Nortel Extranet (VPN) over LAN to DSL router to Corp WAN

Blasikov (Technical User), Aug 29, 2001, US
Hi all, I'm new to the forums =)

I have researched this subject quite a bit, websites, fora (including this one) but have not found much about my problem. Any help is greatly appreciated.

My company provides two methods of remote access. RAS (MS) dial-up and VPN (Nortel Extranet). The RAS works fine, but of course it is dial-up and it's a bit slow. The VPN works OK if you are out of town and are using a generic dial-up ISP.

I periodically work from my home office and use either of the solutions above to access my company's LAN/WAN. I have recently acquired DSL (Qwest, Minnesota) and am trying to get the "Nortel Extranet Client" VPN to work.

My home setup is: 1 Desktop and 1 laptop (both Win98SE) connected to a Linksys 10/100 switch. The switch is connected to a Cisco 678 DSL modem / router. The router is configured with DHCP, NAT, and ppp for the local ISP (full time connection). Internet access has been great on both machines. File and printer sharing (and other LAN stuff) works fine as well.

I understand that DHCP allows the PCs to have dynamic IPs on the LAN and the NAT allows the PCs to share the ISP connection.

Starting the Nortel Extranet Client, it will connect to the corporate VPN server (the validation completes and the client seems to be satisfied a connection was established), but no corporate resources are accessible. I can ping the VPN server (I've specified either the name or the straight IP) but no other internal servers. External internet servers are still available.

I had suspected that the problem was with the domain/workgroup in my "Network Properties", "Identification" tab or the domain in the DNS portion of the TCP/IP properties of the NIC - changing either/both of these did not help.

If I use dial-up to my personal ISP (the same ISP my DSL connection is on) the VPN client connects fine and I have full access to the corporate LAN/WAN. For this reason I suspect something amiss in the DHCP or NAT setup of the router.

Again, any advice is appreciated. If you need any other setup info, please post.

Thanks,

Rob "Blasikov" Marshall
Andover, MN, USA

DSL telco: Qwest
DSL ISP: MinnNet (aka BossIG, AmeriOn)
O/S: Win98SE (IE5.5sp2)
 
OK, here is how I set up mine:
Extranet client 2.62.33

I named my home domain the same as our corporate domain and I use the same account name (that way I don't have to enter a domain logon).
My DNS info is a mix of local and corporate (name server addresses and domain suffixes).
My internal network uses standard IPs (192.168.0.0).
I'm routing through a Win2k Adv Server with a 3rd party firewall (WinRoute). I have to open ports other (50) and tcp (500) for Extranet to work.
My workstation is Win98SE (I've heard Win2k Pro is better for this - dunno) and my provider is Pacbell (DSL).
Everything works just fine.
The fact that you are not seeing corporate resources forces me to ask these questions:
What domain/workgroup are you set up for?
Do you have your corporate DNS name server and suffix info configured?
Are you logging in to the corporate domain?
 
Thanks for the reply =)

> The fact that you are not seeing corporate resources forces me to ask these questions:
> What domain/workgroup are you set up for?

My domain/workgroup is set to the name I use at work (I need to do this for RAS as well to browse the network shares).

> Do you have your corporate DNS name server and suffix info configured?

I have only my ISP's DNS servers configured. Should I add the corp ones and place them lower in the list?

> Are you logging in to the corporate domain?

I would assume the VPN client takes care of this. How would I go about that?
 
Yes! Definitely add your corporate DNS info to your TCP/IP settings (normally, the VPN software should take care of that, but that really depends on how complex your corporate LAN/WAN is).
As for the domain/workgroup, go into the properties of your Network Neighborhood, and on the Identification tab (workgroup), enter the name of your domain there (or whatever you have there at work). On the Configuration tab, add "Client for Microsoft Networks" if you don't already have it, and in its properties put a check mark in front of "Log on to Windows NT domain" and enter the name of your domain.
After you reboot, you will probably get a login screen - cancel out of it. Once you establish your VPN connection, you will once again get a login screen - enter your usual corporate login and password.
Hope this does the trick.
 
I agree with the above info about the domain name and other network properties. But I am curious which protocol you are using in the Nortel VPN. I have a user, using Colorado Qwest DSL/ISP with a Cisco router/modem. He cannot stay connected for any length of time without getting dropped, but if he uses PPTP he has no problems.
Good Luck!
 
Err... I thought Extranet used a form of PPTP.
To quote: "The Extranet Access Client uses the IPsec protocol with the ISAKMP/Oakley Key Exchange protocol to authenticate and secure an end-to-end connection into a remote network."
The only thing he should have on the client side is TCP/IP, so that it can bind to the Extranet client. The rest is done by the software...
 
Yes, it can use PPTP, but IPsec is the newer, more secure and efficient protocol. I use both via cable, but lately IPsec has been dropping frequently, so I use PPTP and it is stable. But that is only true for me using cable. I have 100+ users that have great dial-up connections with IPsec. When you set up the Nortel server side you get an option of PPTP, IPsec, L2TP and L2F tunnels to connect with.
 
Hi everybody. I have a similar problem. I set up a remote access server with W2K and the RRAS service for VPN clients and dial-up clients. The server is stand-alone and has no firewall. Remote users can log on but they can't browse the network; they can ping only the RAS server, but I can ping the remote machine from the local LAN. Remote clients are on the same subnet as the local computers, and on the server IP routing is enabled. Any idea? Please help.
Thank you
 
I'll give those suggestions a shot. Thanks =)
 
I have a similar problem using the Nortel Extranet with a cable modem and a 3COM Wi-Fi access point. The wireless link works, but cannot hold its connection for more than five minutes. When I attempt to connect using an Ethernet cable to the access point, I get a BannerSock error, which translates into a connection but no access to the corporate LAN.
 
Is anyone out there using the new version 4.x of the Nortel client? It's supposed to do two things of interest. One is to allow IPsec (ESP) to pass over NAT, and the other is to allow Microsoft certificates. Anyone have this client installed?
 
Hi everyone. I am having the same issue.

I think that what we are seeing is a problem between the client and its environment. I'm thinking it's along the lines of dynamic changes that the client won't deal with. Something like the Linux IPCHAINS issue with PPPoE having to have a locked MSS for masquerading (NAT) to work.

Has anybody contacted Nortel about this?
 
Actually... the problem is that when you NAT a VPN session it changes the packet headers. Any decent company will have a network set up behind a firewall, and when that firewall receives these packets, it checks the headers. When it sees that they do not match what the address should be, it considers it a "spoofed" or bad packet and drops it.
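A constructed model, added here and not code from Nortel or from anyone in this thread, of one reason plain ESP is hard to carry through a port-based NAT and what UDP encapsulation (NAT-T, the "ESP over NAT" support mentioned for the 4.x client above) changes: ESP carries no port numbers, so a simple NAT has nothing but the peer address to map replies back with, and a second inside host talking to the same gateway silently takes over the first host's mapping. All addresses, port numbers above 40000 and the NAT behaviour are assumptions, not a real router's tables.

```python
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP = 50, 17            # IP protocol numbers
NATT_PORT = 4500             # UDP port used when ESP is encapsulated for NAT-T
PUBLIC_IP = "203.0.113.10"   # constructed router WAN address
VPN_GW = "198.51.100.5"      # constructed corporate VPN gateway

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # ESP has no transport header, hence no ports
    dport: Optional[int] = None

class PortNat:
    """Toy port-based NAT (NAPT); a simplification, not any vendor's code."""
    def __init__(self):
        self.out = {}     # (proto, inside src, sport) -> outside port
        self.back = {}    # outside key -> (inside src, inside sport)
        self.next_port = 40000

    def outbound(self, p: Pkt) -> Pkt:
        if p.proto == ESP:
            # Only the address can be rewritten, so the reverse key is just
            # (ESP, peer): a second inside host to the same gateway overwrites it.
            self.back[(ESP, p.dst)] = (p.src, None)
            return replace(p, src=PUBLIC_IP)
        key = (p.proto, p.src, p.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(p.proto, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return replace(p, src=PUBLIC_IP, sport=self.out[key])

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        key = (ESP, p.src) if p.proto == ESP else (p.proto, p.dport)
        hit = self.back.get(key)
        return replace(p, dst=hit[0], dport=hit[1]) if hit else None  # None: dropped

def deliveries(hosts, natt: bool) -> dict:
    """Each inside host opens a tunnel to VPN_GW; map host -> inside address that actually receives the gateway's reply (None if unmappable)."""
    nat, outside, result = PortNat(), {}, {}
    for h in hosts:
        p = Pkt(h, VPN_GW, UDP, NATT_PORT, NATT_PORT) if natt else Pkt(h, VPN_GW, ESP)
        outside[h] = nat.outbound(p)
    for h, o in outside.items():
        reply = nat.inbound(Pkt(VPN_GW, PUBLIC_IP, o.proto, o.dport, o.sport))
        result[h] = reply.dst if reply else None
    return result
```

With one inside host the plain-ESP case still maps correctly, which is consistent with some people in this thread getting it to work behind NAT; it is the second host (or any router that needs a port to track state) that breaks it, and NAT-T gives each host its own outside UDP port.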
 
I have a dial-up connection, and to gain access to my satellite internet connection I have to use Nortel, but as soon as it logs in I lose communication with the stations on my network. How can I solve this problem and share the VPN connection with my LAN?
Anyone?
 
Is it possible that your company does not allow NAT?
 
Help Dagadish
Given:
- Dial-up connection to ISP used for sending only
- Satellite connection using DVB receivers via Nortel Extranet Access (VPN) used for receiving only
- Netgain is used as a proxy ONLY for VPN & modem
- W2K Server to manage a LAN and Microsoft Proxy for web access
- Regular switch to manage the LAN
- No router is used in this connection

Possible access:
Only the server was able to access the (receive only) service.

Problem:
When I try to log in to the VPN, the connection between the LAN & server is dropped.
Also, pinging the server from any of the stations times out. Also, pinging the stations from the server times out.
Also, pinging (server) localhost returns the VPN IP.

Solutions:
Advised to use a router, which is a logical solution; however, I have 150 customers that use this same config. It won't be feasible to supply them all with routers.

Solution needed: HELP
- Software solution that takes the router's place.

Deeply appreciate your help and cooperation.

 
Hopefully I can help some of you out here. My company uses the Nortel Extranet client and Contivity switches for the IPsec termination. Most people here in our TCOM dept have Linksys routers of one flavor or another. It took us a while, but we were able to find some ways around 'shaky' connectivity.

1) Your router/DSL/cable modem, etc. must support IPsec pass-through.
Workaround: If you are using a cable/DSL router (Linksys), remove the Linksys from the equation and connect directly to your DSL/cable modem. If you don't have a router and already connect straight to the DSL/cable modem, then contact your ISP and make sure they support IPsec.

2) The Nortel client communicates on UDP port 500 to send and receive 'hello' packets. So if you see users getting dropped after a few minutes, this is probably the issue.
Workaround: I've only tried this on a Linksys, sorry. However, open UDP port 500 and set TTL to 99. This has cured about 95% of these problems. The other 5% had to set their machines with the Nortel client in a DMZ (check documentation).

Once again, I hope this helps some of you out there.
 
NatWideGuy... you are clueless, the issues you raise are irrelevant!

The problem is with NAT behind a DSL/cable router... the Nortel Extranet Client will not work via a NAT connection, you must have a direct "routable/public" IP address assigned to your machine!
 
WanManVPN,

That's funny. I am able to do it via NAT.
Must be your experience... Too bad.
 