This single client supports the following operating systems (in both 32-bit and 64-bit versions);

• Windows XP
• Windows Vista
• Windows 7
• Windows 8

Resolved Issues

• wi01041435 – Traffic to overlapping network of Split net and Local net got blocked.
• wi01031645 – AVC SwapAdapter feature does not reprioritize the VPN Adapter binding order for SSL tunnel types.
• wi01011920 – AVC may Orphan NetBT NameList registry entries if ungracefully terminated.
• wi01047768 – NVR interoperability – banner issues with specific IP address pool for Windows 7 users
• wi01043584 – Installing AVC over same version in silent mode causes error
• wi01058523 – AVC 10.06.104 IPSec Tunnels might drop during server initiated rekey
• wi01049421 – Unsigned EAC Miniport Driver Blocked by Windows XP OS. A new binder.exe utility has been included in the installation directory (default: %ProgramFiles%\Avaya\Avaya VPN Client) on Windows XP systems to assist with remediating this issue.
• wi01056647 – AVC may crash when connecting through an unstable wireless access point
• wi01059319 – Sometimes WINS Servers may not take effect in Windows XP
• wi01068400 – Dial-up not working properly on 32 bit platforms
• wi01028196 – AVC fails to properly identify Windows XP x64 operating system which may result in improper client operation
• wi00951988 – Unsupported Installation Change is not disabled properly.

Activation of VPN Adapter Failed

wi00928966 – Users who upgrade from a v10.05 or earlier release to v10.06 on Windows XP may receive the following error dialogue when attempting to establish an IPSec VPN tunnel – “Activation of VPN Adapter Failed”. This issue occurs when the AVC filter driver is not upgraded correctly during software installation.
As a precautionary measure, rebooting the machine before an upgrade installation is highly recommended. If the problem does occur, the workaround would be to uninstall and then reinstall the client. Please note, uninstall will remove all profiles and configurations. If users want to carry them over to the following reinstallation, they can use the Import/Export feature to export them before uninstall and import them back after reinstallation. For more details about the Import/Export feature please see Section 7 of this document.)

You should refer to the release notes for all the details, including the interoperability issues.

AVC32-10.06.200.exe (32-bit Windows XP, Windows Vista, Windows 7, Windows 8)
MD5: 006e21051924d92634b62600c071418b
AVC64-10.06.200.exe (64-bit Windows XP, Windows Vista, Windows 7, Windows 8)
MD5: 34c860667260ce196139521196fca946

Cheers!

• Windows XP
• Windows Vista
• Windows 7

This release appears to be primarily geared around the Avaya re-branding effort so I wouldn’t advise that you rush out and upgrade right away.

“Nortel VPN Client” is been rebranded as “Avaya VPN Client”
With the transition from Nortel to Avaya, the product “Nortel VPN Client” has been renamed as “Avaya VPN Client”. Some preliminary rebranding was done in earlier releases. In this release, remaining components have been completed, including installer, install path, driver names and etc.

Here are the few “resolved” issues;

• wi00883754 Unsupported Change/Repair options appear in Programs and Features
• wi00872243 Long message gets trimmed in the app launch wait dialog.
• wi00877055 During upgrade install, previously installed PLAP component may fail to show up.

You should refer to the release notes for all the details.

AVC32-10.05.012.exe (MD5SUM HASH – e0d516cdf9a813df3243f59612f81340)

AVC64-10.05.012.exe (MD5SUM HASH – 57f490235bdd0dce0226e374d871f908)

Cheers!
Update: September 20, 2011

Avaya has release v10.05.100 which can be found here, I’m going to close comments on this post.

• Windows XP
• Windows Vista
• Windows 7

The following issues have been identified and resolved according the the release notes;

• wi00875648 – Certificates with UTF-8 encoded issuer name can’t be selected.
• wi00875671 – Sometimes users might get “Unhandled exception” error when trying to select a certificate or display its details.
• wi00875676 – Pre-application launch command line not saved properly.

