Comments on: Nortel VPN Router Configuration Guide

By: Michael McNamara

Michael McNamara — Thu, 08 Mar 2012 04:26:26 +0000

In reply to Mike. Hi Mike, That's an interesting problem and I have some additional questions. Unfortunately it's a little off topic for this post and since there are 50+ people subscribed to this thread I want to keep the discussion on-topic. If you post your question/problem on the discussion forums I'll be sure to reply as will a few others probably. Cheers!

By: Mike

Mike — Thu, 08 Mar 2012 02:17:34 +0000

Hi Mike, i have kind of a weird thing going on with my contivity 600, i thought you would be the man to ask. I can log in with my VPN client from my home PC and connect to my VPN with no problem. The thing is that once i log in to my VPN network (122.225.x.x), i am unable to ping anything outside of the 122.225.x.x network range UNLESS i ping the gateway of the router (122.225.x.254). Then everytime after i do that, i can ping everything within my 122.x.x.x network. Any thoughts? Thank you sir!!

By: Michael McNamara

Michael McNamara — Fri, 13 Jan 2012 03:59:54 +0000

In reply to Thomas.

Hi Thomas,

Unfortunately I believe that hardware has already been EoL by Avaya.

http://support.avaya.com/css/P8/documents/100120822

Sorry.

By: Thomas

Thomas — Thu, 12 Jan 2012 08:00:42 +0000

HI MICHAEL,

I need two “Advanced routing licenses” for Nortel 1750, please helpme leting me know what part number it is, and who could be able to provide it.
Now, if some one from the forum is able to provide these, please letme know to tbravot AT yahoo.com

Regards

Editor: updated to remove the email address and save the SPAM.

By: Michael McNamara

Michael McNamara — Fri, 02 Dec 2011 16:23:29 +0000

In reply to David Fletcher.

Hi David,

Sorry for the late response… what’s the route for the tunnel you are working with?

It’s not a default route is it? 0.0.0.0?

Cheers!

By: David Fletcher

David Fletcher — Mon, 28 Nov 2011 20:52:10 +0000

Even setting the cost to the max value of 200 on the static still does not force it to take preferance. Here are 2 sh ip routes. There first is with the static tunnel disabled and the second is with it enabled. Once I enable it it replaces the RIP default route and brings the first tunnel down. Any more suggestions I could try?

CES#sh ip route
Protocol IP Address      Mask            Cost Next Hop        Interface
------------------------------------------------------------------------
RIP      0.0.0.0         0.0.0.0         [13] 66.162.203.82   68.153.238.18
STATIC   0.0.0.0         255.255.255.255 [10] 68.153.238.17   68.153.238.18
DIRECT_N 10.39.0.0       255.255.248.0   [0]  10.39.0.3       10.39.0.3
DIRECT_H 10.39.0.2       255.255.255.255 [0]  127.0.0.1       127.0.0.1
DIRECT_H 10.39.0.3       255.255.255.255 [0]  127.0.0.1       127.0.0.1
STATIC   66.162.203.80   255.255.255.252 [10] 68.153.238.17   68.153.238.18
STATIC   66.162.203.82   255.255.255.255 [10] 68.153.238.17   68.153.238.18
DIRECT_N 68.153.238.16   255.255.255.248 [0]  68.153.238.18   68.153.238.18
DIRECT_H 68.153.238.18   255.255.255.255 [0]  127.0.0.1       127.0.0.1
Total route(s) 9
CES#
CES#
CES#
CES#sh ip route
Protocol IP Address      Mask            Cost Next Hop        Interface
------------------------------------------------------------------------
STATIC   0.0.0.0         0.0.0.0         [200] 97.75.157.210   68.153.238.18
STATIC   0.0.0.0         255.255.255.255 [10] 68.153.238.17   68.153.238.18
DIRECT_N 10.39.0.0       255.255.248.0   [0]  10.39.0.3       10.39.0.3
DIRECT_H 10.39.0.2       255.255.255.255 [0]  127.0.0.1       127.0.0.1
DIRECT_H 10.39.0.3       255.255.255.255 [0]  127.0.0.1       127.0.0.1
STATIC   66.162.203.80   255.255.255.252 [10] 68.153.238.17   68.153.238.18
STATIC   66.162.203.82   255.255.255.255 [10] 68.153.238.17   68.153.238.18
DIRECT_N 68.153.238.16   255.255.255.248 [0]  68.153.238.18   68.153.238.18
DIRECT_H 68.153.238.18   255.255.255.255 [0]  127.0.0.1       127.0.0.1
Total route(s) 9
CES#

Thanks so much!

