
Nortel Contivity VPN problem over ICS


Stu247

Technical User
Mar 11, 2003
Hi,
I'm having problems using Nortel's Contivity VPN Client V04_15.06 on a laptop running W2K Pro connected via a wireless LAN (peer to peer) to a desktop on XP Pro running ICS (ADSL).
When I try to connect, I get the "Checking for Banner Text" message, then the connection fails.
The Client runs fine on the desktop, so obviously it's the ICS that's not passing the VPN.
Does anybody know of a way round this?
Thanks in advance.
Stu.
 
Stu247, this is a known issue with Nortel. If you are using a router, there is no need to use ICS; disable it and you will be able to connect. You also do not need to have ICS running with ADSL either.
As far as a workaround goes, this is done by design for security purposes.
 
Stu,

Nortel Networks has indicated that they are seeing this error on the 4.0 series of the Extranet Access Client connecting to a server running the 4.0 series of the Contivity Server software, when the end user is trying to connect from a machine with broadband access using a home router that is "IPSec aware". (The router opens inbound UDP 500, which IPSec uses; outbound is typically wide open.) One of the new features of the 4.0 code of the EAC and Contivity Server software is "IPSec NAT Traversal". You also need the 4.0 EAC, as earlier versions did not support it. The new 4.0 EAC wraps the outbound packets in a UDP header before they reach your home router, so it will connect to the Contivity even if your home router is not IPSec aware. The problem arises when your server tries to display back the "Banner Text", as this is the first ESP encapsulation packet which is sent back down the tunnel. It is timing out because, to put it bluntly, it's not able to negotiate back on the random port it was initiated on from your EAC. There are several workarounds which may help.
1. Disable NAT Traversal on the Contivity; you can do this by group.
2. Open the UDP port on your home router that you have configured on the Contivity under "Services>IPSec ...NAT Traversal".
3. Disable IPSec passthru on your home router.
4. Sometimes a firmware upgrade on your router may help. I use Linksys' BEFSR41 model with their latest firmware and have no problems.
5. Remove the home router from your setup.
6. Use the 3.7 code from Nortel (actually, any code before the 4.0 series, which did not have IPSec NAT traversal).

Thanks,

jincto@rcn.com
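As an added illustration (not code from Nortel or from anyone in this thread), a small Python model of a home NAT router's mapping table shows the three situations the post above describes: raw ESP carries no port numbers, so the router can only return it to the client if it has IPSec passthrough; the UDP wrapping of NAT Traversal gives the router an ordinary port mapping to forward the reply through; and the first inbound packet (the banner) is dropped when it arrives on a port the router never mapped. Addresses, ports and the NAT behaviour are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
ESP, UDP = 50, 17   # IP protocol numbers; raw ESP carries no port numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP
    dport: Optional[int] = None

@dataclass
class HomeNat:
    """Simplified NAT: maps (proto, public port) back to (inside host, inside port)."""
    public_ip: str
    ipsec_passthrough: bool = False
    table: dict = field(default_factory=dict)
    esp_host: Optional[str] = None   # only recorded when IPSec passthrough is on
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source and record the mapping the reply must hit."""
        if pkt.proto == ESP:
            if self.ipsec_passthrough:   # passthrough remembers who sent ESP
                self.esp_host = pkt.src
            return Packet(ESP, self.public_ip, pkt.dst)
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pub)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, pub, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: forward only if a mapping exists, otherwise drop."""
        if pkt.proto == ESP:
            return Packet(ESP, pkt.src, self.esp_host) if self.esp_host else None
        entry = self.table.get((pkt.proto, pkt.dport))
        return Packet(pkt.proto, pkt.src, entry[0], pkt.sport, entry[1]) if entry else None

def banner_reaches_client(nat_t: bool, passthrough: bool, reply_port_ok: bool = True) -> bool:
    """Does the first server->client packet (the banner) get back to the client?"""
    nat = HomeNat("203.0.113.5", ipsec_passthrough=passthrough)   # constructed addresses
    client, server = "192.168.0.2", "198.51.100.10"
    nat.outbound(Packet(UDP, client, server, 500, 500))          # IKE on UDP 500
    if nat_t:                                                     # ESP wrapped in UDP
        out = nat.outbound(Packet(UDP, client, server, 10001, 10001))
        port = out.sport if reply_port_ok else out.sport + 1     # server aims at wrong port
        reply = Packet(UDP, server, nat.public_ip, out.dport, port)
    else:                                                         # raw ESP, no ports
        nat.outbound(Packet(ESP, client, server))
        reply = Packet(ESP, server, nat.public_ip)
    delivered = nat.inbound(reply)
    return delivered is not None and delivered.dst == client
```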
 
Did you ever get this working? I am having exactly the same problem and have followed the instructions to disable IPSEC passthrough on my router, but it still isn't working. Can you let me know what you did to get it working?

Thanks

Peter
 