
Contivity 221 routers and VPN 1


riteeh

Programmer
Mar 2, 2004
CA
Hello,

I have 4 remote sites, each running a Contivity 221 router. My main site is running a Contivity 1010. Each 221 has a nailed up tunnel to the 1010 for remote IP phones, etc. The 1010 is configured as a responder since the 221 routers are on DSL/cable and IPs change from time to time. The 221 routers are running the latest firmware version.

My problem is at least once a week one of my branch office tunnels goes offline and never comes back until the 221 is power cycled. In the event log on the 1010 it will log off due to re-keying and then never reconnect. All the routers eventually hang and require this. One location does this every week.

When the router 'hangs', sometimes the internet is accessible, yet the VPN is down (and the router is not retrying to build the tunnel). Other times the tunnel is up and the internet is down. Normally when in this state, if I try to log in to the 221 router it is very, very painfully slow. Other times I cannot even ping it.

Has anyone had these issues with their 221 routers? My old Linksys was more reliable...
 
I should also mention sometimes the remote 221 will reconnect to the 1010 and 0 packets / 0 kbytes will move between the tunnel. When this happens I have to manually disconnect the tunnel in the 1010 and if I'm lucky that fixes it. Other times the 1010 will show 2 remote connections with the above symptoms even though there should never be more than 1.
 
We have the same setup. Try removing the nailed-up property. I found that it had issues with tunnels to the 1010.
 
Hello nsantin,

Thanks for the suggestion.

I'll try that and see if things improve. I presume the tunnels are rebuilt once torn down, providing the IP phones attempt to reconnect to S1. Hopefully this solves my problems as constantly resetting routers gets old rather fast.

Regards
 
Turn off compression, PFS and vendor ID on the 1010. I have seen that do the trick.

peace
 
nsantin,
You are correct, this is a BCM 50. I have remote IP phones at 4 locations and the 5th has another BCM 50. I've already done what you suggested and I have noticed things are much more reliable since. Thanks for your input.

norteldude78,
Thanks for the suggestions. I'll change these settings as well.

Finally this equipment is starting to run smoothly and reliably.

 
Hi Gentech,

I have a Contivity 221 and 1010 as well. I managed to set up a peer-to-peer tunnel with no problems at all. But like yourself, my 221 is sitting on a dynamic DSL link. I set the 1010 as a responder but I cannot get the 221 and 1010 to see each other.

I've tried setting the negotiation mode on the 221 to both Aggressive and Main but both don't work.

Can you please give me some ideas on how to set the tunnel up with a dynamic IP?

thanks,
Wild.
 
Hello Wild,

Sorry for the delay in responding. I didn't have thread notification turned on. I am in the exact same boat as you are.

What I did was open a free account at dynamicdns.org. Dynamicdns.org allows you to have 5 free dynamic hosts before you have to pay for service. It's only $10 a year above that. The 221 routers can be configured to update a dynamic DNS account automatically. The first thing you need to do is set up a dynamic DNS host in your account with dynamicdns.org. Log in and go to System » DDNS. From there you need to provide your DDNS username, password, and the hostname you signed up for (example: testing.dyndns.ws). Also check the "Active" and "DDNS Server Auto Detect IP Address" boxes.

In your 1010 specify the hostname that you signed up for, and that should get you up and running.

- gentech
 
Also for the VPN connection my tunnel config on the 221 looks like this:

- Aggressive mode selected
- I'm using pre-shared key authentication
- IP policy: local 10.10.2.0 / 255.255.255.0 | remote 10.10.1.0 / 255.255.255.0
- Local ID type: email (you can use any option here)
- Content: anything@whateveryouwant.com (because I'm using email)
- Peer ID type: IP
- My IP address: 0.0.0.0
- Secure gateway address: IP or hostname of your 1010



Contivity 1010:

- Tunnel type: IPSec
- Connection type: responder
- Initiator ID: anything@whateveryouwant.com (must match value on 221)
- Shared key (must match that of the 221 of course)
- IP config: static

- Local network: (create one)
  IP Address    IP Mask          Cost    Enabled
  10.10.1.0     255.255.255.0    10      TRUE

- Remote network:
  IP Address    IP Mask          Cost    Enabled
  10.10.2.0     255.255.255.0    10      TRUE
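
The two-sided configuration above only works when the identity, shared key and network definitions on each end mirror each other. This is an added example, not part of the original post or any Nortel tooling: a consistency check over both ends' settings, where the dictionary key names and the shared key value are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample values mirroring the settings posted above. The key names
# are hypothetical labels for this example, not Contivity configuration keys.
BRANCH_221 = {
    "local_id": "anything@whateveryouwant.com",
    "psk": "example-shared-key",  # constructed placeholder
    "my_ip": "0.0.0.0",
    "local_net": ("10.10.2.0", "255.255.255.0"),
    "remote_net": ("10.10.1.0", "255.255.255.0"),
}
HUB_1010 = {
    "connection_type": "responder",
    "initiator_id": "anything@whateveryouwant.com",
    "psk": "example-shared-key",
    "local_net": ("10.10.1.0", "255.255.255.0"),
    "remote_net": ("10.10.2.0", "255.255.255.0"),
}

def to_network(pair):
    """Build a network from (address, mask); raises ValueError on host bits."""
    return ipaddress.ip_network(f"{pair[0]}/{pair[1]}", strict=True)

def check_tunnel(branch, hub):
    """Return a list of mismatches between the two ends (empty means consistent)."""
    problems = []
    if branch["my_ip"] == "0.0.0.0" and hub["connection_type"] != "responder":
        problems.append("branch has no fixed IP, so the hub must be a responder")
    if branch["local_id"] != hub["initiator_id"]:
        problems.append("branch Local ID content differs from hub Initiator ID")
    if branch["psk"] != hub["psk"]:
        problems.append("pre-shared keys differ")  # never print the key itself
    try:
        b_local, b_remote = to_network(branch["local_net"]), to_network(branch["remote_net"])
        h_local, h_remote = to_network(hub["local_net"]), to_network(hub["remote_net"])
    except ValueError as exc:
        return problems + [f"invalid network definition: {exc}"]
    if b_local != h_remote:
        problems.append(f"branch local {b_local} != hub remote {h_remote}")
    if b_remote != h_local:
        problems.append(f"branch remote {b_remote} != hub local {h_local}")
    if b_local.overlaps(b_remote):
        problems.append("local and remote networks overlap")
    return problems

if __name__ == "__main__":
    for line in check_tunnel(BRANCH_221, HUB_1010) or ["both ends are consistent"]:
        print(line)
```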
 
Hi gentech,

Can I know how to specify the hostname in the Contivity 1010 that you mentioned? Thanks in advance.
 
Hello,

Not sure what you mean. Can you clarify your question a little?

Thanks
 
Hi gentech,

I actually have a branch office between Contivity 110 and 251. The 251 has a dynamic public IP address. I created a DDNS account at dynamicdns.org, which you mentioned previously in this thread.

I managed to bring up the branch office successfully, but due to the dynamic public IP address, the link will be down after a day and I need to re-input the new IP address, although the DDNS at dynamicdns.org does update to the latest IP address.

I noticed that you mentioned that you need to configure the DDNS information in the Contivity 1100 in order for the DDNS to work. Can I know where I need to configure it in the Contivity? Thanks in advance.
 
Hello,

In the Contivity 1010/1100, set Connection type to responder. Once you have done this you will not need to input an IP address on the 221/251, thus solving your dynamic IP problem. The 221/251 will be the only device capable of building the tunnel, however, as the 1010/1100 is in responder mode.
 