Nortel BSR222 to Nortel BSR222 VPN Issues

juxvp

Jan 26, 2011
Here is the setup:

Business with two locations, each with a DSL connection with Static IPs. Internet traffic works flawlessly at both locations.

Site1: 192.168.1.0/24
Site2: 192.168.2.0/24

I have set up a VPN between the two sites, and the tunnel comes up and connects between the two BSRs, at least according to the SA Monitor on both ends. Yet, I am unable to ping any device on the other side of the tunnel from either side. I have redone the IP policies on both sides several times from single address to address range to the complete subnets and still have no connectivity through the tunnel. I have been working on this for two days now and have yet to find a rhyme or reason to the issue.

I have set up several of these before, and have never had this much trouble.

Any assistance would be most appreciated.

Thanks!

Jux VP
 
Do you have the firewall turned on in the BSR222? If so, test it with it disabled and if it works you'll need to create some rules.
 
That has been tried. Same result, the tunnel comes up but I am unable to pass traffic across the VPN tunnel. A strange thing has shown itself, though, and I am working with AT&T to see what can be done about it. I noticed that I was unable to ping the WAN IP from the other side. Each side has a Netopia DSL Router/Modem set up in bridge mode so that I can have one of the statics on the external interfaces of the respective BSR222. I am able to ping from each Netopia to its directly attached BSR222, but no ping packets appear to be traversing the Netopia to the "internal" side of the bridge from the other location. I have the firewall on the Netopia turned down as far as it will go (there is no disable option) and NAT turned off, which is exactly what I have done in the past during these sorts of setup, so the only thing I can conclude is that the Netopia is somehow blocking one of the needed ports for the tunnel to actually be complete, even though both BSR222s say the tunnel is up and viable.

My next step (assuming AT&T tells me to pound sand because the DSL is up) is to try and re-setup the Netopias in router mode and port-forward the needed VPN ports to the BSR222, but it has been my experience that this doesn't work very well. Unless someone can give me a different viable suggestion.

Thanks for your input, oldestgeek, it is much appreciated.
 
For those interested, it ended up being a configuration issue with the Netopia modems. The way to set up and expose the IP addresses changed with the new firmware update. Instead of just placing the external IP on the internal interface (which puts the old modems into de-facto bridge mode), you have to burn one of the five IP addresses that AT&T assigns you to the internal interface and then go into Security -> Stateful Inspection and add the 5-IP range to the Exposed IP Addresses list. Then Save and Restart. This will expose any device with a public IP to the Internet-at-large.

Hope this helps someone in the future.
 