In the past I attempted to host the client files and I quickly ate through my 40 GB/monthly quota on my host. I’m going to attempt to-do this again however I will most likely change the URL from time to time to guarantee that people aren’t hot-linking to it.

• NVC32-10.04.109.exe (MD5SUM – 9f100688562386a60766d6837a2116de)
• NVC64-10.04.109.exe (MD5SUM – 32ad85f400315581343a2bb20233fc13)

I may also restrict access to only ARIN based IP addresses, again I’ll have to see how things go the second time around.

Cheers!

Updated Saturday May 7, 2011

I’ve added MD5 hashes for both the files.

Updated Tuesday September 20, 2011

Avaya has release version 10.05.100 which can be found here, I’m going to close comments on this post.

• Windows XP
• Windows Vista
• Windows 7

The new client is now rebranded as the Avaya VPN Client, although the installation routine still bears the name “Nortel VPN Client” in the title bar and the desktop icon created by the installation gets the label “Nortel VPN Client”. The new client also supports a (completely) quiet installation;

Previously, when users install the client, they need to acknowledge UAC prompts before the installation can continue. If they do not want the UAC prompts to show up, they would have to manually install Avaya certificate to the Trusted Publisher store, or check on the “Always trust software from Avaya Inc.” during earlier installation NVC. In this release, a new option is introduced that the procedure can be automated. To use it, users will need to pass in “TrustAvaya=TRUE” (the “TRUE” must be in uppercase) to the installer at command line (in administrative context). For example,

C:\NVC32-10.04.108.exe /S /v”/qn TrustAvaya=TRUE”

or

C:\msiexec /i “Nortel VPN Client.msi” /qn TrustAvaya=TRUE

There are quite a few bugs resolved in this release including the following;

• wi00568576 Wireless users are disconnected intermittently. IPSec users which are behind a wireless cable modem are disconnected intermittently. Users are able to authenticate successfully, but after some time they get disconnected and the client pops up the message “VPN tunnel is disconnected due to routing table change”. This is because the operating system changes the metric of wireless interface according to various parameters when Automatic Metric option is enabled. This is the default configuration for network interfaces in Windows. This causes the client to consider that the routing tabled has been hacked and disconnects the tunnel.
• wi00595275 Screen Saver policy enforced at user level only. End user machine’s screen saver settings can be enabled at user level or group level (via Active Directory group policy). When the VPN client enforces the screen saver policy (pushed from server), it only checks the user level setting.
• wi00595280 Unable to ping the local interface after a tunnel is disconnected. The issue occurs on Windows Vista/7 with mandatory tunneling only.
• wi00666178 Inaccurate message when the QOTD banner message is not received. If the quote-of-the-day banner message gets lost (due to networking issue), the tunneling attempt failed with error message of “User did not acknowledge the banner”, which may confuse users. The message has been reworded as “The banner message from the VPN Router was not received, or the user didn’t acknowledge the banner. Please contact your Network Administrator or Helpdesk for assistance.”
• wi00823633 On Windows XP the client fails to start if only Microsoft .NET 4.0 is available. On machines that have only .NET Framework v4.0 but no v3.5 or earlier versions available, the client fails to start.
• wi00840078 Local IP address is unreachable on Windows 7. On Windows 7/Vista, when a tunnel is up (in mandatory tunneling mode), the local host IP address is not accessible.
• wi00595473 Preconfigured profiles were not displayed in some cases.
• wi00841234 NVC GUI takes very long time to launch up when using IPSec profiles having saved passwords.
• wi00827126 Certificate based SSL tunneling fails when EACA (NHA/TG) is enabled. When Avaya EAC Agent (formerly Nortel Health Agent or TunnelGuard) is enabled, certificate-based SSL tunneling attempt will fail with error of “Banner fetching failed.”
• wi00830401 On Windows 7/Vista the DNS settings for the VPN connection is not used if the connection is through a mobile broadband card connection. It’s an issue with the operating system’s DNS resolution. Please use Microsoft’s workaround described here: http://support.microsoft.com/default.aspx?scid=kb;en-us;311218
• wi00841109 Occasionally tunneling attempts may fail with error of “Activating VPN adapter failed” error is displayed.
• wi00841089 Sometimes the log clear function doesn’t work. The log shows there are query errors.

