In this post I’ll provide an example of how to configure a Nortel VPN Router. We’ll configure the remote office VPN router for a tunnel with 3DES/SHA1 encryption and DH2 using pre-shared keys, routing all traffic to the main office across the tunnel (no split tunneling). You should start by connecting to the local console port on the VPN router (the diskless 1100, 1050 and 1010 require a special RJ45 -> DB9 console cable). Log into the VPN router with the default username of “admin” and the default password of “setup” and reset it to factory defaults. You’ll find the option under “R” for “Reset System to Factory Defaults”.
Welcome to the Contivity Secure IP Services Gateway
Copyright (c) 1999-2004 Nortel Networks, Inc.
Version: V05_00.136
Creation date: Aug 20 2004, 15:50:15
Date: 07/23/1980
Unit Serial Number: 11221
Please enter the administrator's user name: admin
Please enter the administrator's password:
Main Menu: System is currently in NORMAL mode.
1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode FALSE
7) Allow HTTP Management TRUE
8) Firewall Options
9) Shutdown
B) System Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes
Please select a menu choice (1 - 9,B,P,C,L,R,E):
The first step will be to configure the IP addressing for the private LAN and public WAN interfaces. Using the serial console select “L) Command Line Interface” from the menu options.
CES>
Upon entering the CLI environment the prompt changes to “CES>”. You must now enter privileged mode with the “enable” command, supplying the default admin password of “setup”.
CES>enable
Password: *********
Let’s take care of the easy stuff first. I’m currently working in the Eastern time zone;
CES#clock timezone est
CES#clock set 15:22:30 12 JANUARY 2005
You can see from the syntax above that the format of the command is: clock set <hh:mm:ss> <day> <month> <year>
Now you must enter configuration mode using the commands listed below. We’ll reset the admin password before anything else.
CES#configure terminal
Enter configuration commands, one per line. End with Ctrl/z.
CES(config)#
CES(config)#adminname admin password <standard password>
We’ll configure the private LAN IP Address. In the example below I’m using 10.2.203.1 as the LAN address of the branch office VPN router.
CES(config)#interface FastEthernet 0/1
CES(config-if)#ip address 10.2.203.1 255.255.255.0
CES(config-if)#exit
Next we’ll configure the MANAGEMENT IP Address. The LAN address and management IP address must be on the same subnet.
CES(config)#ip address 10.2.203.10
Management address set to 10.2.203.10 successfully !
Next, make sure Mgt addr and private LAN addr are on same subnet
CES(config)#
You should use the IP addressing that’s been assigned to the equipment you’re configuring in place of the IP addressing used above. Next we’ll assign the public WAN IP Address provided by the Internet Service Provider (ISP), which in this case happens to be Verizon DSL;
CES(config)#interface FastEthernet 1/1
CES(config-if)#ip address 70.256.1.10 255.255.255.0
%Warning: The IP address type is changed from DHCP dynamic to static
CES(config-if)#exit
CES(config)#ip default-network 70.256.1.1 public
CES(config)#ip name-server 151.197.0.38 151.197.0.39 199.45.32.43
NOTE: FastEthernet 0/1 is the PRIVATE LAN while FastEthernet 1/1 is the PUBLIC WAN
Let’s disable those services we won’t be using and enable those we will be using;
CES(config)#no tunnel protocol pptp public
CES(config)#no tunnel protocol pptp private
CES(config)#no tunnel protocol l2tp public
CES(config)#no tunnel protocol l2tp private
CES(config)#ipsec encryption 3des-sha1
CES(config)#ipsec encryption aes256-sha1
CES(config)#no ipsec encryption aes128-sha1
CES(config)#no ipsec encryption des40-md5
CES(config)#no ipsec encryption des40-sha1
CES(config)#no ipsec encryption des56-md5
CES(config)#no ipsec encryption des56-sha1
CES(config)#no ipsec encryption hmac-md5
CES(config)#no ipsec encryption hmac-sha1
Let’s configure the “Base” default Branch Office Group with the standard settings.
CES(config)#bo-group ipsec /Base
CES(config-bo_group/ipsec)#encryption 3des-sha1
CES(config-bo_group/ipsec)#encryption ike 3des-group2
CES(config-bo_group/ipsec)#antireplay enable
CES(config-bo_group/ipsec)#no compress
CES(config-bo_group/ipsec)#initial-contact enable
CES(config-bo_group/ipsec)#exit
Let’s add a designator for the local network (to be used later – replace with your IP network)
CES(config)#network add LocalNetwork ip 10.2.203.0 mask 255.255.255.0
Let’s add a sub group for our IPsec tunnel configuration;
CES(config)#bo-group add /Base/AcmeHealth
CES(config)#bo-conn add Acme-1 /Base/AcmeHealth
CES(config)#bo-conn Acme-1 /Base/AcmeHealth
CES(config/bo_conn)#conn-type peer2peer
CES(config/bo_conn)#local-endpoint 70.256.1.10
CES(config/bo_conn)#remote-endpoint 192.1.1.124
CES(config/bo_conn)#tunnel-type ipsec
CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn)#routing type static
CES(config/bo_conn)#state enable
CES(config/bo_conn)#routing static
CES(config/bo_conn/routing_static)#local-network LocalNetwork
CES(config/bo_conn/routing_static)#remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
CES(config/bo_conn/routing_static)#exit
Let’s setup the DHCP relay agent forwarding our DHCP/BOOTP requests to 10.2.16.40;
CES(config)#no service dhcp enable
CES(config)#ip default-network 70.20.130.1 public
CES(config)#ip dhcp-relay 10.2.203.1
CES(config)#ip dhcp-relay 10.2.203.1 enable
CES(config)#ip helper-address 10.2.203.1 server 1 10.2.16.40
CES(config)#ip forward-protocol dhcp-relay
Since we’re routing everything over the IPSec tunnel (the remote-network was 0.0.0.0 with a mask of 0.0.0.0) we need to change the default route preference.
CES(config)#ip default-route-preference private private
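Before saving, it is worth checking a console transcript of the commands above against the few settings that matter for the tunnel’s security and for the no-split-tunneling design. The script below is an added example written for this post (it is not part of the original article and not a Nortel tool): it parses the CES(config) prompt lines of a saved transcript and flags PPTP/L2TP left enabled, weak single-DES/MD5/HMAC-only suites still enabled, a Base group without anti-replay, a short pre-shared key, and a 0.0.0.0/0.0.0.0 remote network with no “ip default-route-preference private private”. The sample transcript is constructed from this post’s commands with a few deliberate mistakes, and the severity labels and 20-character PSK threshold are this script’s own policy assumptions, not Nortel defaults.

```python
"""Offline audit of a Nortel VPN Router (CES) console transcript.

Added example, not part of the original post and not Nortel's code.
Only what the transcript shows is audited: suites or protocols that are
enabled by factory default but never mentioned are invisible to it.
"""
import re

# Suites the post explicitly disables: 40/56-bit DES, MD5 and the
# authentication-only (no encryption) HMAC suites.
WEAK_SUITES = {"des40-md5", "des40-sha1", "des56-md5", "des56-sha1",
               "hmac-md5", "hmac-sha1"}
MIN_PSK_LEN = 20  # assumption: local policy, not a Nortel requirement

PROMPT = re.compile(r"^CES\((?P<ctx>[^)]*)\)#\s*(?P<cmd>.+?)\s*$")

# Constructed sample: the post's commands with deliberate mistakes
# (l2tp private left on, des56-md5 enabled, no antireplay, short PSK,
# default-route preference never set).
SAMPLE_TRANSCRIPT = """
CES(config)#no tunnel protocol pptp public
CES(config)#no tunnel protocol pptp private
CES(config)#no tunnel protocol l2tp public
CES(config)#ipsec encryption 3des-sha1
CES(config)#ipsec encryption aes256-sha1
CES(config)#ipsec encryption des56-md5
CES(config)#no ipsec encryption des40-md5
CES(config)#bo-group ipsec /Base
CES(config-bo_group/ipsec)#encryption 3des-sha1
CES(config-bo_group/ipsec)#encryption ike 3des-group2
CES(config-bo_group/ipsec)#exit
CES(config)#bo-conn Acme-1 /Base/AcmeHealth
CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn)#routing static
CES(config/bo_conn/routing_static)#remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
CES(config/bo_conn/routing_static)#exit
"""


def parse_transcript(text):
    """Return (context, command) pairs for every config-mode prompt line."""
    cmds = []
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            cmds.append((m.group("ctx"), m.group("cmd")))
    return cmds


def audit(text):
    """Return a list of (severity, message) findings for a transcript."""
    findings = []
    protocols_disabled = set()   # (protocol, interface) pairs turned off
    global_suites = set()        # IPsec suites enabled at global level
    group_antireplay = {}        # bo-group path -> antireplay enabled?
    current_group = None
    full_tunnel = False          # remote-network 0.0.0.0/0.0.0.0 seen
    pref_private = False         # ip default-route-preference private private seen

    for ctx, cmd in parse_transcript(text):
        words = cmd.split()
        if ctx == "config":
            if cmd.startswith("no tunnel protocol "):
                protocols_disabled.add((words[3], words[4]))
            elif cmd.startswith("ipsec encryption "):
                global_suites.add(words[2])
            elif cmd.startswith("no ipsec encryption "):
                global_suites.discard(words[3])
            elif cmd.startswith("bo-group ipsec "):
                current_group = words[2]
                group_antireplay.setdefault(current_group, False)
            elif cmd == "ip default-route-preference private private":
                pref_private = True
        elif ctx == "config-bo_group/ipsec":
            if cmd == "antireplay enable" and current_group:
                group_antireplay[current_group] = True
        elif ctx == "config/bo_conn":
            if cmd.startswith("ipsec authentication text-pre-shared-key "):
                psk = cmd.split(None, 3)[3]
                if len(psk) < MIN_PSK_LEN:
                    findings.append(("HIGH", f"pre-shared key is only {len(psk)} characters; use a long random secret"))
        elif ctx == "config/bo_conn/routing_static":
            if cmd.startswith("remote-network 0.0.0.0 mask 0.0.0.0"):
                full_tunnel = True

    for proto in ("pptp", "l2tp"):
        for side in ("public", "private"):
            if (proto, side) not in protocols_disabled:
                findings.append(("MEDIUM", f"{proto} still enabled on the {side} interface"))
    for suite in sorted(global_suites & WEAK_SUITES):
        findings.append(("HIGH", f"weak IPsec suite enabled globally: {suite}"))
    for group, enabled in group_antireplay.items():
        if not enabled:
            findings.append(("MEDIUM", f"anti-replay not enabled in bo-group {group}"))
    if full_tunnel and not pref_private:
        findings.append(("HIGH", "remote-network 0.0.0.0/0.0.0.0 is configured but 'ip default-route-preference private private' is missing: default-route traffic will leave via the public interface, not the tunnel"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_TRANSCRIPT):
        print(f"[{severity}] {message}")
```

Run it against a transcript captured from the console session (paste the session into a file and pass its contents to audit()); an empty finding list means the transcript at least shows every setting this post sets, while a clean result still says nothing about defaults the transcript never touched.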
That’s the short approach to using the CLI to configure the Nortel VPN Router. There is a somewhat old and slow web interface that you can also use to configure the VPN router; you only need to point a web browser at the management IP address.
Cheers!
Update: Wednesday December 10, 2008
Here’s the pinout for the special RJ45 to DB9 serial cable used to access the diskless VPN routers;
Cheers!
Curtis says
Actually, the web interface in version 7.0x code is much improved than the Java-based user interface on 6.x and older.
However, they could make me happy if they’d get rid of the little musical interlude when accessing the 7.0x web interface and Java device manager.
Michael McNamara says
Hi Curtis,
The new web interface is definitely much cleaner but it’s still rather slow for my liking. Nortel’s Java Device Manager plays the same little musical interlude, which you can disable. I haven’t seen a place to disable the one you’re referring to just yet.
Thanks for the comment!
Randy Banaria says
This is a good sample configuration, though I haven’t tested it yet. :)
Thanks a lot.
regards,
randy
Benny says
Hi there!
Does anyone of you know how to reset the admin password on a Nortel Contivity VPN 1050? This has not been used for a long time; now I want to reconfigure it, but no luck because I forgot the admin password…:(
Emil says
Sorry for my bad English.
Where can I find pinouts for this “special RJ45 -> DB9 console cable”?
I tried a Cisco console cable and a straight-through cable; they do not work.
Help please
Michael McNamara says
Hi Emil,
I found the pinout on page 44 of the “Nortel VPN Router Installation — VPN Router 1010/1050/1100”. I’ve updated the article above with a graphic of the pinout.
Good Luck!
Michael McNamara says
Hi Benny,
Here’s an excerpt from the Nortel documentation.
Diskless VPN Routers (1010, 1050, 1100)
1. Restart the router and push the button (pinhole) marked REC on the back panel during the memory test. Note it is not necessary to hold it. This will put the router into Recovery mode.
2. Once the startup is complete, open a web browser and direct it to the management IP address to open the GUI.
3. Once there, select the radio button marked Restore original factory settings and click on the Restore button.
4. When the message “Successful Factory Restore” appears at the top of the screen perform a restart. It is now at Factory Default. The administrator userid will be returned to admin, with the password returned to setup. As the management IP address is no longer present, the console must be used to enter both the management and private interface IP addresses.
Good Luck!
Muhamad M.Shaker says
Dear sir ,
Kindly, I work as a telecom network engineer and I have no experience with Nortel, but all our systems are from Nortel and I am a new joiner, so I would like you to send me the troubleshooting of the 1750 VPN connection and configuration, and also the 1100 router. I shall contact you again in case I desire to know some information related to Nortel products. Thanks for caring and for your efforts.
Muhamad M.Shaker says
Dear sir,
Kindly, I have a Nortel CS 1000 (IP Telephony). When the telephone is connected to a PC the link gets a speed of 100 Mbps, and when I connect the cable directly to the PC without the phone it gets 1 Gbps. All PCs connect through phones and should get 1 Gbps because our link speed is 1 Gbps. What is the problem in this case and how do I troubleshoot it? I use Telephony Manager to monitor and manage the systems.
Muhamad M.Shaker
Michael McNamara says
Hi Muhamad,
You’re welcome to review the information I have concerning the Nortel VPN Router. If you are looking for the manuals I would suggest you create an account on Nortel’s website and download the specific manuals you’re looking for.
Your second post is off topic with respect to VPN routers although I’ll answer your question. What model of Nortel phone are you using? The i2002/i2004 phones only support 100Mbps, you need to use the 1120e/1140e/1150e models if you want 1Gbps.
Good Luck!
Muhamad M.Shaker says
Good Day Sir,
Kindly, I use the 1120E, 1140E and 1150E and all of them are working fine at 1 Gbps, but I have a problem with some phones: when the PC is connected through the phone it gets 100 Mbps, while all phones work at 1 Gbps. What is the problem and how am I able to troubleshoot it?
Michael McNamara says
Hi Muhamad,
This really isn’t on topic for a VPN router post but I’m happy to reply. I can’t really provide you the magic bullet answer. What firmware version are you running on your IP phones? Is it the latest and greatest? If not I would advise you to upgrade. What has your voice reseller said about the problem? I’m assuming the phones are all configured for autonegotiation on the PC ports. I haven’t observed any autonegotiation issues myself with any of the aforementioned phones.
Good Luck!
Muhamad M.Shaker says
Hi Michael,
How are you today?
I would like you to tell me a forum site for inquiries about Nortel voice and Nortel products, please.
Thanks and regards.
Muhamad M.Shaker
Michael McNamara says
Hi Muhamad,
If you look at the right sidebar under “Links” you’ll see two Tek-Tips forums that I believe you’ll find helpful.
In case you can’t find them;
Tek-Tips Nortel Networking Forum
Tek-Tips Nortel Succession Forum
Good Luck!
duzers says
Hi!
I have a BO tunnel on a 1010! And I want to direct 0.0.0.0 on the BO side to the tunnel! But I can’t.
ip default-route-preference private ?
private Defines that private routes will be preferred as default routes
public Defines that public routes will be preferred as default routes
sh running-config profile bo-conn
bo-conn add “CO-Ochak” “/Base/C-Ok” conn-type peer2peer
bo-conn “CO-Ochak” “/Base/C-Ok”
state enable
filter “permit all”
local-endpoint 212.26..x.y
remote-endpoint 212.26.x.y
routing type static
routing static
local-network “LAN”
remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
exit
tunnel-type ipsec
ipsec authentication etext-pre-shared-key “a”
no mtu enable
mtu 1788
exit
Michael McNamara says
Hi Duzers,
I’m going to assume that you have the tunnel configured properly on both sides. In general the default configuration will not route 0.0.0.0 across the tunnel even if you have the networks setup properly. You need to issue the following command;
CES(config)#ip default-route-preference private
That command will instruct the CES to route traffic that matches the default route across the private tunnel interface as opposed to the public interface. You will still need a public “default route” and public IP address for the CES to communicate properly with the MO (Main Office).
If you’re having issues try just setting up a Class C network in the tunnel configuration and testing that. Once you know that works you can go back to troubleshooting the default route issues.
Thanks for the comment!
ibrahim says
Hi,
We have installed a new broadband connection. The DSL router itself is doing the NAT function. We have a Nortel Contivity 1010 box. We need to connect it to the DSL router. Could you suggest how to proceed?
Thanks
Ibrahim.
Michael McNamara says
Hi Ibrahim,
You should probably download the documentation and read it over… setting up a VPN for the first time is not a trivial matter and can be quite complicated depending on your configuration.
Cheers!
duzers says
Tunnel properly up. And I can’t issue the following command
CES(config)#ip default-route-preference private
because my CES tells me
ip default-route-preference private enter
result
ip default-route-preference private
^
% Incomplete command. See ‘^’ marker.
ip default-route-preference private ?
private Defines that private routes will be preferred as default routes
public Defines that public routes will be preferred as default routes
Michael McNamara says
We’re missing another “private” on the end of that command;
CES(config)#ip default-route-preference private private
Give that a try.
Good Luck!
duzers says
Doesn’t work :(
I can’t ping the MO net from the BO!
Help me please!
I don’t want to deploy dynamic routing or set my MO nets manually.
Michael McNamara says
Unfortunately all my Nortel VPN Routers are now running OSPF and are dual-homed to two Internet Service Providers so I don’t have an example to immediately look at. So you’ve built the network as 0.0.0.0/0.0.0.0 and that tunnel is up and packets are going in and out. When you dump your routing table does it have a destination of 0.0.0.0 pointing to the tunnel interface?
Sorry I can’t help more.
Ganesh Kumar says
Hi,
I have one query on Nortel VPN router functionality on Tunnel Redundancy using Static route
We can have tunnel redundancy if we configured OSPF as routing protocol on tunnel parameter.
Local Side is Nortel 600 & Remote location is Nortel 2700
Configured 2 tunnel with remote site (RS) 1 & 2 for same remote network
Tunnel 1 (Terminated to RS 1 with static cost 10)
Tunnel 2 (Terminated to RS 2 with static cost 20)
I have tried the same using Static route, but it fails and I checked the routing table and found the routing update is still available for tunnel 1 due to this update traffic is not able to flow through Tunnel 2
If you have any suggestion kindly provide the same to fix this issue
Regards,
Ganesh
Michael McNamara says
Hi Ganesh,
Here’s the problem you need to confront with static routing – how to update the route depending on which path is available. The issue here is that the Nortel VPN Router will always have an entry in the routing table regardless of the state the actual tunnel is in (up/down). The routing table entry needs to be there so traffic makes it to the VPN router and the router can then bring up the actual tunnel. If you had redundant physical connections (multiple ISPs) then I believe you might be able to do something with static routes to provide redundancy.
I’m doing exactly what you are trying to do with OSPF routing. I’ve adjusted the OSPF costing on one of the tunnels so that traffic will only traverse the primary tunnel unless it goes down. I have two main office VPN Router 1700s connected to my network at different geographic locations using two different Internet Service Providers. I run OSPF between the two on my core backbone.
You’ll need the Advanced Routing License for the Nortel VPN Routers to enable OSPF functionality.
Cheers!
duzers says
Hi!
(MO)172.16.16.209/20— 172.16.19.44/20(Router)192.168.40.1—192.168.40.3(Contivity 1010 BO)—192.168.41.1(LAN)
What must I write for the 0.0.0.0 route on the BO so that the MO works properly?
I have following routing table on BO:
CES#sh ip route
Protocol IP Address Mask Cost Next Hop Interface
————————————————————————
STATIC 0.0.0.0 0.0.0.0 [11] 172.16.16.209 192.168.40.3
STATIC 0.0.0.0 255.255.255.255 [1] 192.168.40.1 192.168.40.3
DIRECT_N 192.168.40.0 255.255.255.0 [0] 192.168.40.3 192.168.40.3
DIRECT_H 192.168.40.3 255.255.255.255 [0] 127.0.0.1 127.0.0.1
MGMT 192.168.41.2 255.255.255.255 [0] 127.0.0.1 127.0.0.1
I did
CES(config)#ip default-route-preference private private
but
CES#sh branch-office sessions
Summary:
Current Sessions:
Branch Office: 0
When I write a net that is on the MO
CES(config/bo_conn/routing_static)#remote-network 192.168.1.1 mask 255.255.255.0
the tunnel is up and I can ping the remote MO net from the BO LAN
CES#sh branch-office sessions
Summary:
Current Sessions:
Branch Office: 1
Where is my fault?
Frank says
Hi Michael, do you know how to do a password recovery without resetting to the factory default on a Contivity 1750?
Thanks.
Michael McNamara says
Hi Frank,
I don’t believe it’s possible but please don’t take my word as gospel. I’ll ask around and let you know, but I’m thinking it’s not possible without using some extraordinary means (extracting the physical hard disk and then mounting the disk/filesystem with another computer – perhaps Linux – and copying the necessary files to an alternate location so you could restore the configuration after you factory reset the VPN router itself).
You can refer to the Nortel VPN Router Recovery Floppy post for a link that will show you how factory reset the switch.
Good Luck!
Michael McNamara says
Hi Duzers,
I’m not sure I follow your IP addressing scheme. You understand that whatever IP networks you set up in the BO must be set up in the MO? I’m very suspicious of your configuration and I’m not sure you understand exactly what you’re doing. If you change the IP networks/hosts in the tunnel on the BO side you need to make the same change on the MO side. The IP networks/hosts need to match or the tunnel won’t come up.
In the article I describe how to configure a BO (Branch Office) Nortel VPN router. How did you setup the MO (Main Office)?
On the Main Office you’d need to setup a matching tunnel. The endpoints would be reversed from the Branch Office and the IP networks would be reversed. Here’s a quick example which would match the example from my original post above;
CES(config)#network add DefaultNetwork ip 0.0.0.0 mask 0.0.0.0
…
…
CES(config/bo_conn)#conn-type peer2peer
CES(config/bo_conn)#local-endpoint 192.1.1.124
CES(config/bo_conn)#remote-endpoint 70.256.1.10
CES(config/bo_conn)#tunnel-type ipsec
CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn)#routing type static
CES(config/bo_conn)#state enable
CES(config/bo_conn)#routing static
CES(config/bo_conn/routing_static)#local-network DefaultNetwork
CES(config/bo_conn/routing_static)#remote-network 10.2.203.0 mask 255.255.255.0 state enable cost 1
CES(config/bo_conn/routing_static)#exit
If the tunnel doesn’t come up you’ve got other problems that you’ll need to fix. I would suggest you examine the logs for an idea of where you might start troubleshooting.
CES# show logging event
Good Luck!
Ganesh Kumar says
Hi,
You are recommending us to go with Advanced Routing; it is not feasible to use static routes for tunnel redundancy.
Regards,
Ganesh
duzers says
Thanks for your support!
I did what I wanted to do!
I’ve only had experience with Cisco routers, not Nortel.
At first the Nortel router confused me a lot.
Thanks a lot for your help.
Michael McNamara says
Hi Ganesh,
The issue here is using static routing to provide redundancy. There are a number of different vendors, Nortel included, where you can provide redundancy with static routes if you are using interfaces where the router can detect a link failure, such as a serial link, and then remove the static route from the routing table. There’s also the question of which side (Main Office / Branch Office) has the redundant Internet connection. When you throw Virtual Private Networking into the mix you really have a stew of problems. I’m only familiar with the Nortel VPN router, but it will always advertise a route to a tunnel even if the tunnel isn’t up and/or available. In that case you need OSPF to provide a means of deciding which tunnel to use and then feed that information back into the backbone routing table.
I believe the only way to accomplish redundancy from the Main Office side is to use OSPF. In this case you’d have two Internet links into different locations for redundancy at the Main Office side. You could load-balance traffic across the two tunnels or you could set the OSPF costs such that one tunnel would be the primary and the second would be the standby.
Cheers!
Dan says
I’m having this on a NVR1750:
—–
Boot Image Version: V07_00
Creation date: Oct 19 2006, 13:08:04
auto-booting…
done.
Performing Check Disk on [/ide0/] …
Copyright (c) 1993-1996 RST Software Industries Ltd. All rights reserved
ver: 2.6 FCS
Disk Check In Progress …
total disk space (bytes) : 2,146,631,680
bytes in each allocation unit : 32,768
total allocation units on disk : 65,510
bad allocation units : 0
available bytes on disk : 2,145,746,944
available clusters on disk : 65,483
maximum available contiguous chain (bytes) : 2,145,746,944
available space fragmentation (%) : 0
clusters allocated : 27
Done Checking Disk.
Cannot open “/ide0/system/bin/vxWorks”.
Error loading /ide0/: errno = 0x380003.
Attaching to floppy disk device… dosFsDevInit failed on [/fd0/system/bin/floppyos.i86].
usrFdConfig failed.
Error loading file: errno = 0x380001.
Error during dosFsDevInit[0,0]: d0006
usrIdeConfig /ide0/ failed.
Error loading /ide0/: errno = 0xd0006.
Can’t load boot file!!
Task tBoot Crashed in $Id: rebootLib.c 1.1 1997/09/16 13:38:51 JLawrence SafetySave $ at line 86. ( 0x18edb)
[Nortel Networks Boot]:
——-
Floppy boot doesn’t allow me to restore the system (I got some sort of access denied error when I try to write to the disk), and I’m trying to boot the system from FTP (looks like it’s possible),
but I don’t know the commands and parameters to change the boot device from this menu to FTP, even if I see many parameters that suggest it can be possible.
Any suggestions?
Thanks,
Dan.-
Dan says
This is the error I get when I try to upload the software to the VPN router after a drive format:
02/12/2009 13:14:08 0 FTP Restore [13] Beginning to Restore from host 192.168.1.3
02/12/2009 13:14:16 0 FTP Restore [11] Starting to restore files from host 192.168.1.3
02/12/2009 13:14:16 0 FTP Restore [13] Error Creating file: /ide0/system/V07_00.062.tar.gz. Error: S_dosFsLib_ILLEGAL_NAME
02/12/2009 13:15:16 0 FTP Restore [11] Restore error = 000000a3.
Michael McNamara says
Hi Dan,
How did this problem come about? Did you replace the hard drive with one you purchased on your own?
I’m guessing the format option completes successfully? I’m not really sure what to make of this, unless the drive is formatted (FAT16/FAT32) in such a way that the VPN router doesn’t understand. What filesystem does the Nortel VPN router use? Sorry I can’t be of more help, perhaps someone else will chime in.
Thanks for the comment!
Dan says
OK. Here is everything that happened, in very short steps.
1) New VPN Router 1750
2) Upgrade to Version 8
3) Something went wrong and there was an intermittent noise coming out of the VPN Router 1750
4) Factory default the NVR1750
5) Noise still there
6) Boot with Recovery Disk
7) Format HD successfully
8) Unable to restore an image
9) Dan is dead
I guess in the end I just need the correct procedure to install the image to a formatted hard disk, OR someone kind enough to provide an image of a 1750 so I can take the HD out and download the image to that one (if that could even work, of course).
Michael McNamara says
Hmm… it was sounding bad but still running fine? Does it still sound bad now?
What version of software did you use to make the recovery/boot diskette?
I’m wondering if they changed the filesystem format in the new release, although I doubt it. The recovery diskette might not know how to deal with compressed (optimized) archives. I would try un-compress (tar zxvf -filename-) the archive and then try having the VPN router download the software.
Good Luck!
Joyce Vong says
Hi Mike,
I am new to Contivity. I have a dumb question. What do 0.0.0.0/0 and 0.0.0.0/32 represent? I have a hard time understanding which is the public default route and which is the private default route, and which is the public interface and which is the private interface. So, say I am in the MO where I have the outside interface facing the Internet, where the tunnel is built, and I have an inside interface facing a firewall, which in turn faces the LAN.
so is inside interface = private interface?
Is outside interface = public interface?
virtual tunnel interface is what?
What is public default route mean? which interface?
what is private default route mean? which interface?
So there are 3 routing I need. Forget about the NAT that kind of stuff, just pure routing. Say MO LAN is 10.1.1.0/24. Say BO LAN is 10.2.1.0/24. So MO ISP public address is 65.65.65.65 and BO ISP address is 66.66.66.66.
So when MO LAN wants to talk to BO LAN. So the packet has 10.2.1.x as destination and go thru the firewall and hit the Contivity inside interface. So now here is the first routing,
Contivity will need to know how to reach 10.2.1.x, so let’s say we put in a static route saying that for 10.2.1.x the next hop is my BO ISP 66.66.66.66. So the tunnel is built and the tunnel source address is 65.65.65.65 with destination 66.66.66.66.
So now the second routing comes: the Contivity will say, how do I get to 66.66.66.66? Then I can have a static route to say go to 65.65.65.65.
On traffic returning to the MO, when the Contivity decrypts the tunnel, it says how do I get to 10.1.1.x on the MO LAN? Then there will need to be a route in the Contivity to point it to use the inside interface towards the firewall.
So I wonder, if all I have is just one static route for 10.2.1.x for the BO LAN in the MO’s Contivity, then how do 0.0.0.0/0 and 0.0.0.0/32 route me correctly? I mean I don’t know what these two quad zeros mean in Contivity and what public/private default routes mean.
I know in Cisco 0.0.0.0/0 means default route in general so I don’t know the concept of a private and a public default route.
Can you please help to clarify?
thanks,
Joyce
Michael McNamara says
Hi Joyce,
That’s quite a long post you have there… I’ll try to give you a quick explanation that hopefully makes sense. In case I miss the point I’ll quote directly from the Nortel manual.
Here’s an excerpt from the manual;
When Public is enabled, all packets that do not go across a tunnel to defined remote networks continue to transmit out of the public interface using the public default Nortel VPN Router (0.0.0.0/32 in the forwarding table). Any packets going to defined remote networks go across the branch office tunnel and cannot have any remote network equal to 0.0.0.0/0.0.0.0 (default route). For example, if you want to get to the DNS server on the public network, select private-to-public for the routing decision.
When Private is enabled, all packets transmit over your branch office tunnel and not out the public interface because the branch office tunnel has a 0.0.0.0/0.0.0.0 remote network (statically defined or received by RIP). For example, if you want to reach the DNS servers on the corporate side of the branch office tunnel, select private-to-private for the routing decision.
You only need to modify the default-route preference if you wish to route 0.0.0.0/0 across a tunnel interface. What do I mean by that? In our corporate network we don’t want our branch office locations to have direct Internet access without going through our central firewall and content filtering solutions. So all traffic from the branch office is routed across the tunnel interface back to the main office so it can then be filtered and sent back out to the Internet if necessary. While this solution can incur performance penalties it provides maximum control over all branch office traffic.
You actually don’t need to manually create any routes other than defining the default routes in the GUI or CLI interfaces. When you define the IP networks/hosts within the tunnel configuration the Nortel VPN router will automatically add a route to the routing table. You are correct in your assumptions concerning the public and private interfaces. The public default-route points to your ISP while the private default-route points to your internal IP backbone. You must have a public default route; you can manually create static routes for your private network if you’re not comfortable with the thought of 2 default routes.
Here’s a link to the Nortel VPN Router Configuration Routing Release 7.0
Thanks for the comment, hopefully I’ve provided some help.
Joyce says
Hi Mike,
Thanks for your help and the link for the manual. I will read more on it. I have no experience with Contivity and need to understand an existing MO Contivity routing where I see 0.0.0.0/0 and 0.0.0.0/32 in the routing table and I don’t understand it.
Can you please tell me what 0.0.0.0/0 and 0.0.0.0/32 mean?
Reading the above, does 0.0.0.0/0 represent the default route for traffic going to the private interface? Does the private interface refer to the tunnel and the interface facing the LAN? That means, from the MO Contivity’s perspective, this default route will be used for traffic going to the inside LAN? What about traffic to the BO LAN via the tunnel; will this default route be used too? If so it wouldn’t make sense, because the inside LAN is on the inside interface while going through the tunnel is on the outside interface.
So does 0.0.0.0/32 represent the default route going to the ISP for non-tunnel Internet traffic?
Show the Full Route Table
.
Seq P Ip Address/NetMask Weight Cost NextHop NextHopInterface CId
— — —————— —— —- ——- —————- —
8 S 0.0.0.0/0 1 1 10.167.1.1 10.167.1.2 1
9 S 0.0.0.0/32 1 1 166.66.1.1 166.66.1.2 33
So in my MO, I have the following: the LAN connects to Layer 3 switches, which connect to the firewall inside interface. Then from the firewall there are 2 additional interfaces: one is the public interface to the ISP router, the other firewall interface goes to the Contivity secure inside interface. So the Contivity has this inside secure interface facing the firewall and an outside interface facing the ISP router.
10.167.1.1 is the firewall interface facing the Contivity inside interface 10.167.1.2. The Contivity outside interface is 166.66.1.2, facing the ISP router 166.66.1.1. The firewall has an outside interface 166.66.1.3 and an inside interface facing the LAN at 10.1.1.1.
My question is: when the MO routes traffic to the BO LAN via the tunnel, I will have a static route pointing the BO LAN subnet to use the BO ISP tunnel interface as next hop. So which default route will it use to know how to reach the BO ISP address? I mean 0.0.0.0/0 or 0.0.0.0/32?
My BO will not do split tunneling. My BO will route all traffic inside tunnel to reach to MO and then decrypt at MO Convity.
thanks again,
Joyce
Michael McNamara says
Hi Joyce,
You are correct in that 0.0.0.0/32 would be used for communicating with the ISP while 0.0.0.0/0 would be used to tunnel all traffic across to the MO. How does the Nortel VPN Router (Contivity) make its routing decision? I personally can’t say for sure, having never spent that much time testing the product. However, I believe it makes decisions based on the IP source/destination and the interface where the traffic is received.
You might find some additional information if you Google for “New Oak”, the company that Nortel (formerly Bay Networks) acquired which they then released as the Nortel Contivity Extranet Gateway.
Thanks again for the comments!
Joyce says
Hi Mike,
Thanks again. The part I am trying to figure out is that I have both 0.0.0.0/0 and 0.0.0.0/32 in my MO Contivity. I don't have access to the BO to see the config there. So just looking purely from the MO Contivity's perspective and seeing those two quad zeros, how would you determine which quad zero is for which purpose? I mean, if we just look at the MO's perspective, there is an inside interface facing the firewall, and in turn the LAN of the MO. Then there is an outside interface on the MO Contivity facing the local ISP router where the tunnel is built.
Question 1: So now, when I have traffic coming from the LAN through the firewall, reaching the inside interface on the Contivity and wanting to reach the BO LAN, it will be encrypted in the tunnel going over the local ISP to the BO ISP for the tunnel. So when the Contivity needs to figure out how to reach the BO ISP address, which default route will it use? /0 or /32? Or another static?
Question 2: Now the traffic returns from the BO, coming into the MO Contivity and being decrypted, and it wants to reach the MO LAN subnet. So which default route will it use to reach the MO LAN from the MO Contivity? /0 or /32?
thanks again Mike.
Joyce
Mihir Joshi says
Hi Mike,
I have a Contivity configured with a BO tunnel. At the remote end I am using a Nortel Secure Router as the VPN router. Earlier I had a single router only, but now the customer has procured one more link with another Nortel Secure Router. Now I want to create the BO tunnel with that router, which should get established when my existing router/link goes down. Is it possible to do this with the same Contivity at the central side, as my remote network remains the same?
Regards,
Mihir
Michael McNamara says
You can use the same physical (VPN) routers, the issue you’ll run into is how to dynamically redistribute those routes across your network. As I mentioned in some previous comments I believe you’ll need the Advanced License on the Nortel VPN Router to run OSPF to provide active/active fault tolerance between the multiple tunnels (links).
Good Luck!
duzer says
Hi Michael!
I have the same problem with my NVR 2700 at the MO and 1010/1100s at the BOs.
The 2700 has 2 × 100 Mbps NICs.
The Internet connection at the MO is 100 Mbps. At the BOs it is somewhere 2 Mbps, somewhere 1 Mbps, etc.
And I build VPNs between the MO and the BOs, somewhere IPsec, somewhere L2TP.
I have the following problem:
The speed on the WAN NIC of the 2700 (where the VPN is terminated) doesn't rise above 1 Mbps, but when I activate NAT on the WAN of the 2700 and try to download a file from the Internet I get the true speed of 100 Mbps.
Filters on all interfaces are "permit all".
Any suggestions?
Michael McNamara says
Hi Duzer,
I believe I understand the scenario... but let me just ask to be sure... you only get 1 Mbps performance over a 100 Mbps link? What's the speed of the far end branch office? You mentioned in your post that it could be 1 Mbps or 2 Mbps... so wouldn't it be in line to only expect 1 Mbps of performance across a VPN tunnel to a site that only has a 1 Mbps Internet connection?
While I have three NVR 1700s that each have a 100Mbps connection to a switch, the actual uplink to the ISP is only 50Mbps.
You could try a test and connect a 1010/1100 to the same local network as the 2700. You could then build a VPN tunnel between the two VPN routers and test the bandwidth performance between the two over a true 100 Mbps LAN.
Good Luck!
duzer says
Thanks for reply.
I was talking about the speed of the BOs in total (BO#1 has an ISP speed of 1 Mbps, BO#2 has an ISP speed of 2 Mbps, BO#3 has an ISP speed of 512 Kbps...). All these BOs terminate on the MO (2700 WAN) and the speed on the WAN interface does not rise above 1 Mbps, although the MO has an ISP speed of 100 Mbps. The 1 Mbps on the MO is divided among the BOs (MO 1 Mbps = BO#1 speed 200 Kbps although its ISP speed is 1 Mbps + BO#2 speed 400 Kbps although its ISP speed is 2 Mbps + so on). The BOs do not use all their throughput, but when I set up NAT I get the speed claimed by the ISP.
I tried connecting a 1010 locally to the LAN interface of the 2700 and got the same result. On the 100 Mbps LAN I have a 40 Kbps downstream speed. By the way, the speed on the LAN also has a threshold at 1.4 Mbps :(
Michael McNamara says
Hi Duzer,
I'm assuming that this isn't a new installation and that you've inherited this router. It sounds to me like someone was playing around with the configuration. I have two 1700s and one 1740, and all three of them can reach upwards of 6 Mbps moving traffic across IPSec tunnels. You might want to look over your configuration with a fine tooth comb... the hardware should be able to provide much more than what you are reporting.
Your symptoms don't suggest these, but you might want to look at them anyway: MTU and NIC duplex settings.
Good Luck!
duzer says
I see! I'll try examining the 2700 config more closely. Thank you for your time, Michael.
Michael McNamara says
Hi Duzer,
Out of the box (default configuration) there shouldn't be anything present to "throttle" the connection speeds. I'm guessing by your description that someone has set up the branch office tunnels to limit traffic, which is possible.
What are you using to determine your throughput/bandwidth?
If you are using MRTG to graph the interface you need to modify the MaxBytes parameter within the MRTG configuration file. The Nortel VPN Router will report all VPN tunnels as 56 Kbps interfaces.
Cheers!
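To show what the MaxBytes adjustment above looks like in practice, here is an added MRTG configuration fragment; it is not from the original post or from Nortel. The hostname, SNMP community, ifIndex and target name are placeholders. MRTG clips any sample above MaxBytes, so a tunnel interface that advertises itself as 56 Kbps (7000 bytes/s) will never graph above that unless the value is overridden. The first target keeps the value MRTG would derive from the advertised speed; the second raises it to the real 100 Mbps link rate (12,500,000 bytes/s).

```text
# Added example MRTG fragment (not part of the original page).
# Placeholders: router.example.net, "public", ifIndex 3, target names.
WorkDir: /var/www/mrtg

# As-advertised: the VPN tunnel interface reports 56 Kbps,
# so 7000 bytes/s is the ceiling and the graph flat-lines there.
Target[bo-tunnel-clipped]: 3:public@router.example.net
MaxBytes[bo-tunnel-clipped]: 7000
Title[bo-tunnel-clipped]: BO tunnel (clipped at advertised 56 Kbps)
PageTop[bo-tunnel-clipped]: <h1>BO tunnel (clipped)</h1>

# Corrected: MaxBytes set to the physical link rate (100 Mbps = 12,500,000 bytes/s)
# so samples above 7000 bytes/s are no longer discarded.
Target[bo-tunnel]: 3:public@router.example.net
MaxBytes[bo-tunnel]: 12500000
Title[bo-tunnel]: BO tunnel (100 Mbps link)
PageTop[bo-tunnel]: <h1>BO tunnel</h1>
```

After changing MaxBytes, compare the graph against a second measurement (an interface counter read directly via SNMP, or a file transfer timed on a host) before concluding that the tunnel itself is throttled; a clipped graph and a real QoS limit look identical until you do.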
duzers says
Hi Michael !
I get statistics via Cacti.
I found a bad configuration string.
Statistics at the LAN interface:
IP QoS Forced Drops 269875
Reason: not properly configured QoS :/
Alexey says
Hello.
I'm from Russia and sorry for my bad English.
I tried to use a Contivity 1010 VPN router but it doesn't work. I saved all the files that were on the CF and tried to use m0n0wall (m0n0wall.com) with this router. But it doesn't work either. Now I want to move back to the Nortel firmware. I copied the files that I saved earlier onto the CF and tried to boot the router. It writes the message "Disk error".
I tried to download the firmware from nortel.com... it is impossible, they want strange information about me and my company...
Can you give me the firmware for this router, please?
I have a serial port cable for the Console RJ-45 port.
I tried three versions of m0n0wall (1.235, 1.315, 1.316). Only 1.235 was bootable, but it doesn't work after setting up the network interfaces.
Michael McNamara says
Hi Alexey,
I really don't have any experience "hacking" the hardware of the 1010 model (or any model for that matter). The Nortel software is covered by export restrictions since it has 128-bit encryption built into it; this is probably the strange information you are speaking about when you tried to download the software.
Sorry I can’t be of more help. Good Luck!
Alexey says
Oops. I forgot. My router model is Contivity 1010.
Alexey says
Damn Contivity, it doesn't work properly with any distribution of m0n0wall or pfSense. Please help me get the Nortel firmware for this router :-(