We've moved from Blogger to WordPress: http://blog.michaelfmcnamara.com


Saturday, June 14, 2008

Nortel Business Secure Router 222

We recently started looking for a more cost effective VPN router for small office and home office environments. With the current price of gas over $4.13/gallon there are a lot of businesses looking to try and ease the strain by effectively utilizing telecommuting for both voice and data applications. In my next few posts I'm going to look at some different technologies that a telecommuter could potentially use in the virtual office.

We're currently using the Nortel VPN Router 1010, 1050 and 1100 models for mid-size to large offices but needed a more cost effective solution for home office environments such as remote call center agents and other professionals. It also doesn't help that Nortel has manufacture discontinued the 1010, 1050 and 1100 models (the bulletin from Nortel can be viewed here). There are two approaches that we are currently looking at with respect to the remote call center agents; 1) hardware solution with VPN router and IP phone; 2) software solution with VPN client and IP softphone. In this post I'm going to discuss my impressions of the Nortel Business Secure Router 222.

Let me be honest up front and tell you that I'm no fan of the Nortel VPN 200 Series Router from which this product was born. I know from opening a Nortel VPN 221 Router that it appears as if Nortel has OEM'd the product from Zyxel. I'm not sure if that's still the case, but the GUI of the BSR 222 looks almost identical to the VPN 221.

"The Business Secure Router 222, specifically designed for the small to medium business (SMB), is a converged broadband access router that provides a secure connection to the Internet via digital subscriber line (DSL) or cable modem broadband services. The Business Secure Router 222 is an advanced, feature-rich router offered at an affordable price."

We tested the BSR 222 and were very happy with the results. We provisioned multiple IPSec tunnels with Triple DES encryption to a Nortel VPN Router 1700 (V06_05.140) using Asymmetric Branch Office Tunnel (ABOT) in Aggressive mode. In our previous tests with the VPN 221 router we had all sorts of issues with the IPSec tunnels staying up in Aggressive mode. With the BSR 222 we had no such issues using the exact same profile on the VPN Router 1700 we used for the VPN 221.

We also tested connecting a Nortel i2002 over the BSR 222 and found the call quality to be excellent. While I could have paired a BES 50 with the BSR 222 to provide PoE, I decided to just use a power supply on the i2002. The hardware solution seems to be a very reliable and stable solution, as it probably should be. I would guess that a hardware solution such as this would cost around $800 (IP ISM, IP Phone, BSR 222). Please just remember that any VPN solution is only as stable as your broadband connection to the Internet.

The default username is "nnadmin" and the default password is "PlsChgMe!". The default IP address is 192.168.1.1 and the router can be configured from a web browser by using the URL http://192.168.1.1.

In defense of the VPN 221 router, it does support a feature called "Control Ping". When this feature was configured it allowed the VPN 221 to determine if an IPSec tunnel had become disconnected from the far side. It did this by pinging an IP address that was within the tunnel network range. If the ping failed the router would essentially restart the tunnel by disconnecting it and reconnecting it. It would also keep the tunnel active on the far side, preventing any keepalive issues from arising. When I configured this feature on the VPN 221 the tunnels seemed to work flawlessly. This same feature is available on the BSR 222 and it may be required if you find your tunnels bouncing up and down.
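The Control Ping behaviour described above, as an added illustration (this is not the router's firmware or any Nortel code): a small monitor that treats a run of failed pings to a host inside the tunnel network as a dead tunnel and bounces it. The consecutive-failure threshold and the restart_tunnel callback are this example's own assumptions, and the ping results are constructed rather than sent.

```python
# Constructed ping outcomes standing in for replies from a host inside the
# tunnel network range: True = reply received, False = timed out.
SAMPLE_RESULTS = [True, True, False, True, False, False, False, True, True]

class ControlPingMonitor:
    """Bounce an IPsec tunnel after `threshold` consecutive failed control pings.

    Assumption of this example: a single lost ping is tolerated so ordinary
    packet loss does not restart a healthy tunnel; only a sustained failure does.
    """

    def __init__(self, restart_tunnel, threshold=3):
        self.restart_tunnel = restart_tunnel   # callback: disconnect + reconnect
        self.threshold = threshold
        self.failures = 0                      # consecutive failed pings
        self.restarts = 0

    def observe(self, reply_received):
        """Feed one ping outcome; return True if a tunnel restart was triggered."""
        if reply_received:
            self.failures = 0          # far side answered: tunnel is up
            return False
        self.failures += 1
        if self.failures < self.threshold:
            return False
        self.restart_tunnel()          # disconnect and reconnect the tunnel
        self.restarts += 1
        self.failures = 0              # count afresh after the bounce
        return True

def run_monitor(results, threshold=3):
    """Drive the monitor over a ping sequence; return the indices of the pings
    at which a restart was triggered."""
    restarted_at = []
    mon = ControlPingMonitor(restart_tunnel=lambda: None, threshold=threshold)
    for index, reply_received in enumerate(results):
        if mon.observe(reply_received):
            restarted_at.append(index)
    return restarted_at

if __name__ == "__main__":
    print("threshold 3:", run_monitor(SAMPLE_RESULTS))
    print("threshold 1:", run_monitor(SAMPLE_RESULTS, threshold=1))
```

Running it with threshold 1 shows why a threshold matters: every lost ping, including the isolated one, would bounce the tunnel.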

Cheers!

Saturday, May 10, 2008

Nortel VPN Router 1700 Restore Backup

We recently had an issue where the configuration of a Nortel VPN Router 1700 became corrupt, causing the VPN router to continually core dump and reboot itself. The solution required us to boot the VPN router from a floppy boot disk (the floppy disk was a previously created emergency recovery diskette - the floppy drive can be accessed by removing the front bezel). After we booted from the floppy disk we could factory reset the configuration and then restore the configuration from the previous night's backup.

We needed to assign a temporary IP address from the serial interface and then use Internet Explorer to connect to the temporary IP address. We then selected the option to "Restore" the configuration from a backup. The backup needs to be on an FTP site with the appropriate username and password.


The restore took about 30 minutes to complete and never really gave any indication that it was working other than the IE logo just swirling in the upper right hand corner of Internet Explorer. We were able to use Nortel's Java Device Manager to confirm that there was a lot of data moving over the Ethernet switch port connecting the Nortel VPN Router so we knew it was probably working.

I should point out that the Nortel VPN Router 1010, 1050 and 1100 do not have floppy drives although they may support a PROM based recovery option which would need to be executed from the CLI (serial) interface while the router booted.

It also seems that Nortel will be manufacture discontinuing the Nortel VPN Router 600, 1010 and 1100 at the end of December 2008. You can find the announcement here.

Cheers!

Sunday, February 24, 2008

VPN Router - Branch Office

In this post I'll review how to configure a Nortel VPN Router (formerly Contivity Switch). You'll need a special RJ45 -> DB9 serial cable in order to connect to the console port of the VPN router. The default username is "admin" while the default password is "setup". If you're not working with a brand new device, right out of the box, I would suggest that you factory reset it. You can do that from the main menu by selecting "R" for "Reset System to Factory Defaults".

Welcome to the Contivity Secure IP Services Gateway
Copyright (c) 1999-2004 Nortel Networks, Inc.

Version: V05_00.136
Creation date: Aug 20 2004, 15:50:15

Date: 07/23/1980
Unit Serial Number: 11221

Please enter the administrator's user name: admin

Please enter the administrator's password:

Main Menu: System is currently in NORMAL mode.
1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode FALSE
7) Allow HTTP Management TRUE
8) Firewall Options
9) Shutdown
B) System Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes

Please select a menu choice (1 - 9,B,P,C,L,R,E):
The first step will be to configure the IP addressing for the private LAN and WAN interfaces. Using the serial console select "L" for "Command Line Interface" from the menu options.
CES>
Upon entering the CLI interface the prompt will be changed to "CES>". You must now enter privileged mode using the "enable" command, entering the default admin password of "setup".
CES> enable
Password: *****
Let's take care of the easy stuff first;
CES#clock timezone est
CES#clock set 16:45:00 24 FEBRUARY 2008
The syntax of the clock set command can be seen in the example above. Now you must enter configuration mode using the commands listed below;
CES#configure terminal
Enter configuration commands, one per line. End with Ctrl/z.
CES(config)#
CES(config)#adminname admin password
We’ll first configure the private LAN IP Address (10.101.203.1/24);
CES(config)#interface FastEthernet 0/1
CES(config-if)#ip address 10.101.203.1 255.255.255.0
CES(config-if)#exit
Next we’ll configure the MANAGEMENT IP Address; (they must be on the same subnet!)
CES(config)#ip address 10.101.203.10
Management address set to 10.101.203.10 successfully !
Next, make sure Mgt addr and private LAN addr are on same subnet
CES(config)#

You should use the IP addressing that's been assigned to the equipment you're configuring in place of the IP addressing used above. Next we'll assign the public WAN IP Address provided by the Internet Service Provider (ISP). We'll use 192.168.100.100/24 for this example along with 192.168.200.50 and 192.168.200.51 as DNS servers;
CES(config)#interface FastEthernet 1/1
CES(config-if)#ip address 192.168.100.100 255.255.255.0
%Warning: The IP address type is changed from DHCP dynamic to static
CES(config-if)#exit
CES(config)#ip default-network 192.168.100.1 public
CES(config)#ip name-server 192.168.200.50 192.168.200.51
NOTE: FastEthernet 0/1 is the PRIVATE LAN while FastEthernet 1/1 is the PUBLIC WAN
Let’s disable those services we won’t be using and enable those we will be using;
CES(config)#no tunnel protocol pptp public
CES(config)#no tunnel protocol pptp private
CES(config)#no tunnel protocol l2tp public
CES(config)#no tunnel protocol l2tp private
CES(config)#ipsec encryption 3des-sha1
CES(config)#ipsec encryption aes256-sha1
CES(config)#no ipsec encryption aes128-sha1
CES(config)#no ipsec encryption des40-md5
CES(config)#no ipsec encryption des40-sha1
CES(config)#no ipsec encryption des56-md5
CES(config)#no ipsec encryption des56-sha1
CES(config)#no ipsec encryption hmac-md5
CES(config)#no ipsec encryption hmac-sha1
Let’s configure the “Base” default Branch Office Group with the standard settings. We will use 3DES-SHA1 for the main encryption with 3DES-Group2 for the IKE.
CES(config)#bo-group ipsec /Base
CES(config-bo_group/ipsec)#encryption 3des-sha1
CES(config-bo_group/ipsec)#encryption ike 3des-group2
CES(config-bo_group/ipsec)#antireplay enable
CES(config-bo_group/ipsec)#no compress
CES(config-bo_group/ipsec)#initial-contact enable
CES(config-bo_group/ipsec)#exit
Let’s add a designator for the local network (to be used later – replace with your IP network)
CES(config)#network add LocalNetwork ip 10.101.203.0 mask 255.255.255.0
Let's add a sub group for our IPsec tunnel configuration called NortelVPN;
CES(config)#bo-group add /Base/NortelVPN
CES(config)#bo-conn add TestProfile /Base/NortelVPN
CES(config)#bo-conn TestProfile /Base/NortelVPN
CES(config/bo_conn)#conn-type peer2peer
CES(config/bo_conn)#local-endpoint 192.168.100.100
CES(config/bo_conn)#remote-endpoint
CES(config/bo_conn)#tunnel-type ipsec

CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn)#routing type static
CES(config/bo_conn)#state enable
CES(config/bo_conn)#routing static
CES(config/bo_conn/routing_static)#local-network LocalNetwork
CES(config/bo_conn/routing_static)#remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
CES(config/bo_conn/routing_static)#exit

CES(config)#no service dhcp enable
CES(config)#ip default-network 192.168.100.1 public
CES(config)#ip dhcp-relay 10.101.203.1
CES(config)#ip dhcp-relay 10.101.203.1 enable
CES(config)#ip helper-address 10.101.203.1 server 1
CES(config)#ip forward-protocol dhcp-relay
Now we’ll need to configure certificate services for our SSL certificate in order to perform remote management via SSL over HTTPS;
CES(config)#crypto password somepassword
In the command above we used “somepassword” as the password for the certificate keys.
CES(config)#crypto server request
CES(config-request)#name NortelVPN-1050
CES(config-request)#country US
CES(config-request)#locality Somewhere,US
CES(config-request)#org-unit "Information Services"
CES(config-request)#organization "Acme Inc."
CES(config-request)#state AZ
CES(config-request)#key 3
CES(config-request)#openSSL enable
CES(config-request)#
CES(config-request)#create
-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded certificate request output omitted]
-----END CERTIFICATE REQUEST-----
CES(config-request)#
At this point you'll need to take the CSR request and get it signed. You'll then need to upload via FTP the root CA certificate along with the signed CSR certificate back to the Contivity switch. You should place the files in \system\cert\import, then issue the following commands;
CES(config)#crypto ca import rootca.crt
CES(config)#crypto server import signed.crt
Note: If you get "% RSA: Unknown operation for key type.", then uncheck "Key Usage Extension Required" under System, Certificates, Certificate Configuration in the GUI.

In the example above both “rootca.crt” and “signed.crt” are the filenames of the signed certificates.

CES(config)#show crypto ca certificates
CA Certificate:
----------------------------------------------------
Subject DN : mail=hostmaster@acme.org, CN=Contivity Root CA, OU=Information Services, O=Acme Inc, L=Somewhere, ST=Arizona, C=US
Trusted : ENABLED
Enabled : ENABLED
Default Group : /Base
Validity : 12/10/2004 - 12/08/2014
CES(config)#show crypto server certificates
Certificate:
----------------------------------------------------
Subject DN : CN=CES-SSL, OU=Information Services, O=Main Line Health System, L=Berwyn, ST=PA, C=US
Trusted : ENABLED
Validity : 01/13/2005 - 01/11/2015
With the full DN above we can now configure the server certificate to use for SSL (HTTPS) management;
CES(config)#ssl server-cert "CN=NortelVPN-1050, OU=Information Services, O=Acme Inc, L=Somewhere, ST=AZ, C=US"
CES(config)#ssl https-port 10443
CES(config)#ssl cipher all
CES(config)#https public
We're still working on finishing the rest of the document...

This command enables and disables the audible alarm that is sounded on the
switch under certain error conditions.
CES(config)#no audible alarm
At this point you should reboot the Nortel VPN router from the main menu (you can get back to the main menu by typing "exit" at the CLI prompts).

Once the Nortel VPN router has booted up (both the larger 1700 and 2700s and the 1010, 1050 and 1100s take about 5 minutes to boot, so please be patient) there will be a green light on the right side of the router labeled "G: ready". You should now be able to cable a PC up to one of the LAN Ethernet ports. You should be able to open a web browser to the management IP address;
http://10.101.203.10
You should be able to check the status of the VPN tunnel through the GUI. You will of course also need to configure the main office VPN router before the tunnel will connect.
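As an added example (not from the post and not Nortel's tooling), here is a Python pre-flight check for the addressing plan used in the walkthrough above: it enforces the constraint the router itself prints (management and private LAN addresses on the same subnet), catches overlapping LAN/WAN subnets, and renders the corresponding CES(config) commands. The plan dictionary and the function names are this example's own; the addresses are the post's sample values.

```python
import ipaddress

# Constructed sample plan using the post's addresses (this example's own layout).
PLAN = {
    "private_lan": "10.101.203.1/24",      # FastEthernet 0/1, private LAN
    "management": "10.101.203.10",         # must sit in the private LAN subnet
    "public_wan": "192.168.100.100/24",    # FastEthernet 1/1, public WAN
    "default_gateway": "192.168.100.1",    # ip default-network ... public
    "dns_servers": ["192.168.200.50", "192.168.200.51"],
}

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    lan = ipaddress.ip_interface(plan["private_lan"])
    wan = ipaddress.ip_interface(plan["public_wan"])
    mgmt = ipaddress.ip_address(plan["management"])
    gw = ipaddress.ip_address(plan["default_gateway"])
    # The router reminds you after "ip address": mgmt and LAN must share a subnet.
    if mgmt not in lan.network:
        problems.append(f"management {mgmt} not in private LAN {lan.network}")
    if mgmt == lan.ip:
        problems.append("management address must differ from the LAN address")
    if gw not in wan.network:
        problems.append(f"default gateway {gw} not in public WAN {wan.network}")
    if lan.network.overlaps(wan.network):
        problems.append("private LAN and public WAN subnets overlap")
    return problems

def render_cli(plan):
    """Emit the CES(config) commands from the post for this plan."""
    lan = ipaddress.ip_interface(plan["private_lan"])
    wan = ipaddress.ip_interface(plan["public_wan"])
    return [
        "interface FastEthernet 0/1",
        f"ip address {lan.ip} {lan.netmask}",
        "exit",
        f"ip address {plan['management']}",
        "interface FastEthernet 1/1",
        f"ip address {wan.ip} {wan.netmask}",
        "exit",
        f"ip default-network {plan['default_gateway']} public",
        "ip name-server " + " ".join(plan["dns_servers"]),
        f"network add LocalNetwork ip {lan.network.network_address} mask {lan.netmask}",
    ]

if __name__ == "__main__":
    print("\n".join(check_plan(PLAN) or ["plan OK"]))
    print("\n".join(render_cli(PLAN)))
```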

Cheers!

Saturday, January 19, 2008

Nortel VPN Router (Default Password)

The Nortel VPN (formerly Contivity) Routers are among some of the best in the industry. The majority of the product line came to Nortel (formerly Bay Networks) from the acquisition of New Oak back in 1999.

Since that time Nortel has added a few lower end SOHO solutions, Nortel VPN Router 200 series, to the product line which I believe are OEM'd from ZyXEL. I'm not very fond of the 200 series and I would NOT recommend them to anyone. I am, however, very fond of the 1100 series as it runs the same software that the larger models run.

Thankfully they all share the same default username and password. Unfortunately they don't all share the same software or configuration interface.

The default username is "admin".
The default password is "setup".

With the traditional Nortel (Contivity Switches) VPN routers there are two internal IP addresses assigned to the one physical internal interface. One IP address is for management and the other for routing traffic. The default management IP address for these models (Nortel VPN Router 1000 Series, 2000 Series, 4000 Series, 5000 Series) is;

http://192.168.1.2

The actual traffic interface is 192.168.1.1 and the default DHCP address range should be between 192.168.1.3 - 192.168.1.254.

Cheers!