A number of readers posted comments to the previous software release, Nortel VPN Client Release 10.04.016, around the first issue above where users were getting disconnected with the following message; VPN tunnel is disconnected due to routing table change. If you don’t feel like upgrading the client you can implement a workaround provided by a reader.

You can find the complete release notes right here.

You can find the client software on the Avaya support website.

I’m going to make the AVC software available here unless I’m contacted by Avaya.

NVC64-10.04.108.exe (64bit)
NVC32-10.04.108.exe (32bit)

Cheers!

Updated Sunday April 10, 2011

I can no longer host the Avaya VPN client software do to the enormous bandwidth utilization on my host. In addition there are just too many people abusing my gesture. I had a single IP address from China download the client software so many times that it consumed 10GB of bandwidth.

• Windows 7: Home Basic, Home Premium, Professional, Enterprise and Ultimate
• Vista: Home Basic, Home Premium, Business, Enterprise, and Ultimate
• XP: Home, Professional, and Tablet

There are quite a few resolved bugs in this release and quite a few known issues. I would advise everyone to read the release notes thoroughly before spending too much time troubleshooting.

You can find the actual NVC (Nortel VPN Client) on the Nortel/Avaya website and the release notes here.

Cheers!

Updated September 2, 2010
It would seem that this is a very popular post given the number of people searching for information regarding the Nortel VPN Client (NVC) and Microsoft Windows 7. I’ve uploaded the complete documentation archive containing the installation instructions and troubleshooting instructions. In addition if you are looking for the new NVC you can download it directly from Nortel here. While the client software isn’t “licensed” it is restricted by US export laws because of it’s 128-bit (and greater) encryption capabilities.
Updated Friday December 17, 2010

I’ve added links to the 32-bit and 64-bit clients in the comments below.

Updated Sunday April 10, 2011

I can no longer host the Avaya VPN client software do to the enormous bandwidth utilization on my host. In addition there are just too many people abusing my gesture. I had a single IP address from China download the client software so many times that it consumed 10GB of bandwidth.

Updated Saturday May 7, 2011

Avaya has released v10.04.109 of their VPN client software which is available in this post.

One typical problem that some users might encounter when using the Nortel VPN client is the “Checking for banner text” message. During the initial stage of connecting the Nortel VPN client will display the “Checking for banner text” message and then either become unresponsive or report to the user that the connection was lost.

Let me paraphrase from the Nortel documentation:

A common reason for the banner message to stop responding is a firewall or router, placed somewhere along the path from the remote computer to the gateway, which blocks ESP or Authentication Header (AH) traffic. The firewall can be a personal firewall installed on the remote computer, a firewall or router at the Internet Service Provider (ISP), or a corporate firewall. In this situation, IPsec Internet Security and Key Management Protocol (ISAKMP) traffic that negotiates the tunnel establishment goes through the tunnel, but the ESP- or AH-encapsulated traffic inside the tunnel does not get through. When the banner text is retrieved through the established tunnel, the banner message or other traffic secured by the ESP or AH never reaches the client and the Nortel VPN Client continues to wait for a response from the gateway until a timeout period is reached. To resolve this issue, ensure the following traffic is allowed to pass through the firewalls along the path:

UDP protocol (17) port 500, both inbound and outbound
ESP protocol (50), both inbound and outbound
AH protocol (51), both inbound and outbound

The same scenario occurs as in the previous section if Network Address Translation Transversal (NAT-T) is configured and the firewall blocks the UDP port selected for NAT-T along the path. To resolve this issue, you’ll need to ensure the port that is being utilized can pass through the firewalls on a personal, corporate, or ISP level. You’ll need to contact whomever is managing the VPN router to determine which UDP port you might need to open.

