contivity behind router

[eksantrik]

Hi all!

does anyone know how to configure a branch to branch VPN between two nortel contivity boxes, when those contivity boxes are actually connected to the internet over a router.
(and you have NAT on those routers)
What is the difference between a normal branch to branch contivity VPN connection configuration and the branch-to-branch VPN config. with routers (with NAT) connected to the contivity boxes?

thanks in advance

 

[neilchapman]

Is this a good picture of the first question?

Private Net 1 -- Contivity -- R1/NAT --- INTERNET -- R2/Nat --Contivity -- Private Net 2

Q2. Whose routers and w/what code?

 

[eksantrik]

yes thats right..
We have that issue with one side of the network; the other side has a public IP for its public interface...
unfortunately we dont have the same thing on the other side.
They have a temporary ADSL connection and then a router and then the contivity box... (a linksys router)
so that diagram that you have drawn is right...
What can I do to set up a tunnel those 2 contivities on different sites...
thanks for the help

 

[neilchapman]

Let me update the picture...

Private Net1--Contivity--R1/NAT---Internet--ADSL Modem--Lynksys router --Contivity --Private Net 2

Q1. What brand and model is R1?
Q2. Does R1 use a static IP address?
Q3. I'm assuming R2 is the Linksys (remote site). Does IP terminate on the ADSL modem or does it terminate on the Lynksys?
Q4. Does the remote site use a static IP address?

-nc

 

[eksantrik]

Q1) Cisco
Q2) Yes, they have a static IP address here
Q3) R2 is the linksys 9remote site) the connection goes to an adsl modem then the linksys router..they told us that this is a temporary solution fro internet access but we still need to figure out how we can build a tunnel.
Q4)i think they have a static ip address..We have been having a hard time to talk to someone in charge of the contivity box and the router. They dont want to give any access to those things for security reasons; actually the situation is kinda weird,
However, if you have an idea how to make it work with the dynamic address (on the remote site router), it would be better to know to learn how to do that one.

thanks in advance

 

[neilchapman]

It's pretty easy.

R1 (Cisco) site is the "responder". R2 (Linksys)site is "initiater".

Since the R2 site doesn't use static IP address you'll be setting up a asyncronous branch office tunnel. The "initiater" will bring up the tunnel since the "responder" doesn't know what IP address to use.

R2 Site
In the Manager
Profiles>Branch Office
In the Connections area click Add
Enter a Connection Name
Leave Control Tunnel Disabled
Leave the Tunnel Type at IPSEC
Change the Connection Type to Initiater
Click OK

In the Connection Configuration
Since this is an ABOT you don't need to define the local endpoint.
Add the IP address of the public interface of contivity at R1 site as the Remote Endpoint.
Enter an Initiater ID (you'll use this on the responder side as well)
Enter your Pre-Shared Key (you'll use this on the responder side as well)
Under IP Configuration select Static - Add the local and remote network traffic that can traverse the tunnel.
Back up at the top - Enable the connection.

R1 Site
Do the same thing except
1. this site is the "responder"
2. you have to identify the local endpoint
3. make sure you get the Initiator ID and the Key correct

Look at the logs to troubleshoot or send a note

If I missed something - Oops - you get what you pay for ;-)

Hope this helps!

 

[eksantrik]

I ahvent tried it yet but thanks anyway..I am going to let you know as soon as I try it..By the way, i have another question
i have a contivity 1100 here and I am trying to figure out how i can use all interfaces on that box..i have a port for public and 4 ports for the private side...
I only need 1 private interface but I am curious how i can use the rest..

thanks again...

 

[neilchapman]

Tell me a little about the organization you are working with and I'll give you some pertinent examples.