
Help with BCM 400, Contivity 1010, and I2004 2

Status
Not open for further replies.

chrisrudeau

Technical User
Mar 17, 2006
21
US
hello all,
First off, what a nightmare we are having with this setup. We had first issued a Netopia to everyone with an IPsec VPN setup, and it seemed to function, but it was based on static IPs. Since most of our remote sales people have Comcast cable at their houses with DHCP, this didn't work so well.

Here's what I'm looking to set up, and I seem to be having some trouble setting it up.

On the BCM we want to only use LAN 1 with a private IP address. I have a Contivity 1010 set up already on the network that has a public IP and a private IP.

The IP phones in house are working fine; they are all on the private network. What I need to do is figure out how to set up the Contivity 1010 to forward all the ports from its public IP to the BCM's IP. This way the I2004s at the sales people's homes can connect without the need for VPNs.

The problem I'm having is how to set up the port forwarding on the 1010. I can't seem to figure it out, and also what all the ports I need to forward are.

Once this is working I am then going to start to set up a VPN tunnel for a remote office. There will be a Contivity 1010 out there that will tunnel to our main 1010.
 
Actually, I was just informed that we are also getting a whole bunch of Nortel 1050s.

So we are going to implement the 1050s at all the remote sales homes.

But I'm still unsure of how to set up the VPNs, and what the best option to use is with most people having Comcast service. It seems that their IPs change about every 5-7 days.

Anyone have an idea of what type of VPN we should use, and where I can get a good write-up on how to set it up?
 
Port forwarding VoIP traffic on the BCM never seems to work properly; the best solution is to connect to the LAN side via VPN. Probably not what you wanted to hear, but it's what you'll most likely need to end up doing.
 
I don't mind doing that. But I need to find some sort of how-to write-up or something.

I have about 8 Nortel Contivity 1050s and 3 Contivity 1010s. The 1010s have 30-user licenses on them.

We have our headquarters (with the BCM400), a remote sales office, and then 6 remote sales people that work from home.

I need help setting up a 1010 here at the office as the main VPN router. From there I can figure out how to implement all the 1050s at the users' houses, and do the same for the remote office.

I guess the first plan of configuration is: what type of VPN do I want, PPTP or IPsec? Quality is more important than security, with some security in mind though.

Once I have the type, then I just need to find someone who can help me set up the 1010 configuration.
 
If you have a static IP address at the main site, you'll just need to build branch office tunnels between the sites. Use initiator-responder instead of peer-to-peer if you have dynamic IPs at the home office sites. Make sure you enable branch-to-branch forwarding on the main site unit.

Here's a quick and dirty mile-high overview:

Main site - 192.168.1.0/255.255.255.0

Remote Site 1 - 192.168.2.0/255.255.255.0
Remote Site 2 - 192.168.3.0/255.255.255.0
Remote Site 3 - 192.168.4.0/255.255.255.0

On the main site, you'll define this as the responder end. The local network will be 192.168.1.0. The remote networks for branch 1 will be 192.168.2.0, 192.168.3.0, and 192.168.4.0. This will allow phones at the home offices to call other home office phones.

At the remote sites, their LAN subnet will be the local network. Remote networks will be any subnets they need to communicate with that aren't at their site. For example, remote site 1 would have a local network of 192.168.2.0, and remote networks of 192.168.1.0, 192.168.3.0, and 192.168.4.0. Build the home office sites as initiators. Pay attention to preshared keys and initiator IDs. The initiator ID needs to be defined on the responder end.

Also, don't forget to turn on initial contact payload on the main site.

That should get you off and running. The branch office config docs that come with the Contivity units are pretty good in terms of getting you up and running.
 
Is your BCM400 working behind the Contivity? I think you will need to do something like this:

1.- Set up a VPN between your Contivitys. This can be made using IPsec tunnels. Go to PROFILES > Branch Office and there you will do this. Take a look at the BCM 3.7 Programming Guide, in the section "Creating a VPN between a BCM and a Contivity", page 778 (more or less). This will be helpful.

2.- Your IP phones at home will need to have an IP address from your private LAN (the private side of the Contivitys), and their gateway will be the private IP address of that Contivity, but their S1 will be the private LAN address of your BCM 400 at headquarters. That private LAN of your BCM has to be connected to the same network as the Contivity (at your headquarters), and it will act as the default gateway for your BCM. So what you will be using are the private IP addresses, not the public ones, and forwarding ports won't be needed.

If you have the IP addresses designed for your project, or a diagram, maybe you can send me a copy and I will give you back some tips.
 
How do I send you a copy? I don't see how to get your email address.


The basic scheme is this.

Sprint ADSL modem; we have 4 static IPs. The ADSL modem is plugged into a 5-port 10/100 switch. Off this switch we have a Netopia R9100 which supplies our HQ Internet and forwards over to our Exchange server and Terminal Server.

Right now, the Contivity is plugged into this switch, and LAN1 is assigned a public address and LAN0 has a private IP address.

Our IP addresses in house are as follows:
192.168.2.3-10 are our servers
192.168.2.20-75 are DHCP addresses for in-house client PCs
192.168.2.135-253 are manually set IPs for in-house I2004 phones
192.168.2.254 is LAN0 of the BCM400

LAN1 of the BCM400 is hooked right to the switch on the DSL modem. The remote phones come up, but there are some sound issues. We want to do away with this connection anyway, so ignore this LAN1 connection.

So basically we have 2 free public IPs and a couple of Contivity 1010s and 1050s. What setup do you think?
 
Hope I understood you well.

What you need to do is this:

1.- Create a VPN from your Contivity (@ HQ) to your Contivitys at the branch offices.

2.- Use the menus Profile > Networks and Profile > Branch Office to do this. When you configure the Group to which your VPN belongs, disable Compression and the Vendor ID in the IPsec parameters.

3.- These VPNs will use one of your static IP addresses as the local endpoint, and the other endpoint will be the public address of your remote Contivity.

Example:

@ HeadQuarters

Public IP: 201.123.123.1 (this one is attached to the Contivity's LAN1), and LAN0 has IP address 192.168.2.3. This is in the same network as your BCM's LAN, 192.168.2.254 (this LAN interface is the IP telephony published address, right?).

@ The branch office

Public IP: 201.124.123.1 (this one is attached to your Contivity's LAN1), and LAN0 has address 192.168.4.1.
So your IP phones at that remote office are going to use IP addresses from this network, and their default gateway has to be the Contivity's LAN0, but their server will be the private IP address (published) of your BCM at headquarters.

In that BCM, you will need to have a static route like this one:
Destination IP address: 192.168.4.0
Destination mask: 255.255.255.0
Next Hop Router: 192.168.2.3 (HQ Contivity)

Your Contivitys will share the routes to their respective IP addresses once you program the Branch Office tunnels.

If you want to send me a diagram of your conections, you can do it to el_manalishi@hotmail.com and I will try to help you as much as I can.

Regards!
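An added example, not from the thread and not Nortel's code: a small Python consistency check over a hub-and-spoke branch-office plan of the kind the two replies above describe. It checks that the responder at HQ lists every spoke LAN as a remote network, that each initiator lists the hub LAN (and any other spoke LAN it should reach, which also needs branch-to-branch forwarding on the hub), that initiator IDs and preshared keys agree on both ends, that no two LANs overlap, that initial contact is on at the hub, and it derives the static routes the BCM at HQ needs (each spoke LAN via the HQ Contivity's LAN0, as in the route above). The site names, initiator IDs and keys are invented; the subnets and the 192.168.2.3 next hop follow the example above.

```python
"""Consistency check for a Contivity-style hub-and-spoke branch-office plan.

Added example, not from the thread or from Nortel. Site names, initiator IDs
and preshared keys are invented; the addressing follows the thread's example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Hub:
    """Responder end at HQ (the 1010 with the static public IP)."""
    local: IPv4Network
    lan0: IPv4Address                      # private side; next hop for the BCM
    remotes: list[IPv4Network]             # every spoke LAN, one per branch tunnel
    peers: dict[str, str] = field(default_factory=dict)  # initiator ID -> PSK
    initial_contact: bool = False
    branch_to_branch: bool = False


@dataclass
class Spoke:
    """Initiator end (a 1050 at a home office); its public IP may change."""
    name: str
    local: IPv4Network
    remotes: list[IPv4Network]
    initiator_id: str
    psk: str


def check_plan(hub: Hub, spokes: list[Spoke]) -> list[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: list[str] = []
    spoke_nets = {s.name: s.local for s in spokes}

    # LANs must not overlap, or the tunnels cannot route between them.
    nets = [hub.local] + list(spoke_nets.values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlapping subnets {a} and {b}")

    if not hub.initial_contact:
        problems.append("hub: initial contact payload is off")

    for s in spokes:
        # The responder must know the initiator ID and hold the same PSK.
        if s.initiator_id not in hub.peers:
            problems.append(f"{s.name}: initiator ID {s.initiator_id!r} not defined on hub")
        elif hub.peers[s.initiator_id] != s.psk:
            problems.append(f"{s.name}: preshared key differs from hub")
        # Without the spoke LAN in the hub's remote networks, traffic is never
        # selected into the tunnel even though the tunnel itself comes up.
        if s.local not in hub.remotes:
            problems.append(f"{s.name}: {s.local} missing from hub remote networks")
        if hub.local not in s.remotes:
            problems.append(f"{s.name}: hub LAN {hub.local} missing from remote networks")
        # Spoke-to-spoke traffic transits the hub and needs branch-to-branch there.
        for other, net in spoke_nets.items():
            if other != s.name and net in s.remotes and not hub.branch_to_branch:
                problems.append(f"{s.name}: {net} needs branch-to-branch forwarding on hub")
    return problems


def bcm_static_routes(hub: Hub, spokes: list[Spoke]) -> list[tuple[str, str, str]]:
    """(destination, mask, next hop) the BCM at HQ needs: each spoke LAN via hub LAN0."""
    return [(str(s.local.network_address), str(s.local.netmask), str(hub.lan0))
            for s in spokes]


def build_plan(bad: bool = False) -> tuple[Hub, list[Spoke]]:
    """Constructed sample plan; bad=True injects a missing remote and a wrong PSK."""
    hq = IPv4Network("192.168.2.0/24")
    s1 = IPv4Network("192.168.3.0/24")
    s2 = IPv4Network("192.168.4.0/24")
    hub = Hub(local=hq, lan0=IPv4Address("192.168.2.3"),
              remotes=[s1] if bad else [s1, s2],
              peers={"sales1": "k1", "sales2": "k2"},
              initial_contact=True, branch_to_branch=True)
    spokes = [
        Spoke("sales1", s1, [hq, s2], "sales1", "k1"),
        Spoke("sales2", s2, [hq, s1], "sales2", "wrong" if bad else "k2"),
    ]
    return hub, spokes


if __name__ == "__main__":
    for bad in (False, True):
        hub, spokes = build_plan(bad)
        print("problems:", check_plan(hub, spokes) or "none")
    print("BCM routes:", bcm_static_routes(*build_plan()))
```

The check models only the plan, not the devices; the point is that every "tunnel is up but nothing passes" symptom in a design like this traces back to one of the list entries it tests, so it is worth writing the plan down once before touching the boxes.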
 
So far, with BlackCuervo's help, I have the Contivity 1010 at HQ all configured, and the IPsec VPN appears to be ready.

Now the problem I have is that all the home users are using either DSL or cable. Attached to their modems are wireless routers, pretty much all dishing out 192.168.1.X addresses. I am thinking that I would take the Contivity 1050s and assign the WAN port a 192.168.1.X address, and the private side would get the network that I set the 1010 (at HQ) to use, i.e. 192.168.4.X.

Then place the Contivity's WAN address into the DMZ of the Linksys. However, when I do this at my house it doesn't connect. I can pop a laptop on the Contivity and it is in fact on the Internet, just no VPN. What am I doing wrong?

 
Why not connect the Contivity to the DSL/cable modem, let the Contivity do NAT for you, then use the Linksys behind the Contivity as a wireless access point? Your life will be easier.
 
And then set up split tunneling and all that crap? That doesn't sound like it makes a lot of sense on the configuration side.

All the Contivity 1050s are doing is creating a VPN tunnel for the I2004 phones. Why pass everything else through it?

My life is already not easy, so if you think that is an easier route I will try it, but I think it would be easier to just dump the 1050 into the DMZ of the Linksys.
 
I'm just giving my opinion. Do it however you wish.
 
Not putting down your opinion.

Just curious which way really is easier.

I've got some things to try with the Linksys in front of the Contivity. If they don't work, the next step is to put the Contivity in front. So we'll see.


 
While it might work out OK, in my opinion it adds one more level of complexity if something breaks. If using a cable modem, I'd plug the cable modem directly into LAN 1 on the Contivity, let it get a DHCP address, then build your initiator tunnel on the 1050 and your corresponding responder tunnel at HQ. If you have a DSL site, have the Contivity do PPPoE to the DSL provider. Any connectivity issues to the outside world are then isolated to the Contivity or the provider, not the Contivity, or the Linksys, or the provider.

Since you have 10XX boxes all around, you could do dynamic routing on your tunnels instead of static routing. That would make your life easier yet and cut down your config time. It's all a matter of preference.
 
What's the difference in setup?

Is there a simple PDF out there that tells me exactly what to do?

 
The docs should be on the CD that came with your Contivity units. The PDF file called cfg_basic describes basic branch config, cfg_tunnel goes into more detail on the branch office group requirements, and cfg_routing explains dynamic routing for branch office tunnels.

Once you do one of them, it makes a lot more sense. Since you have 10XX boxes everywhere, the setup is a lot easier than if you were trying to talk to a non Contivity box (or a Contivity 221, for example).
 
If you have a Linksys, why not just buy yourself a router with the VPN function built in, like the BEFVP41, and a wireless access point? That way you have one box doing the routing and the VPN tunnels, and put the BCM in the network.

Marshall

 
Because there are 7 homes all together and all of them already have Linksys routers. I already have a pile of 1050s sitting next to me. Why spend more money?

Can anyone tell from this event log what is going on? I seem to be able to get a tunnel to connect and stay connected. It even passes the test, but I am not getting anything through the tunnel: Internet, I2004, or Exchange emails.

1 04/04/2006 23:54:43 (tIsakmp ) ERR SECURITY ISAKMP Code 102
Delete message for IPsec SA received from chrisvpn (65.40.192.138)

2 04/04/2006 23:54:43 (Security ) NOTICE SECURITY SESSIONCLS Code 9
Session 6c79f10: IPSEC[-]:98 logged out

3 04/04/2006 23:54:43 (tIsakmp ) NOTICE SECURITY ISAKMP Code 174
Delete message for ISAKMP SA received from chrisvpn (65.40.192.138)

4 04/04/2006 23:54:43 (Branch Off) INFO TUNNEL BRANCHOFFICE Code 62
RemoveBOSession: Branch Office logging off due to ABOT logoff. IPSEC[65.40.192.138]

5 04/04/2006 23:54:43 (Security ) NOTICE SECURITY SESSIONCLS Code 9
Session 6c7bdb8: IPSEC[chrisvpn]:95 logged out

6 04/04/2006 23:54:43 (tIsakmp ) NOTICE SECURITY ISAKMP Code 175
Deleting ISAKMP SA with chrisvpn (65.40.192.138)

7 04/04/2006 23:54:43 (Rip ) NOTICE ROUTING RIP Code 12
Circuit[68] marked for delete

8 04/04/2006 23:54:44 (Security ) INFO SECURITY SESSIONCLS Code 40
Session: IPSEC[chrisvpn] attempting login

9 04/04/2006 23:54:44 (Security ) INFO SECURITY SESSIONCLS Code 49
Session: IPSEC[chrisvpn] has no active sessions

10 04/04/2006 23:54:44 (Security ) INFO SECURITY SESSIONCLS Code 157
Session: IPSEC[chrisvpn] chrisvpn has no active accounts

11 04/04/2006 23:54:45 (tIsakmp ) NOTICE SECURITY ISAKMP Code 189
Oakley Aggressive Mode proposal accepted from chrisvpn (65.40.192.138)

12 04/04/2006 23:54:45 (Security ) INFO SECURITY SESSIONCLS Code 80
Session: IPSEC[chrisvpn]:100 SHARED-SECRET authenticate attempt...

13 04/04/2006 23:54:45 (Security ) INFO SECURITY SESSIONCLS Code 83
Session: IPSEC[chrisvpn]:100 attempting authentication using LOCAL

14 04/04/2006 23:54:45 (Security ) INFO SECURITY SESSIONCLS Code 84
Session: IPSEC[chrisvpn]:100 authenticated using LOCAL

15 04/04/2006 23:54:45 (Security ) INFO SECURITY SESSIONCLS Code 73
Session: IPSEC[chrisvpn]:100 bound to group /Base/BASE/chrisvpn

16 04/04/2006 23:54:45 (Security ) INFO SECURITY SESSIONCLS Code 133
Session: IPSEC[chrisvpn]:100 Building group filter permit all

17 04/04/2006 23:54:45 (Security ) INFO SECURITY SESSIONCLS Code 139
Session: IPSEC[chrisvpn]:100 Applying group filter permit all

18 04/04/2006 23:54:45 (Security ) INFO SECURITY SESSIONCLS Code 94
Session: IPSEC[chrisvpn]:100 authorized

19 04/04/2006 23:54:45 (Branch Off) INFO TUNNEL BRANCHOFFICE Code 56
Setting up branch office gateway [65.40.192.138] uid:[chrisvpn]

20 04/04/2006 23:54:45 (Branch Off) INFO TUNNEL BRANCHOFFICE Code 58
InstallBOSession: IPSEC[65.40.192.138] routing [DYNAMIC]

21 04/04/2006 23:54:45 (tIsakmp ) NOTICE SECURITY ISAKMP Code 185
ISAKMP SA established with chrisvpn (65.40.192.138)

22 04/04/2006 23:54:45 (Rip ) NOTICE ROUTING RIP Code 12
Circuit[67] created.

23 04/04/2006 23:54:45 (Rip ) NOTICE ROUTING RIP Code 12
Rcv UP event from cid[67], ip:[0x8bc02841], mask:[0xffffffff. rip enabled 1, c 7471128, trust 1

24 04/04/2006 23:54:46 (Security ) INFO SECURITY SESSIONCLS Code 29
Session: network IPSEC[0.0.0.0-0.0.0.0] attempting login

25 04/04/2006 23:54:46 (Security ) NOTICE SECURITY SESSIONCLS Code 116
Session: IPSEC[chrisvpn]:100 physical addresses: remote 65.40.192.138 local 65.40.192.139

26 04/04/2006 23:54:46 (Security ) NOTICE SECURITY SESSIONCLS Code 116
Session: IPSEC[-]:103 physical addresses: remote 65.40.192.138 local 65.40.192.139

27 04/04/2006 23:54:46 (tIpsecDeca) INFO TUNNEL IPSEC Code 20
ESP encap session SPI 0xfd760e00 bound to s/w on cpu 0

28 04/04/2006 23:54:46 (tIpsecDeca) INFO TUNNEL IPSEC Code 26
ESP decap session SPI 0x92df5e3a bound to s/w on cpu 0

29 04/04/2006 23:54:46 (tIsakmp ) ERR SECURITY ISAKMP Code 102
Delete message for IPsec SA received from chrisvpn (65.40.192.138)

30 04/04/2006 23:54:46 (Security ) NOTICE SECURITY SESSIONCLS Code 9
Session 6c78e08: IPSEC[-]:103 logged out

31 04/04/2006 23:54:46 (tIsakmp ) NOTICE SECURITY ISAKMP Code 174
Delete message for ISAKMP SA received from chrisvpn (65.40.192.138)

32 04/04/2006 23:54:46 (Branch Off) INFO TUNNEL BRANCHOFFICE Code 62
RemoveBOSession: Branch Office logging off due to ABOT logoff. IPSEC[65.40.192.138]

33 04/04/2006 23:54:46 (Security ) NOTICE SECURITY SESSIONCLS Code 9
Session 6c7bdb8: IPSEC[chrisvpn]:100 logged out

34 04/04/2006 23:54:46 (tIsakmp ) NOTICE SECURITY ISAKMP Code 175
Deleting ISAKMP SA with chrisvpn (65.40.192.138)

35 04/04/2006 23:54:46 (Rip ) NOTICE ROUTING RIP Code 12
Circuit[67] marked for delete
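A worked example, added here and not part of the thread: a Python parser for the two-line Contivity event-log records posted above, plus a check that pairs each "ISAKMP SA established" with the next "Delete message for ISAKMP SA received" for the same peer address and reports how long the tunnel lived and whether ESP SAs had been bound in between. The record layout it assumes (sequence number, date, time, task in parentheses, severity, category, subsystem, "Code N", then the message on the following line) is inferred from that excerpt; the embedded sample is a trimmed copy of the records above.

```python
"""Parse Contivity event-log records and flag tunnels torn down right after setup.

Added example, not from the thread or from Nortel. The record format is inferred
from the log posted above; SAMPLE_LOG is a trimmed copy of those records.
"""
import re
from dataclasses import dataclass
from datetime import datetime

HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\((?P<task>[^)]*)\)\s+(?P<sev>\w+)\s+(?P<cat>\w+)\s+(?P<sub>\w+)\s+Code\s+(?P<code>\d+)$"
)
PEER = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")  # peer address in ISAKMP messages

SAMPLE_LOG = """
11 04/04/2006 23:54:45 (tIsakmp ) NOTICE SECURITY ISAKMP Code 189
Oakley Aggressive Mode proposal accepted from chrisvpn (65.40.192.138)

21 04/04/2006 23:54:45 (tIsakmp ) NOTICE SECURITY ISAKMP Code 185
ISAKMP SA established with chrisvpn (65.40.192.138)

27 04/04/2006 23:54:46 (tIpsecDeca) INFO TUNNEL IPSEC Code 20
ESP encap session SPI 0xfd760e00 bound to s/w on cpu 0

28 04/04/2006 23:54:46 (tIpsecDeca) INFO TUNNEL IPSEC Code 26
ESP decap session SPI 0x92df5e3a bound to s/w on cpu 0

29 04/04/2006 23:54:46 (tIsakmp ) ERR SECURITY ISAKMP Code 102
Delete message for IPsec SA received from chrisvpn (65.40.192.138)

31 04/04/2006 23:54:46 (tIsakmp ) NOTICE SECURITY ISAKMP Code 174
Delete message for ISAKMP SA received from chrisvpn (65.40.192.138)

34 04/04/2006 23:54:46 (tIsakmp ) NOTICE SECURITY ISAKMP Code 175
Deleting ISAKMP SA with chrisvpn (65.40.192.138)
"""


@dataclass
class Event:
    seq: int
    when: datetime
    task: str
    severity: str
    subsystem: str
    code: int
    message: str


def parse_log(text: str) -> list[Event]:
    """Each record is a header line followed by its message line; blank lines are skipped."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    events, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        msg = lines[i + 1] if i + 1 < len(lines) else ""
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        events.append(Event(int(m["seq"]), when, m["task"].strip(), m["sev"],
                            m["sub"], int(m["code"]), msg))
        i += 2
    return events


def find_flaps(events: list[Event], max_lifetime: float = 10.0) -> list[dict]:
    """Pair 'ISAKMP SA established' with the next peer-sent ISAKMP delete for that address.

    'received from' in the delete message means the other end sent it, so a short
    lifetime here points at the remote unit, not at the local one. esp_sas counts
    the ESP encap/decap sessions bound in between, i.e. whether phase 2 completed.
    """
    flaps, up = [], {}
    for e in events:
        if e.subsystem != "ISAKMP" or not (m := PEER.search(e.message)):
            continue
        peer = m.group(1)
        if e.message.startswith("ISAKMP SA established"):
            up[peer] = e
        elif e.message.startswith("Delete message for ISAKMP SA received") and peer in up:
            start = up.pop(peer)
            life = (e.when - start.when).total_seconds()
            esp = sum(1 for x in events
                      if x.subsystem == "IPSEC" and "ESP" in x.message
                      and start.seq < x.seq < e.seq)
            if life <= max_lifetime:
                flaps.append({"peer": peer, "up_seq": start.seq, "down_seq": e.seq,
                              "lifetime_s": life, "esp_sas": esp, "torn_down_by": "peer"})
    return flaps


if __name__ == "__main__":
    for f in find_flaps(parse_log(SAMPLE_LOG)):
        print(f)
```

Run against the full log above it reports one pairing per cycle: the SA comes up, both ESP sessions get bound, and within a second the remote end sends the delete. That narrows the question from "why does nothing pass" to "why does the initiator drop the tunnel right after phase 2", which is where the next look belongs.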
 
I just noticed that on the one Contivity box I can only ping in-house machines and the machines that are connecting through the tunnel. However, I can't ping anything out on the net. It does, however, translate to the IP address:

PING (64.233.179.104): 36 data bytes
no answer from

So I'm assuming my issue may just be a DNS error? I'm looking through the GUI and I can't for the life of me find where to put in the DNS settings. I can see it only for the DHCP setup. But this box is not using DHCP.
 
DNS settings go under System, Identity (if memory serves me correctly).

If you're resolving names, then DNS is making it out. The question is which IP you are using for a default gateway on the PC. Make sure you use the interface IP and not the management IP. Also, check your NAT rules (under Services/Firewall and NAT) and make sure you've got the proper rule in place.

If you can ping external addresses from the Contivity (Admin, Tools), but not from the PC, it might just be the gateway setting.
 