Cheers!

Welcome to the Contivity Secure IP Services Gateway
Copyright (c) 1999-2004 Nortel Networks, Inc.

Version:                 V05_00.136
Creation date:           Aug 20 2004, 15:50:15

Date:                    07/23/1980
Unit Serial Number:      11221

Please enter the administrator's user name: admin

Please enter the administrator's password:

Main Menu:  System is currently in NORMAL mode.
1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode       FALSE
7) Allow HTTP Management            TRUE
8) Firewall Options
9) Shutdown
B) System Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes

Please select a menu choice (1 - 9,B,P,C,L,R,E):

The first step will be to configure the IP addressing for the private LAN and public WAN interfaces. Using the serial console select “L) Command Line Interface” from the menu options.

CES>

Upon entering the CLI environment the prompt will be changed to “CES>”. You must now enter privileged mode using the “enable” command entering the default admin password of “setup”.

CES>enable
Password: *********

Let’s take care of the easy stuff first. I’m currently working in the Eastern time zone;

CES#clock timezone est
CES#clock set 15:22:30 12 JANUARY 2005

You can discern from the syntax above that #clock set <hh:mm:ss> <day> <month> <year>
Now you must enter configuration mode using the commands listed below. We’ll reset the admin password before anything else.

CES#configure terminal
Enter configuration commands, one per line.  End with Ctrl/z.
CES(config)#
CES(config)#adminname admin password <standard password>

We’ll configure the private LAN IP Address. In the example below I’m using 10.2.203.1 as the LAN address of the branch office VPN router.

CES(config)#interface FastEthernet 0/1
CES(config-if)#ip address 10.2.203.1 255.255.255.0
CES(config-if)#exit

Next we’ll configure the MANAGEMENT IP Address. The LAN address and management IP address must be on the same subnet.

CES(config)#ip address 10.2.203.10
Management address set to 10.2.203.10 successfully !
Next, make sure Mgt addr and private LAN addr are on same subnet
CES(config)#

You should use the IP addressing that’s been assigned to the equipment your configuring in place of the IP addressing used above.  Next we’ll assign the public WAN IP Address provided by the Internet Service Provider (ISP) which in this case happens to be Verizon DSL;

CES(config)#interface FastEthernet 1/1
CES(config-if)#ip address 70.256.1.10 255.255.255.0
%Warning: The IP address type is changed from DHCP dynamic to static
CES(config-if)#exit
CES(config)#ip default-network 70.256.1.1 public
CES(config)#ip name-server 151.197.0.38 151.197.0.39 199.45.32.43

NOTE: FastEthernet 0/1 is the PRIVATE LAN while FastEthernet 1/1 is the PUBLIC WAN
Let’s disable those services we won’t be using and enable those we will be using;

CES(config)#no tunnel protocol pptp public
CES(config)#no tunnel protocol pptp private
CES(config)#no tunnel protocol l2tp public
CES(config)#no tunnel protocol l2tp private
CES(config)#ipsec encryption 3des-sha1
CES(config)#ipsec encryption aes256-sha1
CES(config)#no ipsec encryption aes128-sha1
CES(config)#no ipsec encryption des40-md5
CES(config)#no ipsec encryption des40-sha1
CES(config)#no ipsec encryption des56-md5
CES(config)#no ipsec encryption des56-sha1
CES(config)#no ipsec encryption hmac-md5
CES(config)#no ipsec encryption hmac-sha1

Let’s configure the “Base” default Branch Office Group with the standard settings.

