Windows Small Business Server 2003 Basic Firewall


#1
NPR Man

Hello,

I am a consultant working with a company that uses Nortel Contivity client. I am having many problems using this VPN client.

My normal setup, which has worked with several VPN clients including Nortel, is 8 PCs, including 1 SBS and 1 W2k3 server, all attached to a switch. On the SBS, I have dual NICs, one for internal and one for external; in between them is the Basic firewall and NAT. Usually I also have an Edimax dual WAN router on the external NIC with Cable on one WAN and DSL on the other. This configuration has served me well; the bandwidth aggregation is great and if one or the other of my ISPs went down over the last 3 years, I never noticed.

Anyhow, I am never able to connect with the Nortel client to this particular VPN site. I always get "Remote Host not Responding". By the way, this is a client PC on the network, not the server I am trying to connect with. If I connect the DSL directly to this client PC, the VPN works (not a good situation though). If I connect the client PC to the router, and of course the WANs are connected as normal, the VPN works this way also.
However the combination does not work (double NAT'ing???). The final configuration I tried is the SBS external NIC to the DSL and the internal setup the regular way. This does not work. Everyone on the network has internet, my Cisco and MS VPNs work, but not this Nortel. So I think I have narrowed it down to the SBS, and I need to know what it would take to get this working properly.

I was told by their tech support that UDP port 500 should be allowed as well as Protocol 50 and 51. I do not know how to enable protocols 50, 51 or otherwise, but I switch off the firewall and it still does not work. The final recommendation is to set up a static NAT, something else I am not familiar with.

So, if there are any ideas on either how to follow their requests or any other clues as to what the problem is, I would very much appreciate it.

Thanks!

#2
gerryf

Did you upgrade the firmware/OS on the firewall? Why do you assume it is working properly if the setup has worked for you before?

#3
NPR Man

My entire network is patched by Windows Software Update Services (WSUS); the admin console leads me to believe that the server in question is patched with all the latest updates.

The other VPNs are CURRENTLY working, so the setup is OK for those particular VPNs. I am not assuming that the setup is correct, it obviously is not.

Just looking for ideas.

#4
gerryf

No, I mean the actual firewall device--why do you assume it is working properly? Perhaps I am misreading you... I am thinking you have a hardware firewall and I wonder if it is possible that the real issue here is just a malfunctioning piece of hardware... when you bypass that, it seems to work, no?

#5
NPR Man

I see what you are saying. Actually the hardware firewall works fine without the SBS in the way.

When I eliminate SBS AND HW FW it also works.

So two workarounds. However, for my sanity, it is difficult to flip-flop configurations and since the culprit, by process of elimination, is the SBS, I am looking to figure out how to properly configure its software based firewall for this VPN. Honestly I do not think it is the SW based FW as I can shut it off and still it won't work. I am pretty sure the answer lies in the dynamic NAT and I have heard terms such as NAT-Traversal. However, the site claims their version of Nortel does not support NAT-T and suggests I go with a static NAT.

I am a victim of MS wizards, I got the thing working, but have no understanding.
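
An added illustration, not part of the thread: a simplified Python model of the three traffic types tech support named (UDP port 500, protocols 50 and 51) passing through a port-translating dynamic NAT versus a static one-to-one NAT. The addresses, the class names and the assumption that the dynamic NAT has no IPsec passthrough helper are constructed for the example and do not describe the poster's SBS configuration.

```python
# Added illustration; names and addresses are constructed, not from the thread.
from dataclasses import dataclass
from typing import Optional

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51   # IP protocol numbers
IKE_PORT = 500                                # IKE runs over UDP 500

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ESP and AH have no port fields
    dport: Optional[int] = None

class DynamicNat:
    """Port-translating NAT; assumed to have no IPsec passthrough helper."""
    def __init__(self, public_ip):
        self.public_ip, self.table = public_ip, {}

    def outbound(self, p):
        if p.sport is None:   # nothing to key a port mapping on
            return None, "dropped: no port to map"
        key = (p.src, p.sport, p.proto)
        port = self.table.setdefault(key, 40000 + len(self.table))
        return Packet(self.public_ip, p.dst, p.proto, port, p.dport), "translated"

class StaticNat:
    """One-to-one address mapping: all protocols forwarded, ports untouched."""
    def __init__(self, mapping):
        self.mapping = mapping

    def outbound(self, p):
        out = Packet(self.mapping[p.src], p.dst, p.proto, p.sport, p.dport)
        if p.proto == PROTO_AH:   # AH authenticates the outer source address
            return out, "forwarded, but AH check fails at peer"
        return out, "forwarded"

def survey(nat, client, gateway):
    """Return {traffic type: verdict} for IKE, ESP and AH through `nat`."""
    flows = {"IKE": Packet(client, gateway, PROTO_UDP, IKE_PORT, IKE_PORT),
             "ESP": Packet(client, gateway, PROTO_ESP),
             "AH": Packet(client, gateway, PROTO_AH)}
    return {name: nat.outbound(pkt)[1] for name, pkt in flows.items()}

# Constructed sample addresses (client, remote VPN gateway, NAT public side).
CLIENT, GATEWAY, PUBLIC = "192.168.16.20", "203.0.113.10", "198.51.100.5"

if __name__ == "__main__":
    print("dynamic:", survey(DynamicNat(PUBLIC), CLIENT, GATEWAY))
    print("static: ", survey(StaticNat({CLIENT: PUBLIC}), CLIENT, GATEWAY))
```

In this model the key exchange on UDP 500 gets through either NAT, but ESP only crosses the static mapping, which is the case the remote site's static NAT suggestion addresses for a client without NAT-T.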

#6
gerryf

OK, so I misread you then....

How are your clients obtaining IP information? Static or dynamic? Obviously it is partially working since you have Internet on the PCs. How are the IPs assigned to your SBS server's two NICs?

Is the Nortel Contivity client installed on the servers? Can you access the SBS server (the first in the line from the router)?

#7
NPR Man

All clients receive their IP assignments through the DHCP server on the SBS. I have certain non-PC devices that have reservations: an AP, a network printer and a "Smart Switch".

The two NICs on the SBS are static IP on two different subnets 192.168.16.x and 192.168.1.x

I tried three different machines with the Contivity client; all were clients of SBS. I did not try on the SBS machine itself because my policy is to leave it alone. It is my PDC, Exchange, SQL Server etc....

I am not trying to establish a point to point VPN, if that is what you're getting at?

#8
gerryf

No, just want to isolate where the break may be occurring--on the int NIC or ext NIC of the multihomed SBS server.

#9
NPR Man

> No, just want to isolate where the break may be occurring--on the int NIC or ext NIC of the multihomed SBS server.

So you want me to install the client on the SBS server? What steps should I take after that?

By the way, I may not have come across that way, but I really do appreciate the help.

#10
gerryf

See if you can connect to the SBS server... if you can, you know the issue is on the interior network interface; if not, we will focus on the exterior NIC.

#11
NPR Man

> See if you can connect to the SBS server... if you can, you know the issue is on the interior network interface; if not, we will focus on the exterior NIC.

You understand I am not trying to use SBS VPN solution. I am trying to connect to a remote system from behind the SBS with a Nortel client...

#12
gerryf

Yes, this is just a temporary setup to determine where the disconnect is occurring. I know you think it is on the SBS Server, but what we do not know is on what interface the block is occurring.

Think of the SBS server as a 10 foot hallway with two doors- each door represents a NIC (one door leads to the outside, the other to the inside). At the moment, I do not care what is in the hallway (the SBS server functioning)--I just want to know if either or neither of the doors are locked.

If you install the Nortel Contivity client on the server, and can talk to it, then we know the block is on the interior NIC interface.

If you cannot talk to the SBS server at all once the Nortel Contivity client is installed, we know it is on the EXTERIOR interface.

#13
NPR Man

Well, that was pretty much a disaster. :blink: The SBS is hosed. Well, not totally, I was able to bring the internal network back to life after uninstalling Nortel and reconfiguring the NICs that got hosed. Now it refuses to make a connection to the internet.

I am making a backup now and will probably reinstall..... :whistling: