Contivity 600 End Users to Contivity 100 Branch Office issues

Status
Not open for further replies.

rdparker

MIS
Aug 16, 2005
US
Hi all,

We have a remote site with a Contivity 100 tunneling back to a Contivity 600 that sits at the main office. The branch connection seems to be working fine, but the issue is that end users who VPN to the 600 cannot reach resources on the Contivity 100 branch site. I have already verified that the 600 is set to forward traffic from end users to branch offices on the System/Forwarding tab.

End users who are on the local network at the main office can reach the resources just fine, but anyone on the VPN user subnet cannot. If they do a tracert, it resolves to the Contivity 100 and stops there... like it doesn't know how to get back.

I have checked both the 600 and the 100 and the subnets are defined on both ends. Anyone seen any similar issues or have suggestions? I noticed the Nortel website no longer has configuration documents available.

 
Give us a little more information here. What are the actual subnets involved? For example, the clients tunneling in get an IP address in the 192.168.1.0 subnet with a 24-bit mask.

Also, what do the routing tables look like?

Finally, I checked the Nortel website, and I can find all their tech tips and configuration guides. Here's a link to the Technical Documentation for the Contivity 5000 - there are 10 pages. The Tech Tips and Configuration Guides that are listed are, for the most part, platform independent. So if you went to the page for the 4600 you'd find the same Tech Tips and Configuration Guides. I'm not talking about the platform-specific documents like "Installing the Contivity 5000".
 
Sure. Here's some more detail.

On the Instant Internet 100: (Branch Office)

ipsec vpn remote 10.0.0.0/8
ipsec vpn remote 172.29.0.0/16
ipsec vpn remote 192.100.1.0/24
ipsec vpn remote 192.100.2.0/24
ipsec vpn remote 192.7.1.0/24
ipsec vpn remote 192.168.0.0/16
ipsec vpn local 172.20.0.0/22
ipsec vpn local 172.21.0.0/16

On the Contivity 600: (Main Office)

Local Networks
IP Address     IP Mask          Cost   Enabled
10.0.0.0       255.0.0.0        10     TRUE
172.19.0.0     255.255.0.0      10     TRUE
172.20.0.0     255.255.0.0      10     TRUE
172.21.0.0     255.255.0.0      10     TRUE
172.23.0.0     255.255.0.0      10     TRUE
172.29.0.0     255.255.0.0      10     TRUE
192.100.1.0    255.255.255.0    10     TRUE
192.100.2.0    255.255.255.0    10     TRUE
192.168.0.0    255.255.0.0      10     TRUE
192.7.1.0      255.255.255.0    10     TRUE

Remote Networks
IP Address     IP Mask          Cost   Enabled
172.20.0.0     255.255.252.0
172.21.0.0     255.255.0.0

The user IP address pool for remote users is 172.29.14.0/24.

Like I said before, clients on the 10.0.0.0 network can reach the IP address of 172.20.1.12 at the branch site, but someone who is VPN'd in (so they have a 172.29.14.x address) cannot reach 172.20.1.12.

Thanks for the additional set of eyes!
 
I think I see your problem. Take a look at your local and remote networks on the 600. You've got the network 172.20.0.0/16 defined as local, and 172.20.0.0/22 defined as remote. It's defined as 172.20.0.0/22 (local) on the 100.

Get rid of the 172.20.0.0/16 defined as local on the 600.
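
The overlap pointed out above can be checked mechanically. The following Python is an added example, not part of the original thread and not Nortel tooling: it compares the local and remote network lists posted in the thread. It assumes, as is usual for IPsec branch tunnels but not confirmed here for the Contivity, that each side's local prefixes should match the peer's remote prefixes; the function names and the client address 172.29.14.5 are constructed for illustration.

```python
import ipaddress as ip

# Network lists copied from the configuration posted in the thread.
BRANCH_100 = {
    "local": ["172.20.0.0/22", "172.21.0.0/16"],
    "remote": ["10.0.0.0/8", "172.29.0.0/16", "192.100.1.0/24",
               "192.100.2.0/24", "192.7.1.0/24", "192.168.0.0/16"],
}
MAIN_600 = {
    "local": ["10.0.0.0/8", "172.19.0.0/16", "172.20.0.0/16", "172.21.0.0/16",
              "172.23.0.0/16", "172.29.0.0/16", "192.100.1.0/24",
              "192.100.2.0/24", "192.168.0.0/16", "192.7.1.0/24"],
    "remote": ["172.20.0.0/22", "172.21.0.0/16"],
}

def nets(cidrs):
    return [ip.ip_network(c) for c in cidrs]

def self_overlaps(box):
    """Prefix pairs that one box lists as both local and remote."""
    return [(str(l), str(r)) for l in nets(box["local"])
            for r in nets(box["remote"]) if l.overlaps(r)]

def peer_mismatches(a, b):
    """Prefixes box a calls local that box b does not list as remote."""
    return sorted(set(a["local"]) - set(b["remote"]))

def covered(addr, cidrs):
    return any(ip.ip_address(addr) in n for n in nets(cidrs))

def flow_defined(src, dst, src_box, dst_box):
    """Assumption: a flow needs src in src_box local and dst_box remote,
    and dst in dst_box local and src_box remote."""
    return (covered(src, src_box["local"]) and covered(src, dst_box["remote"])
            and covered(dst, dst_box["local"]) and covered(dst, src_box["remote"]))

if __name__ == "__main__":
    print("600 local/remote overlaps:", self_overlaps(MAIN_600))
    print("600 local, not remote on 100:", peer_mismatches(MAIN_600, BRANCH_100))
    # 172.29.14.5 is a constructed address from the VPN user pool.
    print("pool -> 172.20.1.12 defined:",
          flow_defined("172.29.14.5", "172.20.1.12", MAIN_600, BRANCH_100))
```

Run against the posted lists, it reports 172.21.0.0/16 as well as 172.20.0.0/16 on both the local and remote side of the 600, and four 600-local prefixes with no identical remote entry on the 100.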
 
Thanks VPNSteve, but that didn't work either. Whether or not that 172.20.0.0/16 subnet is configured on the 600, it does not affect either the 10.0.0.0 or the 172.29.14.0 subnet. They still act the same. 10.x users can reach 172.20.1.12, but 172.29.14.x users cannot.

I took the subnet out of the local networks list on the 600 and restarted the tunnel just to make sure, but to no avail.

Any other suggestions?
 
If you'd like I can set this up and test it, but you'd need to send me the LDAPs (I don't need the configs) from both boxes and a detailed network topology.
 