EXPERT RESPONSE
The symptom you describe ("Checking for banner text" when using the Nortel Contivity VPN client) is a very common indicator of Network Address Translation (NAT) problems. In short, your VPN tunnel is being established (i.e., IKE gets through your router), but incoming VPN traffic is being blocked (i.e., IPsec ESP does not get through your router). Your VPN client is waiting to receive expected "banner text" that is being blocked, and eventually times out.
There are two ways for VPN clients to successfully make it through a NAT-ing device like a broadband/wireless router: VPN pass-through and NAT traversal.
- With VPN pass-through, the NAT-ing device observes VPN tunnel establishment and uses something to map arriving VPN data to the inside host that established the VPN tunnel. For example, when using IPsec VPNs, the NAT-ing device may forward inbound ESP (protocol 50) to the host that previously sent outbound IKE (UDP port 500) traffic. It is not unusual for this approach to work for one VPN tunnel at a time, or to work better with some VPN clients than others.
- With NAT traversal, the VPN client and gateway collaborate to avoid needing anything special from the NAT-ing device. They do this by detecting the presence of a NAT-ing device during tunnel establishment and agreeing to encapsulate VPN traffic inside a standard UDP envelope. The VPN client wraps outbound ESP inside a UDP header -- the NAT-ing device just sees a regular UDP packet and translates IP address and UDP port in the normal fashion. The VPN gateway sends ESP inside UDP as well, letting the NAT-ing device use the same IP address and UDP port number to map inbound packets back to the right VPN client.
The Netgear MR814 supports IPsec VPN pass-through, although I have seen some user posts suggesting that it only supports one tunnel at any given time. Your Nortel Contivity VPN client supports NAT traversal, although this option must be enabled on the VPN gateway to use it. I'm guessing that the MR814's VPN pass-through implementation isn't compatible with your version of the Contivity VPN client, but enabling NAT traversal would help.
Many users resolve this problem by contacting their VPN administrator to ask whether they need to use a newer version of their VPN client or connect to a different VPN gateway that has NAT traversal enabled. It is also possible that you need reconfigure your wireless router to unblock the UDP port used by NAT traversal. Consult Nortel's website (PDF) for a good description of this problem and possible resolutions, including figures that illustrate Contivity NAT traversal configuration.
|
