VPN, Peer to Peer Network, Broadband ICS (+ NAT?)

  first500 18:45 09 Oct 2005

I have a problem getting my firm's VPN Access software to run over my home network. Could somebody help - I feel in my bones that it is just a simple final step to get it working, but the firm's helpdesk seem stumped.

I have a peer to peer wireless network - my home desktop is linked to the internet by a USB broadband modem, XP Pro SP2 and ICS enabled. Connects to my firm's laptop by Belkin 54g cards, and the network works perfectly in every other respect.

My work laptop has Access Manager software installed which uses Nortel Networks Contivity VPN Client. It works perfectly over a straight dial-up from the laptop modem. But over the home network it fails at the final hurdle with the message "The secure Contivity VPN connection has been lost".

The Help File for this message reads as follows:

“The secure Contivity connection has been lost.

Cause: The Contivity VPN Switch that you are connected to has either logged your connection off or the Switch is no longer responding, or a device that does not support IPsec NAT Traversal is causing the connection failure.

This indicates that the Contivity VPN Switch is unable to communicate with the client because it is behind some kind of NAT (Network Address Translation) device. NAT (Network Address Translation) Traversal allows a number of devices on a private network to access the Internet simultaneously without each requiring its own external IP address.

If you are able to access the NAT device and adjust the settings, you can try reconfiguring it to connect.”

I have read Microsoft’s paper on NAT Traversal, but it could well be written in a foreign language. I understand that this may be something on my home desktop ICS interface that needs tweaking, but don’t know where to start. I have tried running the software with the XP Firewall switched off, but same result. So I have eliminated a Firewall setting I presume. I guess it may be a setting on the Broadband Modem Networking TCP/IP Properties tab, but I may be totally wrong.

The laptop and desktop both have fixed IP addresses on the PtoP Network. I think the internet connection to Wanadoo uses variable IP addresses.

I can offer the following:

1. The Contivity VPN Client Readme.txt states that “The Contivity VPN Client is a Windows application that lets you create and store connection information for tunneling into an Extranet Access Switch connected to a remote corporate network. The Contivity VPN Client uses the IPsec protocol with the ISAKMP/Oakley Key Exchange protocol to authenticate and secure an end-to-end connection into a remote network.

2. The program’s logfile gives the following information (I have changed the IP addresses to maintain confidentiality):

Fri Oct 07 15:23:53 2005 | Isakmpd | I | Connection initiated to 1xx.1xx.2xx.4xx [1xx.1xx.2xx.4xx] using Diffie-Hellman group 2.
Fri Oct 07 15:23:56 2005 | ConfMode | S | Authentication successful.
Fri Oct 07 15:23:56 2005 | ConfMode | I | IP Address 1xx.1xx.6xx.2xx.
Fri Oct 07 15:23:56 2005 | ConfMode | I | Keepalive interval set to 60 seconds.
Fri Oct 07 15:23:56 2005 | ConfMode | I | Maximum keepalive retransmissions set to 3 retries.
Fri Oct 07 15:23:56 2005 | ConfMode | I | Mandatory tunneling enforced.
Fri Oct 07 15:23:56 2005 | ConfMode | I | Primary Domain Name Server "1xx.1xx.2xx.3xx".
Fri Oct 07 15:23:56 2005 | ConfMode | I | Secondary Domain Name Server "1xx.4xx.2xx.3xx".
Fri Oct 07 15:23:56 2005 | ConfMode | I | Primary WINS Server "1xx.1xx.2xx.6xx".
Fri Oct 07 15:23:56 2005 | ConfMode | I | Secondary WINS Server "1xx.4xx.2xx.7xx".
Fri Oct 07 15:23:56 2005 | ConfMode | I | Primary Failover "6xx.2xx.1xx.3xx".
Fri Oct 07 15:23:56 2005 | ConfMode | I | Current time on switch is 10/07/05 14:02:27 GMT.
Fri Oct 07 15:23:59 2005 | NameSrvr | W | Adding DNS Servers "1xx.1xx.2xx.3xx 1xx.4xx.2xx.3xx".
Fri Oct 07 15:24:00 2005 | NameSrvr | W | Adding WINS Servers "1xx.1xx.2xx.6xx *1xx.4xx.2xx.7xx".
Fri Oct 07 15:26:29 2005 | Isakmpd | F | The secure Contivity VPN connection has been lost.
Click Connect to re-establish the connection”

Any help appreciated

  Forum Editor 18:58 09 Oct 2005

that you are using a USB broadband modem - which one is it?

I take it there's no wireless router involved - the PC is physically connected to the modem?

  first500 19:06 09 Oct 2005

Hi. It's an Alcatel Speedtouch Modem (supplied by Wanadoo), and it is physically connected to the Desktp PC. There is no router, just a simple (ad-hoc?) "Peer to Peer" network.

  Forum Editor 20:15 09 Oct 2005

1) Right click My Computer and select 'Manage'

2) Click the + beside ‘Services and Applications’

3) Click on 'Services' in the left pane.

4) Look for IPSEC Services in the right pane.

5) Disable the service.

Now try to connect.

  first500 21:58 09 Oct 2005

Hi. I presume this is to be done on the desktop. I disabled it on desktop, but no change.

It is already disabled on the laptop (Windows 2000 by the way).

I will leave desktop IPSEC disabled in case there are any further ideas.

Regards, David

  Forum Editor 00:03 10 Oct 2005

I should have said that my post referred to Windows XP. I hadn't noticed that your laptop's running Windows 2000.

Do you have service pack 3 installed on that machine? If you do, I suggest that you try installing an update.

click here
and then

1. Click Find updates for Microsoft Windows operating systems.

2. Click to select your operating system and language, and then click Advanced Search.
You must select either Windows 2000 Professional Service Pack 3 or Windows 2000 Professional Service Pack 4. If you select a different operating system, the update is not returned in the search.

3. In the 'Contains these words' box, type 818043, and then click Search.

Install the IPSEC update and see what happens - you'll need to restart your computer before the update will function.

This is a complex technology, and we're working through some very basic possibilities - do you know which operating system is running on your company server?

  first500 21:16 10 Oct 2005

The server splash screen indicates Windows Server 2003 Standard Edition.

Laptop is running W2000 SP4, with IPSEC disabled. The Access Manager will not run with IPSEC started (Error message asks for it to be disabled before re-trying), so it is obviously correct for it to be disabled on the laptop.

Makes no difference if started or disabled on desktop.

I appreciate the complexity of this - thanks for trying to help. Is there perhaps something on the desktop’s ICS properties maybe which relates to NAT that needs tweaking?

  Forum Editor 21:25 10 Oct 2005

through my network notes - accumulated over the years - and I found this, in my handwriting, in heavy red felt-tip:-

"Don't try to get an IPsec VPN connection working through ICS because it's not supported"

That was written in 2001.

  first500 23:31 10 Oct 2005

Sounds terminal (excuse the pun). So nothing changed with XP's version of ICS I presume?

But hey, thanks for trying.

  Forum Editor 23:52 10 Oct 2005

that I linked you to? It might be worth installing this on the Win2000 machine and giving it a try.

  first500 16:30 11 Oct 2005

The VPN works when used on a direct dial up from the laptop. Could this update make a difference? (IT dept may not like me updating off my own bat!)

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

AMD Radeon Adrenalin release date, new features, compatible graphics cards

8 brilliant character artists speaking at Pictoplasma 2018

iMac Pro release date, UK price & specs

Football : comment regarder la Ligue 1 en direct ?