
Nortel Extranet (VPN) over LAN to DSL router to Corp WAN


Blasikov (Technical User), Aug 29, 2001, US
Hi all, I'm new to the forums =)

I have researched this subject quite a bit, websites, fora (including this one) but have not found much about my problem. Any help is greatly appreciated.

My company provides two methods of remote access. RAS (MS) dial-up and VPN (Nortel Extranet). The RAS works fine, but of course it is dial-up and it's a bit slow. The VPN works OK if you are out of town and are using a generic dial-up ISP.

I periodically work from my home office and use either of the solutions above to access my company's LAN/WAN. I have recently acquired DSL (Qwest, Minnesota) and am trying to get the "Nortel Extranet Client" VPN to work.

My home setup is: 1 Desktop and 1 laptop (both Win98SE) connected to a Linksys 10/100 switch. The switch is connected to a Cisco 678 DSL modem / router. The router is configured with DHCP, NAT, and ppp for the local ISP (full time connection). Internet access has been great on both machines. File and printer sharing (and other LAN stuff) works fine as well.

I understand that DHCP allows the PCs to have dynamic IPs on the LAN and the NAT allows the PCs to share the ISP connection.

Starting the Nortel Extranet Client, it will connect to the corporate VPN server (the validation completes and the client seems to be satisfied a connection was established), but no corporate resources are accessible. I can ping the VPN server (I've specified either the name or the straight IP) but no other internal servers. External internet servers are still available.

I had suspected that the problem was with the domain/workgroup in my "Network Properties", "Identification" tab or the domain in the DNS portion of the TCP/IP properties of the NIC - changing either/both of these did not help.

If I use dial-up to my personal ISP (the same ISP my DSL connection is on) the VPN client connects fine and I have full access to the corporate LAN/WAN. For this reason I suspect something amiss in the DHCP or NAT setup of the router.

Again, any advice is appreciated. If you need any other setup info, please post.

Thanks,

Rob "Blasikov" Marshall
Andover, MN, USA

DSL telco: Qwest
DSL ISP: MinnNet (aka BossIG, AmeriOn)
O/S: Win98SE (IE5.5sp2)
 
The problem is somewhat related to the DNS/WINS settings on the Extranet virtual adapter. Once connected to the VPN, run 'ipconfig /all' in a command window; in the list of adapters, find the Ethernet adapter whose name looks like a GUID (not an actual name). That is the Extranet adapter.

However, the problem I am having is that occasionally the DNS/WINS settings disappear, and then I cannot ping any corporate internal host (the VPN client connects fine). At other times I have a good connection after the VPN client connects, and the DNS/WINS settings are there in the list.

I've been using an SMC router, cable modem, and 2 Win2K PCs for almost a year, and running the VPN from one PC has never given me a problem (no specific setting in the router). All of a sudden, after I rebuilt the Win2K box and reinstalled the Extranet 2.6 client, I found the above problem. Then I decided to upgrade the PC to WinXP and install 4.10; the problem remains.

I did try to put the PC that I run the VPN client from into the DMZ zone, and the VPN connects smoothly. But I don't like to keep the PC in the DMZ zone as it's wide open to the internet.

So I set up the router to port-map UDP 500 to the PC on which I run the VPN client. Then a funny thing happened: in one Win2K login account, which has no network drive shares, the VPN connects fine, gets DNS, and can ping corporate hosts. In another login, which connects to network shares from other PCs on the private network and has a few mapped drives, I always fail to get a good VPN connection: the Extranet client goes well, but there is no DNS/WINS and no ping to any hosts.

Now I tried to recall if I did something with the 'route' table at the beginning of this year when I first set up the VPN, as it did work until recently, but I can't remember.

Any idea is welcome. Thanks
 
The problem I have is that if I connect to my ISP via dialup, I can connect and configure, but if I connect via my cable modem, I connect, but configuration fails with a Bannersock error.

According to my ISP, both the dial-up and cable modem come through the same switch and they are stumped as to why dial-up works and cable modem doesn't.

Anyone?

Terry
 
Well, I made the Nortel Extranet Client irrelevant, in my case.

I recently upgraded my home PC to Win2K (things in general seem to work much better) but still had no luck with the Nortel client. Thankfully my company's IS team put together the option of using Microsoft VPN on the same server.

I uninstalled Nortel, went thru the generic setup steps for MS VPN, configured it according to the corporate instructions, tweaked my router's DHCP and NAT settings, and presto! It gets right in to the WAN. I have heard that MS VPN can be slower than Nortel, but I get great response. No complaints here.

Blas :)
 
So I have followed many of the threads on VPN and Nortel ExtraNet Access dropping out after about five minutes with a Linksys router and must still say I did not see an answer.

If someone could offer some fixes I'd appreciate it. I tried to set UDP port 500 straight through to the machine and this prevented me from logging into the VPN at all. Is putting this machine in the DMZ any less secure than having it sit directly off the cable modem?

Any ideas greatly appreciated..
 
I am using the Extranet client with Windows 2K. I connect to my server and then get a message that says "looking for banner text", then the connection times out.

Anybody seen this before?

 
I figured I would start on this thread first. I recently started using the Nortel Extranet client as it was chosen by my company. Since I am connected via DSL, I prefer to only allow work-related traffic to flow through the Nortel client, while allowing me to use my DSL / ISP connection for other Internet traffic. It appears that the equivalent of "use default gateway on network" is embedded in the Extranet client.

How can I modify the connection to allow only work related traffic through? There does not appear to be a switch in the settings.
 
Let me throw in my two cents. I too, operate a Nortel VPN over a NAT router (SMC Barricade) and things work semi-fine.

Some have written here that VPN over NAT doesn't work, and that is only partially correct -- it depends upon the VPN connection used by your company and the type of NAT used by your router. You also need to carefully choose your router to ensure it supports the particular protocol used (there are many types used even within the same company). If you want to read deeply into this, I highly suggest the VPN help page from Practically Networked (a great source for home networkers).

My setup uses port forwarding of 500 and 1723, both of which are required by the Nortel Extranet (VPN) Client. Since I have not seen anyone state definitively whether these are TCP or UDP ports, I have four rules just to catch all the permutations:
1) trigger on 500 TCP - forward 500,1723 TCP;
2) trigger on 500 TCP - forward 500,1723 UDP;
3) trigger on 500 UDP - forward 500,1723 UDP;
4) trigger on 500 UDP - forward 500,1723 TCP.

Although 500 is the key to all of this communication, I have also heard that ports 17, 50, and 51 may also be involved in certain Nortel configurations, but I have not added them to my port forwarding rules --- yet.

Another eccentricity of Nortel is it requires the server to help with some type of connection renewals. While I have not tested it yet, this may be the reason a few of us are getting dropped VPN connections (mine tells me I am still connected but does not pass information). I am planning on fixing my IP address for my laptop running the VPN and setting it up as a virtual server to accept incoming traffic on ports 500 and 1723. If my corporate VPN is handling the communications to refresh the connection, port forwarding might block this since it looks for the communication to originate from the client, not the server. Some routers only allow you to accomplish this by putting your system in the open (or DMZ)...I would not advise this. Make sure your router can selectively limit the ports to an IP address rather than exposing to every hacker on the planet. DMZ basically means outside the firewall.

Also, beware the ISPs and DSL providers that block IPSec packets (why - so you are forced to buy the more expensive business package with static IPs, a router, etc.) Make sure your service provider does not do this. If they do, call and complain. Also tell them you will write to the FCC and your state attorney general.

reply to previous message:

I may be mistaken, but my understanding of a VPN circuit limits the traffic path -- that is, all TCP/IP traffic is handled through the VPN back to your corporate servers. When you connect to the VPN server, your client piggybacks the VPN adaptor on top of your ethernet adaptor (or whatever hardware you connect to the internet with). The VPN sets up another IP address and handles all internet traffic through this new connection. Keep in mind a VPN is a tunnel set up specifically to restrict incoming and outgoing information. ALL traffic flows through this pipeline to one of the endpoints. A leak or alternative path would defeat the entire reason for establishing a VPN circuit. The secure communication path would not exist. Bottom line -- it means you have to disconnect the VPN anytime you want to peep the xxx websites ;-)

You will also find that printing to a local network printer (with LAN server) requires either a statically defined public IP address or sharing the printer from another PC on your LAN. If anyone has a way of accessing a local LAN IP address while connected to the VPN, please let me know!

thanks,
Robert
 
Well, it turns out my simple solution was to disable the keepalive parameters in the Nortel ExtraNet Access client. This must be done before logging into the VPN service, via the Options menu. This stopped the disconnects I was experiencing when using Nortel to connect to work.

This may help some of you experiencing a disconnect after being connected for a short period.
 
I totally agree with those stating that the Nortel client works with NAT. I'm also using an SMC Barricade router and have had no problems. You need to operate in DMZ mode or configure port 500 to go to a specific host if using IPSec.
 
I use Nortel Extranet with an SMC router and PacBell DSL. I have no problem getting it to work with everything but Windows XP. When I install Extranet and reboot, I can no longer connect to the internet, before I even try to use the Extranet. Good thing for System Restore, because uninstalling it did not fix my internet connection....

My company gives me preconfigured Extranet software, with all the settings preconfigured, so it's easy to install: just add your username and password and it works. I never have any problems connecting to my company's network...

Does anyone know if Nortel is offering an update of Extranet for XP? Has anyone else been able to use Extranet with XP?
Have Fun
RaLySpoRT
 
Hi Blasikov, I have a similar experience to yours and was able to access corporate network through VPN after a change to the Linksys configuration.

Home network has a 3Com cable modem, Linksys Cable/DSL Router and Linksys USB Network adapter. Connection to internet is great with this setup, however when attempting to log on to corporate network using Nortel Extranet Client, a Bannersock timeout message was received. The connection was established, but no corporate resources are accessible. I can ping the VPN server.

I accessed the router's administrative utility by typing in its IP address. The important part here was finding the setup page that allowed the IPSec protocol to be enabled. Since IPSec was enabled, I have been able to access the corporate network with the Nortel Extranet Access Client.
 
Using WinRoute, I'm able to connect using the Extranet Client on both my laptop and my gateway (running WinRoute). When I use my laptop, as I said, I can get connected to the VPN, but I cannot access any machines on the corporate LAN. It works perfectly fine on my gateway, but it disrupts the internet connection for all my other machines.

Can someone please help me! I can't figure out why the connection is not working correctly if I'm behind the gateway!

Thanx!
 
Just briefly looking through this, here is something that might help some of you. Nortel uses IPSec. IPSec and NAT do not work together, so if you are using the Nortel client and "Internet Connection Sharing" you will have problems. One more thing to add: if you are using the Nortel client 3.7 or below, it is hard-blocked from being installed on WinXP and will not work no matter what you do.
 
spiderwarepc & All

It appears I suffer from a NAT (WinRoute 4.1) and Nortel Extranet Access client problem. I am running ADSL - WinRoute 4.1 Lite - ME - 100T - Win 2000 - Nortel EAC, with which I am attempting to connect to my company network. ADSL connected directly via USB works fine. However, I would prefer the more elegant solution of connecting via my home network. The NEA client appears to achieve a one-way connection: data can be sent but not downloaded. There is also a Bannersock timeout error. I was wondering if you were aware of any workarounds or upgrades that could resolve the issue for me.
 
For most of you using Linksys routers that are getting the Bannersock errors, you need to first make sure you have the latest firmware installed (one that supports IPSec). Then you have to ENABLE it in the web config interface, in the "Filters" area. **Note: by default the feature is disabled.

good luck.
 
ESP can be routed over NAT, just not AH. Remember, NAT changes every packet by modifying the header, and when IPsec examines the packet it will discard any that have been tampered with. ESP just encrypts the payload, which NAT is not concerned with. Just turn off AH authentication and you should be good to go.
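As an added illustration of the point made in the reply above (and of the earlier claim that IPsec and NAT never mix), here is a simplified Python model, not code from any poster or from Nortel, of what the integrity check covers in AH versus ESP and what a NAT source-address rewrite does to each. The key, addresses and payload are constructed; real AH and ESP headers are more involved, only the coverage of the integrity check is modelled.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed shared key; assumption: both IPsec peers hold this key.
KEY = b"constructed-shared-key"


@dataclass(frozen=True)
class Packet:
    src: str        # outer IP source address
    dst: str        # outer IP destination address
    payload: bytes  # transport header plus data (ciphertext in the ESP case)
    icv: bytes = b""  # integrity check value attached by AH or ESP


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def ah_protect(pkt: Packet) -> Packet:
    # AH's ICV covers the immutable outer IP header fields (here: source
    # and destination address) together with the payload.
    covered = pkt.src.encode() + pkt.dst.encode() + pkt.payload
    return replace(pkt, icv=_mac(covered))


def ah_verify(pkt: Packet) -> bool:
    covered = pkt.src.encode() + pkt.dst.encode() + pkt.payload
    return hmac.compare_digest(pkt.icv, _mac(covered))


def esp_protect(pkt: Packet) -> Packet:
    # ESP's ICV covers only the ESP payload, never the outer IP header,
    # so header changes made in transit are invisible to the check.
    return replace(pkt, icv=_mac(pkt.payload))


def esp_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, _mac(pkt.payload))


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    # A NAT router swaps the private source address for its public one.
    return replace(pkt, src=public_ip)


def survives_nat(protect, verify) -> bool:
    # Constructed addresses from the documentation ranges (RFC 5737).
    inner = Packet(src="192.168.1.10", dst="203.0.113.5", payload=b"GET /share")
    on_wire = nat_rewrite(protect(inner), public_ip="198.51.100.7")
    return verify(on_wire)
```

Running `survives_nat(ah_protect, ah_verify)` returns False while `survives_nat(esp_protect, esp_verify)` returns True, which is the behaviour the reply describes.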
 
I have been reading these posts and am still having trouble using Extranet. I have two machines (a laptop and a desktop) at home. I am also using a cable modem. I do not have a router, so I just swap the line to switch between the machines. The laptop connects fine and has access to corp shares. The desktop connects fine but cannot access any shares. In fact, it appears to not even try. The "network path not found" message appears immediately. Both machines are configured with the ISP domain (@HOME), DHCP and no static DNS servers.

I am at a complete loss. I have checked all of the settings that I can think of and they are all the same on both machines. For what it is worth, the desktop uses a 3Com NIC via the USB port.

Any ideas?

 
trometoloco, I have a user with the same issue. His Win95 machine will connect to resources, but his Win2k machine will not. He receives the error 53 message using the net command. I am not 100% sure, but I believe it may be a user/computer account issue. I am going to test my theory and see if it holds true.
 
StLouie, thanks for the response. I don't actually get any errors when I connect. In fact, all appears fine. It is when I attempt to access shares across the VPN that I just can't. It tells me that the network path was not found. The curious thing is that my Win2K laptop works fine. I have checked every setting I can think of between the two machines and can't find anything different.
 