CES(config)#bo-group ipsec /Base
CES(config-bo_group/ipsec)#encryption 3des-sha1
CES(config-bo_group/ipsec)#encryption ike 3des-group2
CES(config-bo_group/ipsec)#antireplay enable
CES(config-bo_group/ipsec)#no compress
CES(config-bo_group/ipsec)#initial-contact enable
CES(config-bo_group/ipsec)#exit

Let’s add a designator for the local network (to be used later – replace with your IP network)

CES(config)#network add LocalNetwork ip 10.2.203.0 mask 255.255.255.0

Let’s add a sub group for our IPsec tunnel configuration;

CES(config)#bo-group add /Base/AcmeHealth
CES(config)#bo-conn add Acme-1 /Base/AcmeHealth
CES(config)#bo-conn Acme-1 /Base/AcmeHealth
CES(config/bo_conn)#conn-type peer2peer
CES(config/bo_conn)#local-endpoint 70.256.1.10
CES(config/bo_conn)#remote-endpoint 192.1.1.124
CES(config/bo_conn)#tunnel-type ipsec
CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn)#routing type static
CES(config/bo_conn)#state enable
CES(config/bo_conn)#routing static
CES(config/bo_conn/routing_static)#local-network LocalNetwork
CES(config/bo_conn/routing_static)#remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
CES(config/bo_conn/routing_static)#exit

Let’s setup the DHCP relay agent forwarding our DHCP/BOOTP requests to 10.2.16.40;

CES(config)#no service dhcp enable
CES(config)#ip default-network 70.20.130.1 public
CES(config)#ip dhcp-relay 10.2.203.1
CES(config)#ip dhcp-relay 10.2.203.1 enable
CES(config)#ip helper-address 10.2.203.1 server 1 10.2.16.40
CES(config)#ip forward-protocol dhcp-relay

Since we’re routing everything over the IPSec tunnel (the remote-network was 0.0.0.0 with a mask of 0.0.0.0) we need to change the default route preference.

CES(config)#ip default-route-preference private private

That’s the short approach to using the CLI interface to configure the Nortel VPN Router. There is a somewhat old and slow web interface that you can also use to configure the VPN router. You only need to point a web browser to the mangement IP address.

Cheers!

Update: Wednesday December 10, 2008
Here’s the pinout for the special RJ45 to DB9 serial cable used to access the diskless VPN routers;

Cheers!

It was a challenge to understand all the different heartbeats, timeouts and protocols that were in play between the handset and the Nortel 2245 wireless gateway and ultimately the Nortel Succession Signaling Server. With any Nortel IP phone running a UNIStim protocol there is a watchdog timer on the phone that counts down from 200 seconds. The watchdog timer must be reset by a watchdog reset (heartbeat) message that gets sent out from the Nortel Succession Signaling Server. This watchdog reset gets sent every 30 seconds. If a handset, remember now any Nortel IP handset that is running a UNIStim protocol such as the i2002, i2004, 1120e, 1140e, 1150e, 2210, 2211, 6120 and 6140 misses too many of these heartbeats the phone will reset itself usually displaying the message “watchdog timeout” indicating that the watchdog timer has reached zero and the phone is attempting to recover from the problem by resetting itself. With the Nortel 2210, 2211, 6120 and 6140 you also have the SVP heartbeats and timeouts to worry about.

If you have some IP phones that are generating “watchdog timeout” message your probably loosing packets somewhere in your network. With that said I would advise anyone with such a problem to immediately contact their voice reseller and make sure their Succession Call Server and Signaling Server have the latest and greatest DEP (patches) list. Once that’s complete you’ll need to go about the task of isolating the possible locations where you could be dropping packets. If it’s a wired IP phone then the problem is much easier to troubleshoot and isolate. If it’s a wireless phone then you’ll have a few extra steps. You’ll obviously need to make sure that you have QoS (DiffServ) up and working within your environment and you’ll need to make sure that you have SVP support enabled on your wireless infrastructure. SpectraLink (recently acquired by Polycom) actually has a library of documents to help customers configure their wireless infrastructure properly to support the SpectraLink handsets.

Cheers!

Correction: August 19, 2008
The watch dog interval is actually 200 seconds long and not 120 seconds as originally posted.

