Topic # 78803 8-Mar-2011 18:12

Hi,
 

I have a work laptop running Windows XP Pro and use Nortel Contivity to access work via a VPN. The laptop always worked fine on the TCL cable connection and still works fine via my Vodafone 3G mobile (tethered) and random WiFi hotspots e.g. koru clubs around the country.
 

Since signing up to Vodafone Naked ADSL at my new address (Schnapper Rock, Albany, Auckland) I have had no joy connecting via my home connection, which uses the Vodafone-supplied Echolife HG556a ADSL modem/wireless router. I can still access the e-mail fine and can still access the work VPN via mobile etc but no luck at all via the home modem/router. Neither my work helpdesk (only supports the laptop) nor the Vodafone helpdesk ("VPN is unsupported by our helpdesk - talk to your work helpdesk") were able/willing to help beyond suggesting the normal things i.e. DMZ and/or NAT/Virtual Server/Port forwarding etc.


Things I have tried:

1. Opened the ports as recommended by work (and portforward.com). This did not work so I closed them again.
 
2. Used the built in 'applications' feature from the router configuration page (and the VNC application). This opened the exact same ports as those I had previously opened manually as recommended by work so I was not surprised when this did not work. I closed them again.

3. Set up my laptop as being in the DMZ. To my mind this should have been a fool-proof solution but again did not work.

4. Set up my laptop with a static IP rather than DHCP assigned (although this is not something I do when connecting via public wireless obviously). I then re-tried all of the above again without success. 

5. Connected my laptop to the router both via wireless and Cat 5 - again, no joy.


Looking online it would appear that the router supports VPN pass-through so I am at a loss. I did also find online a few comments from other pers that could not access their VPN using the Vodafone-supplied router so I wonder if it is a common problem (although am sure that there would have been sufficient backlash by now for Vodafone to have done something about it if it affects all users).


Finally I should note that while I have Vodafone Naked DSL I am not in the 'Red Zone' so one assumes that I am provisioned through someone else's cabinet/exchange. Not sure how/why this might be a problem but thought it worth mentioning.


If anyone can help or offer some advice it would be most appreciated. Final fallback seems to be buying another wireless modem/router but this is obviously not a step I want to take, particularly with no guarantee that this will work either due to the issue being somewhere in the link rather than the Echolife router.....


Thanks

Philbert

  Reply # 446721 8-Mar-2011 18:36

Have you tried comparing ping/tracert results to your VPN server, using your 3G connection vs the ADSL?





  Reply # 446804 8-Mar-2011 21:18

via DSL

ping: 4/4, min 31ms, max 37ms, av 34ms
tracert: 9 hops, all successful, straight to an ihug server, av response times between 4 @ 33 ms


via 3G (or actually GSM in this case as reception lousy in lounge hence desire to sort home router)

ping: 4/4, min 518ms, max 882ms, av 670ms
tracert: took 6 hops to get to ihug server via 3 x 172.26.xx.xx.xx servers and a core.vf server (av response times all greater than 600ms) and then everything else timed out up to hop 30.

when connected via contivity (GSM - despite low ping rates and time outs in tracert) no ping or tracert requests work - am assuming this is as expected as establishing the secure link via contivity (and RAS token) 'locks down' internet access for everything except the secure login webpage.

Screenshot of my successful contivity connection (IP blanked out) is below:

https://cdn.geekzone.co.nz/imagessubs/blog4669f408113d06092bcc76fc900730fa.jpg


From my contivity log file I get the following for a successful connection:

Tue Mar 08 20:22:19 2011 | Isakmp | I | Contivity VPN Client V05_11.021
Tue Mar 08 20:22:19 2011 | Isakmp | I | Logging subsystem initialized.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2 mode is enabled.
Tue Mar 08 20:22:19 2011 | Isakmp | I | Extranet
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Hash verification OK for file: C:\Program Files\Nortel Networks\extranet.exe
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Hash verification OK for file: C:\Program Files\Nortel Networks\certal.dll
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Hash verification OK for file: C:\WINDOWS\system32\drivers\ipsecw2k.sys
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Hash verification OK for file: C:\WINDOWS\system32\drivers\eacfilt.sys
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Triple DES KAT passed.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: AES (128 Bits) KAT passed.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: AES (256 Bits) KAT passed.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: SHA1 KAT passed.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: HMAC-SHA1 KAT passed.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Diffie-Hellman Group 2 KAT passed.
Tue Mar 08 20:22:20 2011 | FIPS | I | FIPS 140-2: Diffie-Hellman Group 5 KAT passed.
Tue Mar 08 20:22:20 2011 | FIPS | I | FIPS 140-2: PRNG KAT passed.
Tue Mar 08 20:22:20 2011 | FIPS | I | FIPS 140-2: Eacfilt driver HMAC-SHA1 KAT and Integrity test passed.
Tue Mar 08 20:22:20 2011 | FIPS | I | FIPS 140-2: Ipsec driver Triple DES, AES(128 Bits and 256 Bits), SHA1, HMAC-SHA1 KAT passed.
Tue Mar 08 20:22:20 2011 | Isakmpd | I | Session End Notification setup for XP :
Tue Mar 08 20:43:51 2011 | Isakmpd | I | Connection initiated to xxx.xx.x.xx [IP blanked] using Diffie-Hellman group 5.
Tue Mar 08 20:43:56 2011 | ConfMode | S | Authentication successful.

It then goes on to track the various stages of the session.

The log file is identical for the failed connection except the last line which is instead:
Tue Mar 08 21:05:55 2011 | Failover | W | Client failover invoked to "xxx.xx.x.xx" [alternate IP blanked]

It then goes through the authentication process for the alternate IP before returning:
Tue Mar 08 21:16:15 2011 | Isakmpd | F | Login Failure due to: Remote host not responding
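
Added example, not part of the original post: a small Python parser for the log layout quoted above that groups lines into connection attempts and reports how each one ended and how long it took. The sample lines are constructed (documentation IP addresses and an assumed start time for the failed attempt), and reading severity `F` as a fatal event is an assumption.

```python
import re
from datetime import datetime

# Layout seen in the post: "<timestamp> | <subsystem> | <severity> | <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \| "
                     r"(?P<sub>\w+) \| (?P<sev>[A-Z]) \| (?P<msg>.*)$")

# Constructed sample in the same layout; 192.0.2.x are documentation addresses.
SAMPLE = """\
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2 mode is enabled.
Tue Mar 08 20:43:51 2011 | Isakmpd | I | Connection initiated to 192.0.2.10 using Diffie-Hellman group 5.
Tue Mar 08 20:43:56 2011 | ConfMode | S | Authentication successful.
Tue Mar 08 21:05:40 2011 | Isakmpd | I | Connection initiated to 192.0.2.10 using Diffie-Hellman group 5.
Tue Mar 08 21:05:55 2011 | Failover | W | Client failover invoked to "192.0.2.20"
Tue Mar 08 21:16:15 2011 | Isakmpd | F | Login Failure due to: Remote host not responding
""".splitlines()

def parse(lines):
    """Yield (datetime, subsystem, severity, message); skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["sub"], m["sev"], m["msg"]

def summarize(lines):
    """Group events into connection attempts and record each attempt's outcome."""
    attempts, current = [], None
    for ts, sub, sev, msg in parse(lines):
        if msg.startswith("Connection initiated to"):
            current = {"start": ts, "failovers": 0, "outcome": "unfinished", "seconds": None}
            attempts.append(current)
        elif current is None:
            continue  # start-up self-test lines come before any attempt
        elif sub == "Failover":
            current["failovers"] += 1
        elif msg.startswith("Authentication successful"):
            current.update(outcome="authenticated",
                           seconds=(ts - current["start"]).total_seconds())
        elif sev == "F" and msg.startswith("Login Failure"):  # assumption: F = fatal
            current.update(outcome=msg.split("due to:", 1)[-1].strip(),
                           seconds=(ts - current["start"]).total_seconds())
    return attempts

if __name__ == "__main__":
    for attempt in summarize(SAMPLE):
        print(attempt)
```

An attempt that logs a failover and then ends minutes later with "Remote host not responding" means the client never received a reply from either gateway, which is a different condition from a rejected credential.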

 
 
 
 




  Reply # 446811 8-Mar-2011 21:50

Have you checked with your work's IT dept about firewalling your assigned Vodafone IP range? A lot of companies will blacklist ranges that were not assigned to prevent spoofing (but with the runout of addresses, these have been assigned).


  Reply # 447056 9-Mar-2011 19:07

Philbert: ...

It then goes through the authentication process for the alternate IP before returning: 
Tue Mar 08 21:16:15 2011 | Isakmpd | F | Login Failure due to: Remote host not responding


The authentication is failing so possibly something is going wrong with isakmp (port 500) being routed back to your laptop.

With the port forwarding stuff you've tried already, did you test it?  You can try this tool - http://www.portforward.com/help/portcheck.htm





  Reply # 447361 10-Mar-2011 17:44

Thanks for the replies. In response:

1. Work helpdesk has re-iterated no problem at their end but they will "investigate further". We are a very large company with hundreds if not thousands that RAS in so they should know what they are doing......

2. Portforward checker
- I downloaded and used the tool and it said that the ports were not open.
- Long story short, no combinations of software firewalls/different clients etc made one bit of difference until I put the static IP laptop back into DMZ at which stage it did a lot of random things including telling me some were open, some were open on another computer in my network and none were open. I then took my laptop out of DMZ and ever since then the tool tells me that all VNC necessary ports (plus port 500) are open from my laptop.

Good news, problem solved you are thinking? Alas no, still no authentication from the remote host with the exact same log file as previously reported.

Sigh.





  Reply # 448080 14-Mar-2011 00:09

Quick update - am waiting on a return call from the work helpdesk who are going to go through some more detailed diagnostics at their end to try and work out why it is not authenticating.

In the meantime I have also shelled out $99 to get "Sure Signal" so that I can at least connect in via the mobile phone at 3G speeds rather than GSM - it will be interesting to see if routing my 3G connection back through my ADSL modem all of a sudden shuts down connection to the VPN via my mobile....if so I will be returning "Sure Signal" and asking for my money back!





  Reply # 461071 20-Apr-2011 20:31

Have got a different laptop through work and it connects through to my VPN fine when using either my tethered phone or the Vodafone router - the laptop does use a later version of Nortel Contivity which may be the reason although it also has a different modem/drivers/firewall from the original laptop so could be any combination of things......all in all I am just happy that I am able to connect via my ADSL rather than my mobile (a little bit cheaper and a damn sight faster!)
