Nortel Extranet (VPN) over LAN to DSL router to Corp WAN

Blasikov

Technical User
Aug 29, 2001
10
US
Hi all, I'm new to the forums =)

I have researched this subject quite a bit, websites, fora (including this one) but have not found much about my problem. Any help is greatly appreciated.

My company provides two methods of remote access. RAS (MS) dial-up and VPN (Nortel Extranet). The RAS works fine, but of course it is dial-up and it's a bit slow. The VPN works OK if you are out of town and are using a generic dial-up ISP.

I periodically work from my home office and use either of the solutions above to access my company's LAN/WAN. I have recently acquired DSL (Qwest, Minnesota) and am trying to get the "Nortel Extranet Client" VPN to work.

My home setup is: 1 desktop and 1 laptop (both Win98SE) connected to a Linksys 10/100 switch. The switch is connected to a Cisco 678 DSL modem / router. The router is configured with DHCP, NAT, and PPP for the local ISP (full-time connection). Internet access has been great on both machines. File and printer sharing (and other LAN stuff) works fine as well.

I understand that DHCP allows the PCs to have dynamic IPs on the LAN and the NAT allows the PCs to share the ISP connection.

Starting the Nortel Extranet Client, it will connect to the corporate VPN server (the validation completes and the client seems to be satisfied a connection was established), but no corporate resources are accessible. I can ping the VPN server (I've specified either the name or the straight IP) but no other internal servers. External internet servers are still available.

I had suspected that the problem was with the domain/workgroup in my "Network Properties", "Identification" tab or the domain in the DNS portion of the TCP/IP properties of the NIC - changing either/both of these did not help.

If I use dial-up to my personal ISP (the same ISP my DSL connection is on) the VPN client connects fine and I have full access to the corporate LAN/WAN. For this reason I suspect something amiss in the DHCP or NAT setup of the router.

Again, any advice is appreciated. If you need any other setup info, please post.

Thanks,

Rob "Blasikov" Marshall
Andover, MN, USA

DSL telco: Qwest
DSL ISP: MinnNet (aka BossIG, AmeriOn)
O/S: Win98SE (IE5.5sp2)
 
I'm using the Nortel Extranet Client 4.15 on a Windows 2000 box and when I connect to the VPN over the internet (through the WAN gateway and out to their live IP on the other end) I lose all connectivity to my local network (can't ping, print, or play Quake =) ). Previously, using the Nortel 4.10 client on Windows NT Workstation, it worked fine.

Any ideas as to how I can maintain LAN connectivity as well as WAN connectivity through the VPN?
 
Boy - what a bunch of problems. I just started trying to use this puppy today. At least my error is a little different. Not getting banner timeout - but I still cannot map to any corporate drives. I am not logging in. Any ideas on why I do not see a LAN login screen? Login to Remote Domain is checked. Running version 4_65.09.
 
Problem(s) solved. After I finally got logged in I still could not map to any drives. Shut down Zone Alarm and poof! I will mess around with the security settings and see what I have to turn it down to.
 
Regarding the "looking for banner text" issue... I had the same problem with a connection to DirecPC on one of our remote sites. It seems the private IP address of the client was getting lost in the NAT from DirecPC and the Nortel box, not knowing where to send the packets, dropped them. The solution was to turn on "NAT Traversal" on UDP port 10000 on the Nortel box, which cleared up the problem. Hope this helps someone out there.
 
I would like to thank Philster_Phil for the tip on connecting to the Contivity with DirecPC. I have a new user that just started using DirecPC on 9/13/02 and he was getting the banner text error. Enabling NAT traversal did the trick to make him work. I had just read about NAT traversal and was wondering if the Contivity supported it and I then found this thread which brought it all together.
 
Hi,

I've a NetBIOS issue with Nortel VPN client.

The setup is,

Cable modem from ISP -> Linksys Router (No NAT) -> 2 Windows machines. Both Windows clients use VPN to connect to the company network. The machine has two NIC cards though only one is used.

Problem,
On one Windows machine when I start the VPN client no NetBIOS traffic passes through. Everything else works just fine. Also when I look at the ipconfig of this Nortel VPN interface, it says NetBIOS disabled. VPN client shows NAT traversal. Kerberos patch is also installed.

NetBIOS works on the local LAN otherwise. Event Viewer displays errors
4311 Event Source NetBT, "Initialization failed because the driver device could not be created."

Any help would be highly appreciated.

Thank You,
Nitto.
 
Hi,

I'm just wondering if anybody managed to find a solution to the Bannersock error that allows a VPN connection to be created but then will not allow you to access any internal or external resources. I'm running Extranet Access Client 2.62 over an analog dial-up.

Thanks,
GAT.
 
I was getting the "checking for banner text" message. After reading all of the replies and attempting several resolutions I called my ISP. Turns out I was assigned a private static IP address. They changed it to a public static address and all my problems went away.
 
Hi All, I am a VPN administrator and may be able to help with some of your problems. I have experienced a lot of these problems. I know most of this has been answered already but just in case.

1. Unable to use your ISP while logged into the VPN. This sounds like an issue related to split tunnelling being disabled. This is done to ensure a secure tunnel. If split tunnelling is activated you will only be able to communicate through the VPN tunnel, not through your ISP or LAN. Check to see if you are in a group that does not allow split tunnelling.

2. Bannersock errors?

Please verify that the IPX/SPX bindings are not bound. If the problem persists, please remove any unused NIC adapters. If using Windows 95, please note there is a limit of four adapters including the Extranet Access Client. Also, if using a personal firewall, make sure all IPSec ports are opened.

The following ports and protocols need to be opened:

TCP port 709
TCP port 389 (LDAP)
UDP port 500 (IKE)
IP protocol numbers (not port #'s) 50 and 51 (ESP and AH)

In addition, if the user is behind a firewall and their source address is being NAT'ed, it must be static (one-to-one) NAT and not dynamic (one-to-many) NAT. The reason is that the IPSec protocol does not allow for src/dest port numbers in its packet headers. Since dynamic NAT runs on ports, it is not compatible.





 
FYI... For those of you using two machines and NAT and are being kicked off your connection: most routers will not support multiple client-side VPN connections, only multiple point-to-point VPN connections. This includes Linksys, D-Link, Cisco, etc. The only two routers that support multiple client-side VPN connections that I know of are Nexland and Baystack Instant Internet boxes.
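
The two posts above (IPSec carrying no port numbers, and two clients behind one NAT router) can be seen at the packet level. The following is an added example, not part of the original thread: a toy one-to-many NAT run over constructed packets, with all addresses, the SPI value and the 40000+ public port range chosen for illustration.

```python
import struct

ESP, AH, TCP, UDP = 50, 51, 6, 17  # IP protocol numbers

def ipv4(proto, payload, src="192.168.0.10", dst="203.0.113.5"):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    addr = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def udp(sport, dport, data):
    """UDP header (checksum left at 0) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def napt_key(packet):
    """(proto, src_port) a port-translating NAT can key on, else None."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto in (TCP, UDP):
        return proto, struct.unpack_from("!H", packet, ihl)[0]
    return None  # ESP/AH: SPI and sequence number follow the IP header

class Napt:
    """Toy dynamic NAT: (inside_ip, proto, src_port) -> public port."""
    def __init__(self):
        self.table, self.next_port = {}, 40000  # constructed port range

    def translate(self, packet):
        key = napt_key(packet)
        if key is None:
            return None  # no port field to tell inside hosts apart
        inside = (packet[12:16],) + key
        if inside not in self.table:
            self.table[inside] = self.next_port
            self.next_port += 1
        return self.table[inside]

# Constructed sample: ESP header is SPI + sequence number, then ciphertext.
ESP_BODY = struct.pack("!II", 0x1001, 1) + b"\x00" * 16

def demo():
    nat, a, b = Napt(), "192.168.0.10", "192.168.0.11"
    return {
        "ike": nat.translate(ipv4(UDP, udp(500, 500, b"ike"), src=a)),
        "esp_a": nat.translate(ipv4(ESP, ESP_BODY, src=a)),
        "esp_b": nat.translate(ipv4(ESP, ESP_BODY, src=b)),
        # ESP wrapped in UDP 10000, the NAT traversal port named in the thread
        "natt_a": nat.translate(ipv4(UDP, udp(10000, 10000, ESP_BODY), src=a)),
        "natt_b": nat.translate(ipv4(UDP, udp(10000, 10000, ESP_BODY), src=b)),
    }

if __name__ == "__main__":
    print(demo())
```

IKE on UDP 500 gets a mapping, bare ESP from either client gets none, and the UDP-encapsulated ESP from the two clients gets two distinct public ports.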



 
Connecting with the Nortel concentrator is fine but as soon as Internet Explorer is launched the connection is terminated with a cannot alter routing table error. What gives?
 