CISCO NORTEL compatibility 5

[jurki]

Hi everybody,

Does someone could answer this question:

Are there compatibility issues connecting CISCO 3000 series VPN and Nortel Contivity VPN?

or more generally, are there compatibility issues between vpn from different manufacturers?

Thanks in advance for your help!

 

[Crutcher]

Yes, there is compatablitiy issues. You will probably get error message to the effect of "cannot create socket 10048" from the nortel VPN. Even if the Cisco VPN software is not running it still wont be able to create the socket. I dont know of a way it is possible to have both clients on one PC.

Hope this helps,
Joe Crutcher
A+, Net+

 

[robyno]

Not only are they not compatible but Cisco, Nortel and Symantic Enterprise when installed together can really mess up your network settings and cause windows to fail. They need to deal with the compatibility issues it is ridiculous. So many of us in business need access to multiplke networks.

 

[vhp4315]

I have another question along the same line - does anyone know of compatibility issues between Cisco IOS and Nortel lan2lan VPN connections?

Thanks.

 

[netmanrick]

The ONLY way that I have had Cisco and Nortel VPNs' coexist is to disable the services for the installed vpn before installing another client.
This also means you will have to manually start the cient services before you attempt to use the client.

Rick Harris
SC Dept of Public Safety-DMV
Network Operations

 

[vhp4315]

Thanks - I am talking about the concentrators/routers, but the client issue is also good to know.

Do you know if the industry standard configuration options of ISAKMP/ESP 3des, DH, etc., can negotiate a site to site tunnel between Cisco and Nortel devices? There are no clients being used.

Thanks again.

 

[tbissett]

As far as site-to-site VPNs go, I have connected PIX to Nortel and VPN3000 to Nortel with only minor issues during the config. Most modifications need to be made on the Cisco end simply because Cisco (in my opinion) offers greater flexibility in configuring site-to-sites. Nortel doesn't let you get into the IKE proposals, etc. so much.

 

[pwambach]

With regard to the client software. Version 4.0.1 of Cisco is now completly compatible with Nortel VPN client software. The older version's of cisco would uninstall Nortell during its own install.

 

[vhp4315]

Thanks for the input everyone - got a site up yesterday with a Cisco 7204 router and a Nortel Contivity 2600 - NO issues...

Since they are both using acceptable industry standards for the ISAKMP and IPSEC parameters there was no issue.

 

[CPUSmith]

Can you tell us what the configurations settings were for each side?

 

[hyildirim]

I successfully established VPN between CISCO PIX and Contivity (site-to-site). The only problem i am still experiencing is to keep the VPN alive. It only works if the VPN is initiated from the Contivity side. Once i ping or generate any kind of traffic from the Contivity side (network behind Contivity), it re-establishes VPN and adds it to the connected subnets. Contivity is pretty up to date where PIX has pretty old firmware. Has anybody experienced such issue?

 

[rcasta]

vhp4315,

Could you please post your Cisco 7204 router and a Nortel Contivity 2600 site-to-site tunnel configurations?

Thank you !!!

 

[vhp4315]

Unfortunately I can't post the nortel side - it's on the customer side and I can't get it and I'm not too familiar with that vendor/product line. I do know that he had to disable the vendor ID fields on his end...

Here is a config that should work for a router should you have the right info to plugin...

CRYPTO IKE POLICIES TO MATCH DIFFERENT REMOTE ENDS w/ DIFFERENT POLICIES
crypto isakmp policy 5000
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5001
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 5010
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address <peer address>
!
crypto map headendmap 10 ipsec-isakmp
set peer <peer address>
set transform-set vpnheadend
match address cryptoacl1
!
ip access-list extended cryptoacl1
permit ip <local network> <wildcard mask> <remote network> <wildcard mask>
deny ip any any

 

[rcasta]

Thank you !

By the way, perhaps I am out of line when asking this question. But since this tunnel-Cisco router and Contivity- will be used as a backup of a T1 link, can the Contivity speak OSPF with a Cisco router? This way, whenever the T1 link goes off, the remote node, which is a Cisco router, may set up the tunnel against the Contivity. And the routers that reside with this vpn concentrator may then know that now the Contivity is their way to remote node networks. Does it add up?

Cheers,