Update: August 24, 2008
It would seem that this article has generated a lot of interest including several inquiries by Nortel. So I thought I would try to add some additional explanation to help more clearly describe the problems and experiences I’ve had the Nortel 2211 and 2210 wireless handsets. I won’t rewrite the original because I don’t think there is anything wrong with it, other than perhaps missing some attention to the specific details.

The Motorola WS5100 v3.x and RFS7000 v1.1 was technically broken for anyone using the Nortel 2211/2210/6120/6140 wireless handsets. The phones would often reset while idle, because of a buffering issue on the Motorola AP300 access port. These problems have been resolved (as far as my testing indicates) in the Motorola WS5100 v3.2 and RFS7000 v1.2 software release. Through our troubleshooting of this problem we learned a great deal about the Spectralink Voice Priority protocol and the UNIStim protocol. In short the Nortel wireless handsets will go into PSP (Power Save Polling) for approximately 1.5 seconds, during that time the wireless handset turns off it’s radio to help save power and preserve the battery life. The problem occurs while the phone is idle because of the PSP mode, this is why no problems are ever reported while the phone is off-hook and actively being used. While the wireless handset is in PSP mode the wireless network is responsible for buffering any packets that are sent to the handset. The SVP protocol and UNIStim protocol can generate a lot of packets causing the wireless network to discard some packets while the phone is in PSP mode. These discarded packets can, depending entirely on the timing, cause the phone to either reset or the phone to be unregistered from the Succession Signaling server.

I’ve been asked by quite a few people what can be done to help alleviate any potential issues?

• The wireless infrastructure should be configured to support the SVP protocol
• QoS (DiffServ) should be set to “Trusted” on every Ethernet switch port that will be used to connect the different equipment (Succession Signaling Server, Succession Voice Gateway Media Card, 2245, wireless infrastructure)
• Design the wireless infrastructure so there is at least -60 dB of signal available and no more than 7 wireless handsets connected to a single access point/access port.

With all that said Nortel has literally just released v97.072 software for the Nortel 2211/2210 wireless handsets. While the release notes don’t seem to indicate any changes that are specific to “watchdog” issues it might be worth giving it a shot.

Cheers!

Update: Friday September 12, 2008
I’ve placed a copy of the Nortel document WLAN IP Telephony Installation and Commissioning (v3.3) on my website. This document should be a great help to many folks that are having issues with Nortel 22×0 and 61×0 wireless handsets.

It would seem there are a lot of folks out there looking for the recovery floppy disk that can be used to recover a defective installation of a Nortel VPN Router 1700, 2700 and 5000. I believe this disk will also work with previous models such as the Contivity 1500, 2500, 2600 and 4000 series.

It is my understanding that you will still need the Administrator password in order to perform any action. If someone could confirm this I will update this article. I haven’t yet documented a way of recovering a lost Administrator password.

You will need to use “dd” or rawrite to write the image to a 1.4MB floppy disk.

http://www.michaelfmcnamara.com/files/vpnboot.zip

I don’t think this will draw the ire of Nortel but you never know. Please let me know if your are successful in booting the VPN router.

Cheers!

Update: Wednesday August 5, 2009

I’ve uploaded a copy of the Technical Service Bulletin that advises you how to factory reset the VPN router with an unknown (lost) admin password. You can find it here; http://www.michaelfmcnamara.com/files/tt-0605401b.pdf

Cheers!

We’re currently using the Nortel VPN Router 1010, 1050 and 1100 models for mid-size to large offices but needed a more cost effective solution for home office environments such as remote call center agents and other professionals. It also doesn’t help that Nortel has manufacture discontinued the 1010, 1050 and 1100 models (the bulletin from Nortel can be viewed here). There are two approaches that we are currently looking at with respect to the remote call center agents; 1) hardware solution with VPN router and IP phone; 2) software solution with VPN client and IP softphone. In this post I’m going to discuss my impressions of the Nortel Business Secure Router 222.

