Nortel Contivity and Linksys BEFSR41/81 - Multiple VPN Tunnels

Status
Not open for further replies.

cmendez99

IS-IT--Management
Jan 21, 2003
US
Hello,

Here's the scenario that I'm trying to implement. I want to know if anyone out there has successfully implemented a similar setup.

Basically, I need for 6 Win2K Pro PCs in a remote office to simultaneously connect to our corporate network via the Nortel Contivity VPN Client Software.

I'm thinking of buying a Linksys BEFSR81 router (which is basically a BEFSR41 router with 8 ports) and use that to share their DSL connection.

My question is: Does anyone out there know how many Nortel Contivity VPN clients can connect to the corporate network using this setup? I downloaded the Linksys BEFSR81 manual from the Linksys website and the manual indicates that the router should support many connections, but it doesn't specify how many. I also contacted Linksys tech support, and their tech told me that according to their lab tests the BEFSR41/81 supports a maximum of 10 simultaneous Nortel Contivity VPN Sessions.

In theory it seems that the setup will work, but I want to know if anyone out there has had any luck implementing a similar setup to back up their claim.

I appreciate any comments you may have on this,

Thanks in advance
 
Hello markku,

I've thought about doing this, but going this route would expose the entire corporate network to security issues. I think that corporate would have a problem with implementing a local VPN gateway using the BEFVP41. Nortel sells a box called the Contivity that according to the manufacturers allows for 5 simultaneous VPN connections but sells for $1,000.00. That box could be upgraded for up to 30 simultaneous VPN connections for an additional $895.00. The Linksys BEFVP41 sells for about $100.00, so in theory the entire Linksys solution would be about $200.00 tops. I would go with the Linksys solution, but corporate would have issues with us implementing something like this.
I'm investigating the Linksys BEFSR41 solution, because our VPN admin at corporate said that he was able to connect three PCs using the Nortel Contivity VPN client with no problems from his home, but he was not able to tell me what the maximum number of simultaneous VPN connections was.

Sorry for the long response, but I wanted to include a bit more info. this time.

Thanks,
 
I recommend using a CES Contivity extranet switch for a small office solution. The current Nortel one is the 1100 CES, which allows 4 ports and 1 WAN port. You can purchase a Netgear switch to plug into one of the 4 ports for more users.
This is a DHCP/DNS device which allows for a max of 5 VPN tunnels. It also allows for extranet clients to access it.
Using the CES would remove the clients from having to use the extranet client while in the office.
The branch tunnel connection will be established between the 1100 and a CES at your corporate office.
All traffic would flow thru the IPsec tunnel thru the corporate CES and you could use the corporate FW for security.
The CES costs approx $1300
 
Hi cmendez99,

Total cost will be $100 for your remote node, since you are able to define a tunnel between Linky and existing Nortel.

Hard to beat.
 
Hello markku,

Sorry for my ignorance, but wouldn't we need two Linksys BEFVP41's? One for each end?

Thanks again...
 
Hi cmendez99,

Linksys BEFVP41 is compatible with your existing Nortel Contivity box. This is the beauty of the new inexpensive boxes. Like jim3725 said you have choices, $1300 or $100, worth trying, huh?
 
"$1000 versus $200" compares the hardware costs, but my experience with VPN has taught me that support costs overwhelm hardware costs. A $125/hr network engineer can easily spend half a day troubleshooting a $75 Linksys box. And the same engineer can spend a whole day troubleshooting IPsec configs on six different PCs.

My recommendation is buying two Linksys boxes. One for you and one at corporate for debugging purposes. After you get those talking to each other, then you reconfig your box to talk to their Nortel firewall.
 
OK,

I finally managed to round up four notebook PCs and tried a physical test. Here's what happened:
The four notebooks were a mix of Win98 and Win2K. All notebooks had the Nortel Contivity Client ver 4.15. All notebooks were connected to a Linksys BEFW11S4 Wireless Router. One of the Win98 notebooks was connected using a wireless connection via the Linksys WPC54G PCMCIA card. The other notebooks were using different brands/models of Ethernet PCMCIA cards. These last 3 were connected using the available wired Ethernet ports on the back of the Linksys Wireless router.

I was able to establish all 4 VPN sessions simultaneously to our corporate network. I was able to open all corporate applications as well as access corporate sites at the same time (I had some friends operate each of the notebooks in order to perform the actual simultaneous access test). Everything worked beautifully even when the DSL connection was being stressed by having all notebooks access the corporate resources. I was even allowed to use two VPN sessions with the same login name.

Taking this into consideration, I should be able to connect two more PCs with no problems. For the actual implementation I'm planning to use the more robust BEFSR81.

Nothing better than hands-on experimentation to prove a theory!!

I hope that this test may be useful to anyone out there.

Thanks all for your support and ideas!!!


 