By: Michael McNamara

Michael McNamara — Mon, 28 Nov 2011 20:45:29 +0000

In reply to David Fletcher. Hi David, You should be able to make the static route more costly.... so your RIP route will be preferred and then in it's absence the static route will take over. When you define the remote IP network in the branch office profile just set the COST to a value higher than your RIP route/tunnel. Cheers!

By: David Fletcher

David Fletcher — Mon, 28 Nov 2011 20:34:59 +0000

Anthony,

Here are the password recovery procedures.

Unplug the router for 30 seconds, and then restart it. Push in the button labeled “REC” located on the back panel of the router within the pinhole.
Open your internet browser and access the router’s user interface. Type “192.168.1.1” into the address bar.
Click the “Restore original factory settings” button, then click on the “Restore” button. Once the process is complete, you will receive a message stating “Successful Factory Restore.”
Restart the router again. The factory settings will have been restored to the router. The user ID will now be “admin” and the password will be set to “setup.”

David

By: David Fletcher

David Fletcher — Mon, 28 Nov 2011 20:22:22 +0000

This is the most helpful page I have found anywhere for setting up nortel VPN tunnels. I have one question. Is it possible to change route preferences (AD in cisco terminology). I’ve got 2 tunnels…one with RIP routing and one with static routing. RIP tunnel is the primary and the static is the backup but since its static it is taking priority. I’ve working on this off and on for over a month and any help would be greatly appreciated.

Thanks!!

By: Ray

Ray — Thu, 03 Nov 2011 18:06:12 +0000

In reply to Ray. Never mind, forgot that the options are available in both the defined pool and the main DHCP server config. All fixed.

By: Ray

Ray — Thu, 03 Nov 2011 10:57:47 +0000

I have a 1010 setup as a BO that I also need to operate as a DHCP server. I have the connection up and DHCP is handing out IP addresses, but I get no DNS resolution to MO. Outbound routing is set to Private Private, I have tried adding option 6 to the DHCP server pointing to DNS servers in the MO, but that didn’t work (they don’t even list when you look at a computer that picked up it settings from DHCP). Any help is greatly appreciated.

Thanks,

Ray

By: anthony benny

anthony benny — Tue, 27 Sep 2011 11:38:52 +0000

Hi Michael,
I have an issue with a nortel contivity 1100. For some strange reason ( which I can’t explain) I am unable to get into, I’ve tried all the passwords and even reset it which it says is booting from the recovery image but still unable to get into it. any ideas?

By: Michael McNamara

Michael McNamara — Mon, 26 Sep 2011 23:35:19 +0000

In reply to Rune Gøgsig.

Hi Rune,

You’ll need a support contract from Avaya to upgrade the NVR 1010. I also believe they have been discontinued so I’m not sure Avaya would even sell you a support contract. Your best bet would be to contact your Avaya sales engineer.

Good Luck!

By: Rune Gøgsig

Rune Gøgsig — Mon, 26 Sep 2011 09:42:56 +0000

Any one having a newer version of the software for conectivity 1010. My version is V04_80.124 ?
Or where i can download it.
rune AT goegsig dot dk

By: Michael McNamara

Michael McNamara — Fri, 03 Jun 2011 02:18:15 +0000

Hi Juan,

I would check and re-check your configuration. If you are using aggressive mode what are you using to authenticate the connection? Are you sure you have the same Initiator ID on both VPN routers? Have you enabled the Branch Profile on both VPN routers? (I believe it defaults to disabled). Are you sure you are using the same pre-shared key on both VPN routers?

