• May 22, 2012, 10:10:00 PM

Author Topic: BSR222  (Read 956 times)


Offline rambling_rebel

  • Rookie
  • **
  • Posts: 10
BSR222
« on: December 07, 2011, 10:58:34 PM »
Hi

I'm new here...

I have an issue, rather urgent: I need to get a BSR222 client to branch tunnel working with a Cisco IPsec and the CVC client. I have done the CVC to BSR and B2B with the BSRs, but I don't know what I'm forgetting. I hit the BSR (and I thought I set the termination details as I have always done). I'm getting a failure on authentication. It says on the client "Profile doesn't exist" (or something to that extent). I'm just doing a basic IPsec with username and password (and the logs on the BSR are suggesting I'm hitting it, but if I remember correctly it said "no proposal chosen").

Anyone have any insight? I have looked through the docs and reviewed previous configs and I don't see what I'm missing... maybe I can't see the forest for the trees.

rr


Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2517
    • Michael McNamara
Re: BSR222
« Reply #1 on: December 08, 2011, 12:36:18 AM »
Hi rr and welcome to the forums.

Quote
I need to get a bsr222 client to branch tunnel working with a cisco IPsec and the cvc client. I have done the cvc to bsr and B2B with the BSR's

Perhaps you could re-word this... doesn't make much sense to me.

You are trying to get the BSR222 to connect to a Cisco PIX/ASA?

"No proposal chosen" means you have a mismatch in either your Phase 1 or Phase 2 configuration. You should verify that you have the exact same settings on both endpoints. Are you setting up an Aggressive or Main Mode tunnel? Which VPN endpoint has the static IP address?

Good Luck!
We've been helping network engineers, system administrators and technology professionals since June 2009.
If you've found this site useful or helpful, please help me spread the word. Link to us in your blog or homepage - Thanks!

Offline rambling_rebel

  • Rookie
  • **
  • Posts: 10
Re: BSR222
« Reply #2 on: December 08, 2011, 06:42:27 AM »
Hi Michael

Thanks for your prompt reply. The "termination device" is the BSR222. There are two teams that are trying to connect to it. One uses the Cisco client, the other uses the CVC client. Both are failing authentication (at least that's what the client logs are saying), but the BSR says "No Proposal chosen".

I thought I was doing Aggressive mode, if I remember correctly. The BSR has a static address on it.

thanks again

Randy

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 584
Re: BSR222
« Reply #3 on: December 08, 2011, 07:01:27 AM »
Hi rambling_rebel,

'No proposal chosen' in IPSEC usually means an error seen in phase 2?

As @Michael mentions, I would check that the source and destination IP addresses/Networks match at both ends?

CheerZ and good luck
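
Added example, not part of any post in this thread and not BSR222 or Cisco code: a sketch of the check both replies above recommend, comparing each side's Phase 1 and Phase 2 settings field by field, since a gateway that answers "no proposal chosen" does not say which setting differed. The field names and sample values are assumptions made for illustration.

```python
import ipaddress

P1 = ("mode", "encryption", "hash", "dh_group", "auth")
P2 = ("protocol", "encryption", "hash", "pfs_group", "local_net", "remote_net")

def norm(field, value):
    # Compare networks by value so 10.1.0.0/24 equals 10.1.0.0/255.255.255.0.
    if field.endswith("_net"):
        return ipaddress.ip_network(value)
    return str(value).lower()

def mirror(policy):
    # The gateway's local network is the client's remote network, and vice versa.
    return dict(policy, local_net=policy["remote_net"], remote_net=policy["local_net"])

def diff(offer, accepted, fields):
    # Fields on which the two sides disagree: {field: (offered, accepted)}.
    return {f: (offer[f], accepted[f]) for f in fields
            if norm(f, offer[f]) != norm(f, accepted[f])}

def negotiate(offers, accepted, fields):
    """First offer matching an accepted policy wins; otherwise report the closest miss."""
    closest = None
    for index, offer in enumerate(offers):
        for policy in accepted:
            mismatch = diff(offer, policy, fields)
            if not mismatch:
                return "chosen", index
            if closest is None or len(mismatch) < len(closest):
                closest = mismatch
    return "no proposal chosen", closest

# Constructed sample settings (hypothetical, not from the thread or either vendor's syntax).
client_p1 = [{"mode": "aggressive", "encryption": "3des", "hash": "sha1", "dh_group": 2, "auth": "psk"}]
gateway_p1 = [{"mode": "aggressive", "encryption": "3DES", "hash": "SHA1", "dh_group": 2, "auth": "psk"}]
client_p2 = [{"protocol": "esp", "encryption": "3des", "hash": "sha1", "pfs_group": 2,
              "local_net": "192.168.10.0/24", "remote_net": "10.1.0.0/24"}]
gateway_p2 = [{"protocol": "esp", "encryption": "3des", "hash": "sha1", "pfs_group": 2,
               "local_net": "10.1.0.0/255.255.255.0", "remote_net": "192.168.1.0/24"}]

if __name__ == "__main__":
    print("Phase 1:", negotiate(client_p1, gateway_p1, P1))
    print("Phase 2:", negotiate(client_p2, [mirror(p) for p in gateway_p2], P2))
```

With the sample data, Phase 1 agrees and Phase 2 fails only on the client-side network, which is the source/destination network mismatch case.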

Offline rambling_rebel

  • Rookie
  • **
  • Posts: 10
Re: BSR222
« Reply #4 on: December 08, 2011, 08:45:15 PM »
Hi Flintstone and Michael

I'm too embarrassed to say what my issue was (I put the wrong BSR in there, the account I was trying to log into wasn't on this BSR).

So I get successfully authenticated, but it times out and says "User did not acknowledge banner", but I was never presented with one. I know I've seen this before, but darned if I can remember what I did to solve it.

Any ideas? I'm back on site Saturday, and I'm going to try and find the VPN lab guides I used when I was at Nortel, but if anything jumps out at anybody, I would appreciate it.

RR

Offline Telair

  • Sr. Member
  • ****
  • Posts: 133
Re: BSR222
« Reply #5 on: December 09, 2011, 12:42:34 PM »
The "User Did not Acknowledge Banner" issue is usually found to be related to a firewall or port blocking problem. I have a mobile data stick that I use, and unless you use the specific IPSec ports the ISP defines you get the banner error. I have also seen this caused by routers not being IPSec aware and firewall software on PCs.

Offline rambling_rebel

  • Rookie
  • **
  • Posts: 10
Re: BSR222
« Reply #6 on: December 09, 2011, 12:56:26 PM »
Hi Telair

Thanks for your reply. I was looking through some of the archives and that seems to be the consensus. Is there a way I can turn acknowledgement off?

Bell just put a Cisco 800 series router in, but I specifically told the tech I will be doing IPSec to the BSR and they said they understood and said they would make sure the ports are open...

I'm going to do some remote testing from here this afternoon.

RR

Offline Telair

  • Sr. Member
  • ****
  • Posts: 133
Re: BSR222
« Reply #7 on: December 12, 2011, 11:44:32 AM »
No, not really. Even if there isn't a banner to display, it is still checked for. So the only solution is to fix the source of the problem. Somewhere there is a firewall or router that is behaving badly in your path. I suppose to start troubleshooting it, can you take a system somewhere else (a lab with a separate Internet connection?) and try to make it connect? I have had to upgrade routers with newer code to make them work correctly in the past. Try turning off software firewalls.

Honestly, the BSR222 was not a very good box and I was very unhappy with it when we tested it for "work from home" users.  But you can try to make sure it is running the latest code at least to see if that could help.  For me, I went and bought some Contivity 1010/1100's off eBay for $50 each.  Much better performance and still supported with new code coming out for them in the last month.

Offline rambling_rebel

  • Rookie
  • **
  • Posts: 10
Re: BSR222
« Reply #8 on: December 12, 2011, 03:55:26 PM »
Hey Telair

You're going to laugh, but I've taken his Contivity 1050 out, because I could see where I could "easily" do URL filtering. He has employees that aren't adhering to corporate "guidelines" for acceptable websites. The BSR looked like it was easy for that purpose, I just could find it on the Contivity.

And you say there's new code for the Contivity 1010/1050s coming out, I hadn't heard that, is Avaya doing that?

Also, the Contivity seemed easier to get a Cisco IPSec client working on.

Again, any insight is appreciated (I run my SOHO on a Contivity 1010).

rr

Offline Telair

  • Sr. Member
  • ****
  • Posts: 133
Re: BSR222
« Reply #9 on: December 12, 2011, 05:58:44 PM »
Doh! :) Yeah, the 1010/1050/1100s are decent little routers that I use all the time still. I picked up an Avaya SR2330 recently to replace my Contivity 1100 at home, as I run a VPN network with some friends and family for moving files between locations, and so when they call me for support I can just open an RDP connection to their PC. Avaya is still producing code for the Contivities; the latest version, which came out less than a month ago, is v8_05.453.

As for URL filtering, no, the Contivity doesn't do that. It has a nice little firewall, is excellent at VPN tunnels (I still think they are the best boxes I have ever seen or worked with for VPN tunnels), and does decently at routing and WAN connectivity if needed. But it won't do web filtering. Maybe look at a Barracuda Web Filter appliance. They offer a nice box to do web filtering based on categories. Also does A/V scanning of transfers, logging and stats, etc...

http://www.barracudanetworks.com/ns/downloads/Datasheets/Barracuda_Web_Filter_DS_US.pdf

Offline rambling_rebel

  • Rookie
  • **
  • Posts: 10
Re: BSR222
« Reply #10 on: December 13, 2011, 07:56:21 AM »
Hey Telair

The BSR won't be the final solution, I just have to get the VPNs working so I can relax and look into different options for the client in the new year at a more relaxed pace.

Does anyone know if the Cisco client will work with the BSR? I'm on site this afternoon and am going to be working with one of the contractors who will be remote and try and get it working.

rr

Offline Telair

  • Sr. Member
  • ****
  • Posts: 133
Re: BSR222
« Reply #11 on: December 13, 2011, 09:35:32 AM »
Can't say that I have tried a Cisco VPN client connecting to the Contivity before. I know the Contivity can accept non-Avaya/Nortel VPN clients as long as you configure the group settings to allow non-Avaya clients. You can always try to use the built-in Windows PPTP/L2TP client to connect with. I know that can work.