Linking two Contivity 221

[lexer]

Hello,

I have 3 remote sites, each running a Contivity 221 router. These remotes sites have IPSEC tunnel with the main in site (Main site is running a Contivity 1010, Remotes sites access the main site network without problem. I'm trying to interconnect brach offices, Is It possible that any brach office can access another brach office (Network), I've tried to create statics routes in contivity's 221 But It doesn't work, Is there another way to do that?

 

[DaddyOfThree]

In the Nortel VPN Router 1010 (formerly Contivity) you need to allow branch to branch access. You'll find it in the web GUI under System -> Forwarding -> Tunnel to Tunnel Traffic.

Cheers!

 

[lexer]

Thanks for your answer DaddyOfThree, I've had already allowed branch to branch access in Router 1010, But It didn't wotk

 

[DaddyOfThree]

Hmmm... perhaps you could provide some additional information. What IP networks are at your remote sites, what does your routing table look like on the C1010. Are you tunneling everything (0.0.0.0/0.0.0.0) from your branch offices back to the C1010 or do you have specific subnets/hosts setup and then allowing the remaining traffic to be NAT'd by the C221 direct to the Internet.

You should definitely be able to-do this.

Cheers!

 

[lexer]

In the brach offices I'm using subnets setup (each branch office has defined its Local IP network and the remote IP C1010 network)I'm not using static routes.

 

[DaddyOfThree]

Hmmm... I was hoping for some specifics. What are the specific IP networks in question?

You'll need to setup a tunnel that includes the IP network for your opposite branch office, or you could setup a tunnel (main mode) between the two C221s if you have static public IP addressing.

If I have a main office (10.1.0.0/16) and two branch offices (10.2.1.0/24 and 10.3.1.0/24) I'll need to setup two IP networks in the VPN configuration, one for each network - no need for the local network.

Office A will have the following VPN tunnels;
Local 10.2.1.0/24 Remote 10.1.0.0/16
Local 10.2.1.0/24 Remote 10.3.1.0/24

Office B will have the following VPN tunnels;
Local 10.3.1.0/24 Remote 10.1.0.0/16
Local 10.3.1.0/24 Remote 10.2.1.0/24

Without the proper IP networks, the C221 will NAT your traffic and route it direct to the Internet outside of the VPN tunnel.

Good Luck!

 

[lexer]

Daddy, I have the following configuration:


Office A (It has a C221, I setup a VPN tunnel that connect with the main office C1010) This is the Selected IP Policy:
Local IP Address: subnet address: 192.168.16.0
Remote IP Adress: subnet address: 192.168.1.0

Office B (It has a C221, I setup a VPN tunnel that connect with the main office C1010) This is the Selected IP Policy:
Local IP Address: subnet address: 192.168.36.0
Remote IP Adress: subnet address: 192.168.1.0

I change branches offices as follow:
Office A: I added branch office B, Now I hace two IP Policiy's:
First Policy :
Local IP Address: subnet address: 192.168.16.0
Remote IP Adress: subnet address: 192.168.1.0
Second Policy :
Local IP Address: subnet address: 192.168.16.0
Remote IP Adress: subnet address: 192.168.36.0

Office B: I added branch office A, Now I hace two IP Policy's:
First Policy :
Local IP Address: subnet address: 192.168.36.0
Remote IP Adress: subnet address: 192.168.1.0
Second Policy :
Local IP Address: subnet address: 192.168.36.0
Remote IP Adress: subnet address: 192.168.16.0

If I ping from office A or B to the main office everything Ok, But If I try to ping from office A to B or from B to A It doesn't work, I dont if I missing something.

Can I make a VPN tunnel from a C221 to another C221 (main mode), How can I do it?

 

[DaddyOfThree]

When you perform a traceroute how far does it get? Are the packets getting back to the C1100?