Good Luck!

By: Juan Manuel

Juan Manuel — Mon, 30 May 2011 22:55:55 +0000

Hi Michael

I am trying to make a VPN between 2 Nortel contivity equipments, in my side the equipment is 1010 and it is connected to a DSL service through PPPoE.
I am getting the static public IP address direct to the device, the ISP device is working as a bridge.

in the other side they have a PUBLIC IP to make the connection and have other offices connected

We are setting up the VPN as initiator-responder with 3DES 1024 bits group 2 IPSEC, Preshared Key and No NAT.

unfortunately i have not been able to establish the connection I am receiving always the error:

FAILED LOGIN ATTEMPT
IPSEC 192.x.x.x. has no active sessions
IPSEC 192.x.x.x. has no active accounts
DELETING ISAKMP SA with 192.x.x.x.

any advise of what is wrong?

thanks in advance.

Juan

By: Michael McNamara

Michael McNamara — Fri, 01 Apr 2011 22:28:51 +0000

In reply to Gerd.

Hi Gerd,

You need to modify the FW/NAT table to utilize the new IP addresses. You’ll need to launch a Java based utility from the Contivity management interface.

Good Luck!

By: Gerd

Gerd — Wed, 30 Mar 2011 12:57:42 +0000

Michael,

I have a 1010 operating here with a block of 8 public IP’s, used for different purposes, mainly through NAT. I now had to an additional block of 8 IPs, naturally in a complete different range. These are not recognized by my current config; I assume I have to add them to the 1010s configuration but I have now idea how. Any help would be appreciated!

Thanks

By: Michael McNamara

Michael McNamara — Sat, 19 Mar 2011 16:26:05 +0000

In reply to Luger.

Hi Luger,

You can find the manuals on the Avaya support website which is here – http://support.avaya.com/css/Products/P0815/Installation,%20Migrations,%20Upgrades%20&%20Configurations

Within the Avaya VPN Router management GUI you should find Backup (or Auto Backup) under the Admin tab. From this point you can configure a FTP server to backup the entire system to although the FTP destination needs to be on the LAN side of the VPN router.

Good Luck!

By: Luger

Luger — Fri, 18 Mar 2011 19:07:10 +0000

I need to know how to do a backup with the contivity 1010 via GUI. It is inherited and I am not familiar. Also, is there an admin guide I can find anywhere?

By: Michael McNamara

Michael McNamara — Sun, 06 Feb 2011 16:30:31 +0000

In reply to ibrahim. Hi Ibrahim, You should probably download the documentation and read it over... setting up a VPN for the first time is not a trivial matter and can be quite complicated depending on your configuration. Cheers!

By: ibrahim

ibrahim — Tue, 01 Feb 2011 13:13:17 +0000

In reply to Michael McNamara.

HAI,

We have installed new broadband connection. DSL router itself doing natting function. We have a nortel contivity 1010 box. We need to connect it to the DSL router. Could you suggest us how to proceed.

Thanks
Ibrahim.

By: Michael McNamara

Michael McNamara — Mon, 20 Dec 2010 01:58:38 +0000

In reply to Devendra. Hi Devendra, Assuming that the NVR (formerly Contivity Extranet Switch) has a default route to the Internet that includes the main office peer IP all you should need to-do is to change the remote IP address under the branch tunnel connection profile (Profiles -> Branch Office -> Group -> Connection). Good Luck!

By: Devendra

Devendra — Sun, 19 Dec 2010 22:06:30 +0000

I have to replace peer IP on VPN Router CES1600D
through GUI . what other entries need to replaced apart from peer ip. Head office has PIX for IPSec VPN
can you provide vpn configuration document for Nortel router CES1600D.

By: Urri

Urri — Fri, 03 Dec 2010 14:04:10 +0000

In reply to Alexey. Hi Alexey! Have you any CF image from 1xxx device? I have problems with CF on my Contivity 1100.