-----Original Message-----
From: Ahmed, Sajid [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 03, 2003 9:52 AM
To: Matt Repko
Subject: RE: [gb-users] Nortel Contivity VPN clients behind Gnatbox
Matt,

We had this problem too. This is the workaround we worked out, but it may not be the right solution for a large number of users, i.e. ensure every internal user is mapped to a static public IP.

1. Create an alias public IP for each user, i.e. if you have 10, create 10.
2. Put a static NAT mapping your internal IP to the alias public IP, i.e. if you have 10, create static NAT for 10.
3. Create an OBF permitting the internal IP (range) to the destination IP (IP address of the VPN concentrator; initially permit src to any) with logging ON and the information option selected.

If you check your logs you will see that the first IP freezes the src port on the ext IP address to 500. So when the next user tries to connect and it is also NATed, it would try to seize the same src port, i.e. 500, which is already taken. This is the way VPN clients operate, at least Nortel/Cisco.

Hope this helps,
thanks

-----Original Message-----
From: Matt Repko [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 03, 2003 7:07 PM
To: [EMAIL PROTECTED]
Subject: [gb-users] Nortel Contivity VPN clients behind Gnatbox

I am having some difficulties with multiple Nortel VPN clients behind a Gnatbox GB-1000 unit. I've scoured Gnatbox's knowledgebase and various other resources and have not found any solid information. Hopefully someone on the list has run into this problem or has some good suggestions.

Here is the situation. We have a client who allows a handful of our developers VPN access into their network. We have a GB-1000 and our users are connecting to a Nortel VPN server using the Nortel Contivity client version 4.65. When a single developer connects to the VPN, everything works fine. If a second VPN connection is established, both connections hang. The developers have resorted to a verbal "who's using the VPN?" method to avoid compromising one another's VPN sessions. Needless to say, this is cutting into productivity. I have been able to rule out network issues, bandwidth issues and the like.
My guess is that the problem is with the GB-1000 and Nortel's IPSec transmissions. All of our network traffic appears to originate from a single IP address; that's the point of NAT, though. When a single VPN connection is active, the GB-1000 routes traffic properly; with a second VPN connection, the routing is not functioning properly. To take this a step further, when our VPN clients connect to two different external IP addresses on the client's VPN server, both sessions work fine. Unfortunately, we cannot configure the VPN client to specify which VPN server IP address to use; the second IP address is only assigned as a failover. Looking through Nortel's documentation yielded a known issue with NAT traversal connection failure, which essentially explains that multiple VPN connections behind a NAT firewall will lead to unreliable connections with the Nortel Contivity client.

Has anyone had problems like this? Has anyone come up with a solution or at least a workaround? I am open to suggestions.

Matthew R. Repko
Advanced Automation Associates, Inc.
640 Rice Boulevard
Exton, PA 19341
(610) 458-8700
(610) 458-0606 F
<mailto:[EMAIL PROTECTED]>
www.aaainc.com

------------------------------------------------------
To unsubscribe: [EMAIL PROTECTED]
For additional commands: [EMAIL PROTECTED]
Archive: http://archives.gnatbox.com/gb-users/
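The port collision Sajid describes, shown as an added model that is not part of the thread: a small Python simulation of a translation table keyed the way a firewall keys it, comparing many-to-one NAT on one public IP (where IKE's fixed UDP source port 500 collides) with the per-user static NAT workaround. Internal hosts, alias public IPs and the concentrator address below are constructed values.

```python
# Constructed model of the IKE/NAT collision discussed in the thread.
# IKE (ISAKMP) clients send from UDP 500 to UDP 500 and keep that source
# port; the NAT keys each translation on the public-side 4-tuple the
# VPN concentrator will see on the return path.
IKE_UDP_PORT = 500


class OverloadNat:
    """Many-to-one NAT on a single public IP. Mirrors what Sajid saw in the
    logs: the firewall keeps UDP/500 as the public source port, so the first
    IKE client owns (public_ip, 500, concentrator, 500)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.owners = {}  # (pub_ip, pub_port, dst_ip, dst_port) -> internal_ip

    def translate(self, internal_ip, src_port, dst_ip, dst_port):
        key = (self.public_ip, src_port, dst_ip, dst_port)
        owner = self.owners.setdefault(key, internal_ip)
        # A second host cannot share the same public 4-tuple: replies for
        # that tuple could only be mapped back to the first owner.
        return key[:2] if owner == internal_ip else None


class StaticNat:
    """One-to-one NAT: each internal host gets its own alias public IP
    (the workaround in the thread), so no two hosts share (ip, 500)."""

    def __init__(self, aliases):
        self.aliases = dict(aliases)  # internal_ip -> alias public IP

    def translate(self, internal_ip, src_port, dst_ip, dst_port):
        alias = self.aliases.get(internal_ip)
        return (alias, src_port) if alias else None


def start_ike_sessions(nat, clients, concentrator):
    """Return {internal_ip: public (ip, port) or None} for each client
    opening an IKE exchange (UDP 500 -> UDP 500) through `nat`."""
    return {c: nat.translate(c, IKE_UDP_PORT, concentrator, IKE_UDP_PORT)
            for c in clients}


if __name__ == "__main__":
    clients = ["192.168.1.10", "192.168.1.11"]   # constructed internal hosts
    concentrator = "203.0.113.5"                  # constructed VPN server IP
    print(start_ike_sessions(OverloadNat("198.51.100.1"), clients, concentrator))
    print(start_ike_sessions(StaticNat({"192.168.1.10": "198.51.100.11",
                                        "192.168.1.11": "198.51.100.12"}),
                             clients, concentrator))
```

The first print shows the second client getting `None` (the hang Matt reports); the second shows both clients translated on distinct alias IPs, which is why Sajid's per-user static NAT mapping works.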
