP) that integrates IP management with DHCP and DNS. I want all my branch office equipment to either have their static IP addresses registered in my central solution or to get DHCP/BOOTP addresses from a few different centralized DHCP servers that then feed back into my IP management solution.
To answer your question, that’s all you need assuming that your DHCP server is properly setup and ready to go.
You can certainly statically assign the IP addressing, there’s nothing stopping you from doing it like that. In my environment that would be a management nightmare as devices usually move regularly which would require a technician/field engineer to visit the location to reconfigure the statically assigned devices.
Hopefully that answers your question! If not please head over to the forums and post any follow-ups there!
http://forums.networkinfrastructure.info/nortel-vpn-routers/
Cheers!
#89 by George Neman on September 7, 2009 - 5:31 pm
Thanks, good luck!
#90 by JamesW on October 22, 2009 - 3:18 am
Hi,
The company I work for uses Nortel Contivitys for third-party VPNs.
We regularly have requests to build a third-party filter, and often it is very time consuming.
I have the commands used via the CLI, which helps to cut down on time, but what I’m really after is some sort of Perl script, Excel macro or the like that can be used to generate the config.
Ideally something where I enter the server name (or IP) and the protocol required, and then hey presto!
Have you seen any scripts that could do this?
Thanks.
James.
#91 by Michael McNamara on October 27, 2009 - 9:03 am
Hi James,
I would agree that the filters within the Nortel VPN Router (Contivity) can be very painful. I don’t personally have any scripts but we do have a few well developed filter sets which are well documented and then use those to provision additional filters. We also have a set of “standard” filters that we apply to almost all of our environments. Just remember that the IP mask is an inverse mask similar to Cisco when you are defining IP ranges/addresses.
Cheers!
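Both filter discussions in this thread (Dan’s inter-VLAN filter in #79 to #82 and James’s third-party filters in #90/#91) come down to the inverse-mask point made above. The following is an added example, not code from the original post or from Nortel. It assumes only what the thread states: the IP mask in a filter rule is an inverse mask like a Cisco ACL wildcard, where 0 bits must match and 1 bits are ignored. The text layout that render_rules() prints is illustrative and is not the router’s CLI syntax, which has to come from the manual; every address and rule below is constructed. Under that mask semantic, typing a subnet mask of 255.255.255.255 for a single host makes the rule match every destination, which is exactly the symptom described in #79.

```python
"""
Inverse-mask (wildcard) helpers for writing VPN Router style filter rules.

Added example, not code from the original post or from Nortel. Assumes the
thread's statement that filter masks are Cisco-style wildcards. The printed
rule layout is illustrative, not the router's CLI syntax. All data constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def cidr_to_wildcard(cidr: str) -> Tuple[str, str]:
    """'192.168.100.50/32' -> ('192.168.100.50', '0.0.0.0'); a /24 -> '0.0.0.255'."""
    net = ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def wildcard_matches(address: str, rule_ip: str, wildcard: str) -> bool:
    """ACL match: every bit that is 0 in the wildcard must equal rule_ip."""
    diff = int(ip_address(address)) ^ int(ip_address(rule_ip))
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return diff & care == 0


@dataclass(frozen=True)
class FilterRule:
    action: str             # "permit" or "deny"
    protocol: str           # "ip", "icmp", "tcp", "udp"
    src_ip: str
    src_wildcard: str
    dst_ip: str
    dst_wildcard: str
    dst_port: Optional[int] = None


def rule_from_cidr(action: str, protocol: str, src: str, dst: str,
                   dst_port: Optional[int] = None) -> FilterRule:
    """Build a rule from CIDR prefixes, deriving the inverse masks."""
    s_ip, s_wc = cidr_to_wildcard(src)
    d_ip, d_wc = cidr_to_wildcard(dst)
    return FilterRule(action, protocol, s_ip, s_wc, d_ip, d_wc, dst_port)


def evaluate(rules: List[FilterRule], protocol: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Optional[str]:
    """First match top to bottom. Returns the rule's action, or None when no
    rule matches (what the router does then is not assumed, so rule sets
    below end with an explicit catch-all)."""
    for r in rules:
        if r.protocol not in ("ip", protocol):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if (wildcard_matches(src, r.src_ip, r.src_wildcard)
                and wildcard_matches(dst, r.dst_ip, r.dst_wildcard)):
            return r.action
    return None


def subnet_mask_mistake() -> List[FilterRule]:
    """Meant to drop ICMP from 10.156.251.0/24 to one host, but the host mask
    was typed as a subnet mask. Read as a wildcard, 255.255.255.255 ignores
    every bit, so the deny matches ANY destination, Internet included."""
    return [
        FilterRule("deny", "icmp", "10.156.251.0", "0.0.0.255",
                   "192.168.100.50", "255.255.255.255"),
        rule_from_cidr("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    ]


def corrected() -> List[FilterRule]:
    """Same intent with the inverse mask 0.0.0.0 for the single host."""
    return [
        rule_from_cidr("deny", "icmp", "10.156.251.0/24", "192.168.100.50/32"),
        rule_from_cidr("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    ]


def third_party_filter(partner_net: str, server: str,
                       services: List[Tuple[str, int]]) -> List[FilterRule]:
    """Generate a tunnel filter for a third party: permit only the listed
    (protocol, port) services from partner_net to server, then deny all."""
    rules = [rule_from_cidr("permit", proto, partner_net, server, port)
             for proto, port in services]
    rules.append(rule_from_cidr("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"))
    return rules


def render_rules(rules: List[FilterRule]) -> List[str]:
    """Illustrative text form: action proto src wildcard dst wildcard [eq port]."""
    out = []
    for r in rules:
        line = "%s %s %s %s %s %s" % (r.action, r.protocol, r.src_ip,
                                      r.src_wildcard, r.dst_ip, r.dst_wildcard)
        out.append(line if r.dst_port is None else "%s eq %d" % (line, r.dst_port))
    return out


if __name__ == "__main__":
    for name, rs in (("mistaken", subnet_mask_mistake()), ("corrected", corrected())):
        print(name, "ICMP 10.156.251.7 -> 8.8.8.8:", evaluate(rs, "icmp", "10.156.251.7", "8.8.8.8"))
    for line in render_rules(third_party_filter("203.0.113.0/24", "10.156.248.20/32", [("tcp", 443)])):
        print(line)
```

The generator is the part James asked about: feed it the partner’s range, the server and the (protocol, port) pairs, and it emits the permits with correct inverse masks followed by the deny-all; whatever the real CLI syntax is, the masks are the part people get wrong, and cidr_to_wildcard() is the piece to reuse.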
#92 by Opsimex on November 13, 2009 - 2:22 pm
Michael,
Running a Nortel 1010 at the main office and BSR222s at my BOs; the 222s connect to the 1010. Tunnels are up and running, everything is solid, EXCEPT I can’t pass traffic between remote subnets, branch office to branch office.
I have turned on items under System->Forwarding on the 1010.
Any ideas on where else to look?
Thanks.
#93 by Michael McNamara on November 13, 2009 - 3:32 pm
Hi Opsimex,
Why not post your question over on the forums?
http://forums.networkinfrastructure.info/nortel-vpn-routers/
I would start with some simple pings and traceroutes. Is the routing in place? Is there anything of interest in the logs?
Good Luck!
#94 by Opsimex on November 13, 2009 - 3:35 pm
Nah, it’s all going into the bit bucket as far as I can tell. I’ll try that forum.
Thanks!
#95 by satheesh on January 8, 2010 - 2:56 pm
Can anyone help me with the ADVANCED ROUTING KEY/STATUS for a Contivity 1700 running version V05_00.136?
#96 by roudy on February 9, 2010 - 5:26 pm
Hello Michael, I’ve accidentally set up the remote management console on a BSR 222, but didn’t set a rule on the firewall to allow the access :(
I figure I may be able to fix this via the console port, but just wanted your advice before I do it. I’ve configured a few routers via console, but would the menu system be similar to the above, and could I alter it back to LAN access?
I only ask as the site is quite a distance from my home, hence trying to allow the WAN access in the first place.
Hope you can help
#97 by Michael McNamara on February 9, 2010 - 7:36 pm
Hi Roudy,
You can certainly configure the BSR222 via the serial console port. The menu will look a little different than you might be accustomed to, but it is usable.
Here’s a phrase from the configuration manual;
“The embedded web configurator is an all platform, web based utility that you can use to easily manage and configure the Business Secure Router. Most functions of the Business Secure Router are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu driven interface that you can access from a terminal emulator through the console port or over a Telnet connection.”
You can also read more about the BSR222 on my blog.
Good Luck!
#98 by roudy on February 12, 2010 - 6:07 pm
After spending hours searching the Internet for a solution, and even quickly going through the manual you linked to, I was unable to find what I wanted.
However, I spotted your website by chance and saw all of the kind help you gave others, so I thought I would give it a shot and post here.
You came back to me extremely fast and with exactly the info I needed. I went to the site, the interface was far easier than I expected, and now I can access it from home.
All is sorted now, and I owe a great deal of thanks to you, mega cheers to you.
Big cheers, and thank you for being so helpful.
#99 by Michael McNamara on February 12, 2010 - 7:36 pm
I’m happy I was able to help roudy!
Cheers!
#100 by Michael McNamara on August 20, 2009 - 6:38 pm
I’m happy I was able to help…
We accidentally stumbled over that a few years ago when we were writing filters for some of our VPN tunnels that connect to third party networks.
Cheers!