Nortel Extranet (VPN) over LAN to DSL router to Corp WAN

Status
Not open for further replies.

Blasikov

Technical User
Aug 29, 2001
10
US
Hi all, I'm new to the forums =)

I have researched this subject quite a bit, websites, fora (including this one) but have not found much about my problem. Any help is greatly appreciated.

My company provides two methods of remote access. RAS (MS) dial-up and VPN (Nortel Extranet). The RAS works fine, but of course it is dial-up and it's a bit slow. The VPN works OK if you are out of town and are using a generic dial-up ISP.

I periodically work from my home office and use either of the solutions above to access my company's LAN/WAN. I have recently acquired DSL (Qwest, Minnesota) and am trying to get the "Nortel Extranet Client" VPN to work.

My home setup is: 1 Desktop and 1 laptop (both Win98SE) connected to a Linksys 10/100 switch. The switch is connected to a Cisco 678 DSL modem / router. The router is configured with DHCP, NAT, and ppp for the local ISP (full time connection). Internet access has been great on both machines. File and printer sharing (and other LAN stuff) works fine as well.

I understand that DHCP allows the PCs to have dynamic IPs on the LAN and the NAT allows the PCs to share the ISP connection.

Starting the Nortel Extranet Client, it will connect to the corporate VPN server (the validation completes and the client seems to be satisfied a connection was established), but no corporate resources are accessible. I can ping the VPN server (I've specified either the name or the straight IP) but no other internal servers. External internet servers are still available.

I had suspected that the problem was with the domain/workgroup in my "Network Properties", "Identification" tab or the domain in the DNS portion of the TCP/IP properties of the NIC - changing either/both of these did not help.

If I use dial-up to my personal ISP (the same ISP my DSL connection is on) the VPN client connects fine and I have full access to the corporate LAN/WAN. For this reason I suspect something amiss in the DHCP or NAT setup of the router.

Again, any advice is appreciated. If you need any other setup info, please post.

Thanks,

Rob "Blasikov" Marshall
Andover, MN, USA

DSL telco: Qwest
DSL ISP: MinnNet (aka BossIG, AmeriOn)
O/S: Win98SE (IE5.5sp2)
 
Hello!

I'm using EAC 2_06.33 as requested by my company. I opened UDP 500, TCP 1723 and all GRE, AH, ESP ports on my Bintec X1200 DSL router.
The ports are assigned to the fixed IP of the client where the EAC is running and I'm using NAT with my ISP.
With no success. I cannot get a connection through or established on Win2k.


Any ideas? Thanks for any help !
 
The EAC screws up your route tables when it connects, which is why the local LAN drops off when you connect to the target network with the EAC VPN client. If you do a route print command before you connect and after you connect, you can see where it changes your default gateway.

see for info on how to access your local lan while being connected with EAC
 
Hi all, this is my story:

We have a user using a win2k laptop that can connect using Extranet via broadband or dialup. This person can ping any device on the corp network by IP address or by name, DNS resolves and can use Exchange with no problems.

The problem is when he tries to search or browse for a server. Basically he cannot access any Microsoft Resource on the network.

While looking at his IPconfig we did notice that under the "NOC Extranet Access Adapter" configuration NetBIOS over IP is disabled. It kind of looks like this is the problem, but where do you turn this on? This virtual adapter is the only one that shows this as disabled.

Thanks for any help...


 
I have no trouble connecting to my corporate network from my home with VPN Client 4.15 on Windows 95, cable modem (ATT Broadband), no router, DHCP. But when I try to connect with the same setup on my Windows 2000 Server machine, the connection drops after about 5-7 seconds with the message: "The routing table cannot be altered after the Contivity VPN Connection has been established. The Contivity VPN connection has been closed." This is causing a lot of grief. Is there a workaround, or do I need to get a router?

Thanks,
Bob O.
 
I also have the "checking for banner text" error on my Nortel VPN Client 4.15. I can ping my corporate address just fine, but it won't come back through my Orinoco BG-2000 wireless router. I also use the Orinoco wireless gold PCMCIA card and can connect to the Internet just fine. I just can't do a Nortel connect to my company. Any help would be appreciated.

Howellj4
 
Finally, another possible solution to the bannersock timeout error.

I have been struggling with this issue off and on for about 6 months now, and finally fixed it this morning. I was forced to perform considerable kicking of myself.

For those that cannot connect due to bannersock timeout errors, try the following:

Win98 (others similar)
- Control panels
- Add/Remove Programs
- Windows Setup tab
(maybe optional steps)
- UNcheck "Communications"
- click OK
- restart (hardware adapters/drivers etc should auto reinstall)
- May want to uninstall Nortel Contivity here?
(back to NON-optional steps)
- Get back to Add/Remove_Programs->Windows_Setup
- Click on "Communications"
- Check all items you want to re/install
*** INCLUDING "VIRTUAL PRIVATE NETWORKING" ***
- Click OK twice (You may need Windows install disc)
- Restart
- Re/install Nortel Networks?
- restart

- BINGO, it should work now.


I hope this helps some people.
Good luck.

-MH
 
Hi, we are using Nortel Extranet (VPN) through a LAN which uses Microsoft Proxy 2.0 passing through 2 gateways to access the internet etc. When we ping vpn.xxxxx.com we get the IP address and the request timed out. Internet and everything else works perfectly. Any suggestions what's happening?
 
I'm a network administrator. I just upgraded from a Linux domain running Samba to a Windows 2000 Active Directory domain.

I am using the Netscreen 10 as my firewall and VPN server. My remote users are using Windows 2000 and Netscreen Remote VPN client software over Cable DSL to connect to the office. Everything was working fine until the changeover from Linux to Windows. Now my remote users can't map network resources; however, the VPN itself is working fine, they can ping my LAN and even access their Outlook.

When I try to map I am getting 'Access Denied' in some cases and sometimes no error at all. I have tried adding the remote workstations to the new domain but with no luck, but I did add them to the new workgroup. Still no luck.

So I just don't know what the problem is. Is there anyone out there that can help!!!!

khalidh21@yahoo.com
 
Hello again =)

Remember when I said that the Nortel Extranet Client was now irrelevant since MS VPN worked well? Well, now THAT stopped working. My corp IS had me try the new (version 4.1.5.D) Nortel client, but I'm still at odds with it.

I've fiddled with the ports in NAT: 500, 50, (NOT 51!) and even disabled some for other software (p2p, ICQ, etc) - nope. =(

What a pain. I'll post if I end up figuring it out.

Later, Blas
 
And I'm back once again.

I figured it out. Holy bytes of NAT tables, Batman!

Going back to my setup, I have a broadband connection via a Cisco 678 DSL modem/router and 4 port switch. Windows 2000 Pro-SP2.

I had set up MS VPN, and since it worked, never went back to figure out Nortel. I installed the newer version, 4.1.5.d, and went to the trouble of re-evaluating my DHCP, DNS, and NAT setup.

Lo and behold, the internal IP that my router's DHCP server had given my system was different than what I had in the NAT (port forwarding). DOH!

Lesson learned:

1) LAN DHCP and ISP ip addresses = Dynamic (mine are usually stable enough to consider static, however)
2) NAT != Dynamic
3) If you can't connect via VPN, do an "ipconfig /all" and make sure it matches your NAT table!

Oh, and BTW, the MS VPN works again too.

Thanks for reading this far. Good luck to you.

Blasikov
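
The check from lesson 3 above, written out as an added example that is not part of the original post: it parses `ipconfig /all` output and compares the adapter's address with the inside address of each port forward the tunnel needs. The forwarding-table text format, the sample addresses and the function names are assumptions constructed for illustration, not the Cisco 678's own syntax.

```python
import re

# Forwards each tunnel type needs, per this thread (ESP/GRE are IP protocols, no port).
REQUIRED = {"ipsec": [("udp", 500), ("esp", None)],
            "pptp": [("tcp", 1723), ("gre", None)]}

def host_ipv4(ipconfig_text):
    """Map adapter name -> IPv4 address from `ipconfig /all` output."""
    adapters, current = {}, None
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]          # unindented "... adapter X:"
        m = re.match(r"\s+IP(?:v4)? Address[ .]*:\s*([\d.]+)", line)
        if m and current:
            adapters[current] = m.group(1)
    return adapters

def parse_forwards(text):
    """Parse 'proto port -> inside_ip' lines (constructed format, '*' = no port)."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\d+|\*)\s*->\s*([\d.]+)", line)
        if m:
            port = None if m.group(2) == "*" else int(m.group(2))
            rules[(m.group(1).lower(), port)] = m.group(3)
    return rules

def audit(ipconfig_text, forwards_text, adapter, tunnel):
    """Return a list of problems; an empty list means the forwards match the host."""
    ip = host_ipv4(ipconfig_text).get(adapter)
    if ip is None:
        return [f"no IPv4 address found for adapter {adapter!r}"]
    rules, problems = parse_forwards(forwards_text), []
    for proto, port in REQUIRED[tunnel]:
        name = proto if port is None else f"{proto}/{port}"
        target = rules.get((proto, port))
        if target is None:
            problems.append(f"{name}: no forward configured")
        elif target != ip:
            problems.append(f"{name}: forwards to {target}, host is {ip}")
    return problems

# Constructed sample data: the lease moved to .3 but two forwards still say .2.
ADAPTER = "Ethernet adapter Local Area Connection"
SAMPLE_IPCONFIG = ("Windows 2000 IP Configuration\n\n" + ADAPTER + ":\n\n"
                   "        IP Address. . . . . . . . . . . . : 10.0.0.3\n")
SAMPLE_FORWARDS = "udp 500  -> 10.0.0.2\nesp *    -> 10.0.0.2\ntcp 1723 -> 10.0.0.3\n"
if __name__ == "__main__":
    print({t: audit(SAMPLE_IPCONFIG, SAMPLE_FORWARDS, ADAPTER, t) for t in REQUIRED})
```

A forward left pointing at a stale address also exposes whichever machine next receives that lease, so a mismatch is worth fixing even when the VPN is not in use.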
 
My problem is probably very simple for most of you, but I would really appreciate any help.

I'm trying to reach a VPN from behind a cisco router and I keep getting an error "bannersock"

I forgot to copy all the pertinent info from the error, but if someone has a starting point that I can use for direction
 
I too am seeing both occasional Bannersock messages (more often with cable than dial) and sessions which spontaneously drop for no apparent reason.

I have a theory though, which I am now trying to test. The IPSec protocol is carried over UDP, and consequently there is no retry mechanism. So if the banner packet happens to go astray, perhaps the client ain't happy if it don't get it. Also if the keepalive sent from the gateway goes awol, then we get what we see... bannersock errors and dropped sessions. On the other hand, 'real' traffic inside the tunnel is TCP, and so if a tunnel packet (UDP) is lost, the client app will NAK the TCP packet inside the UDP packet and it will be resent. What I'm testing right now is a 10-sec repeated ping so that the keepalive is never needed, and I'll see how long the session lasts!
 
I was getting BannerSock on/off using Cable ISP. Disabling the keepalives under options fixed me up (perhaps latency was the cause).
 
After reading all the postings and trying almost everything posted, I'm wondering if any of you can help us.

We have a Windows NT 4.0 running behind a Cisco 678 (PPP connection to ISP, static IP, NAT, server has static IP on LAN). The server is set up for VPN. I've set up ports 1723 TCP and 500 UDP and mapped them to the server's static IP. I can log onto the server remotely using VPN but cannot get any further. I can see stuff going out to the server, but nothing ever comes back; the byte count is frozen at around 226 after log on. I've checked the server's Remote Access Admin program and I'm logged on.

I don't know if it's relevant, but I'm accessing the VPN through another Cisco 678 which is also running NAT.

Here's the setup:

NT 4.0----Cisco.....INTERNET....Cisco----Win98SE
Server    678 #1                678 #2
VPN       (static IP)           (dynamic IP)

Are we running into the IPSec header issue? I can't find any IPSec settings on our server. Any hope of getting this to work?

Thanks everybody.
 
Hi:
I am wondering how to obtain this client/server software for some test purposes.

Can someone point me in the right direction?

Thanks.
 
If you are getting 'Please re-boot' messages when using the Extranet Client with Win 2k you need to uninstall the software and then remove the Nortel key from the registry. There is only one (can't exactly remember where it is though!)

Then reinstall as normal.

I also suffer from the 'Bannersoc' error and would like to see if anyone can help. I just have one machine connected via ADSL (no router other than what Win2K is doing), and a software firewall, which I have tried disabling.

What is weird is that after I get the error the connection appears to be made, i.e. the icon appears in the system tray, but I cannot contact any resources on the VPN.

If anyone has a similar problem and can help that would be appreciated.

Cheers
 
OK,

Here it goes:

VPN Client 4.15d on W2K Server.
Same problem as a couple of posts above.
I can connect for about 10 seconds and get the now infamous "The routing table cannot be altered after the Contivity VPN Connection has been established. The Contivity connection has been closed."

I'm running direct internet connection to the outside VPN port, so I should have no issues with port 500, etc..., I'm on the same LAN Segment as the outside VPN Extranet Port.

Remote Access and Routing are not enabled.
Network properties indicate only Microsoft networking client and TCP/IP client running on NIC.

Any clues?

Thanks
 
Well,

It appears that in order to run the client, it must be installed as a "Service" on W2K (DOH!!!). I spent at least three hours on this, and as an IT tech person, I should have known better. Anyway, this is a great site for sharing of tech issues. Keep up the good work.

Rubbing Chin
[Ponder]

Thanks
 
I have a Windows 2000 Professional Client which works fine when I dial up direct with ISDN, so I know that the basic config is correct, but when I try and use it from behind my Win2k server running Winroute Pro, I keep getting timeouts when it's checking for banner text, and then it disconnects itself.
I have ports 500 and 1723 NATed to the static address my laptop has on my LAN.

I am about to go out of my mind here....

HELP.
 
Hi everybody, I have the exact same problem as BitingNails described. My WIN 2000 professional works fine when using VPN client, but running it on my WIN 2000 server I always get timed-out while it is checking the banner text. Can anyone provide some help here?
 