Let me be honest up front and tell you that I’m no fan of the Nortel VPN 200 Series Router from which this product was born. I know from opening a Nortel VPN 221 Router that it appears as if Nortel has OEM the product from Zyxel. I’m not sure if that’s still the case but the GUI of the BSR 222 looks almost identical to the VPN 221.

“The Business Secure Router 222, specifically designed for the small to medium business (SMB), is a converged broadband access router that provides a secure connection to the Internet via digital subscriber line (DSL) or cable modem broadband services. The Business Secure Router 222 is an advanced, feature-rich router offered at an affordable price.”

We tested the BSR 222 and were very happy with the results. We provisioned multiple IPSec tunnels with Triple DES encryption to a Nortel VPN Router 1700 (V06_05.140) using Asymmetric Branch Office Tunnel (ABOT) in Aggressive mode. In our previous tests with the VPN 221 router we had all sorts of issues with the IPSec tunnels staying up in Aggressive mode. With the BSR 222 we had no such issues using the exact same profile on the VPN Router 1700 we used for the VPN 221.

We also tested connecting a Nortel i2002 over the BSR 222 and found the call quality to be excellent. While I could have paired a BES 50 with the BSR 222 to provide PoE I decided to just use a power supply on the i2002. The hardware solution seems to be a very reliable and stable solution as it probably should be. I would probably guess that a hardware solution such as this would probably cost around $800 (IP ISM, IP Phone, BSR 222). Please just remember that any VPN solution is only as stable as your broadband connection to the Internet.

The default username is “nnadmin” and the default password is “PlsChgMe!”. The default IP address is 192.168.1.1 and the router can be configured from a web browser by using the URL http://192.168.1.1.

In defense of the VPN 221 router it does support a feature called “Control Ping”. When this feature was configured it allowed the VPN 221 to determine if an IPSec tunnel had become disconnected from the far side. It did this by pinging an IP address that was within the tunnel network range. If the ping failed the router would essentially restart the tunnel by disconnecting it and reconnecting it. It would also keep the tunnel active on the far side preventing any keepalive issues from arising. When I configured this feature on the VPN 221 the tunnels seemed to work flawlessly. This same feature is available on the BSR 222 and it may be required if you find your tunnels bouncing up and down.

Cheers!

We needed to assign a temporary IP address from the serial interface and then use Internet Explorer to connect to the temporary IP address. We then selected the option to “Restore” the configuration from a backup. The backup needs to be an FTP site with the appropriate username and password.

The restore took about 30 minutes to complete and never really gave any indication that it was working other than the IE logo just swirling in the upper right hand corner of Internet Explorer. We were able to use Nortel’s Java Device Manager to confirm that there was a lot of data moving over the Ethernet switch port connecting the Nortel VPN Router so we knew it was probably working.

I should point out that the Nortel VPN Router 1010, 1050 and 1100 do not have floppy drives although they may support a PROM based recovery option which would need to be executed from the CLI (serial) interface while the router booted.

It also seems that Nortel will be manufacture discontinuing the Nortel VPN Router 600, 1010 and 1100 at the end of December 2008. You can find the announcement here.

Cheers!

Since that time Nortel has added a few lower end SOHO solutions, Nortel VPN Router 200 series, to the product line which I believe are OEM’d from ZyXEL. I’m not very fond of the 200 series and I would NOT recommend them to anyone. I am, however, very fond of the 1100 series as it runs the same software that the larger models run.

Thankfully they all share the same default username and password. Unfortunately they don’t all share the same software or configuration interface.

The default username is “admin”.
The default password is “setup”.

With the traditional Nortel (Contivity Switches) VPN routers there are two internal IP addresses assigned to the one physical internal interface. One IP address is for management and the other for routing traffic. The default management IP address for these models (Nortel VPN Router 1000 Series, 2000 Series, 4000 Series, 5000 Series) is;

http://192.168.1.2

The actual traffic interface is 192.168.1.1 and the default DHCP address range should be between 192.168.1.3 – 192.168.1.254.

Cheers!