Subject: VPN/IPsec and Nortel Extranet Access Client
To: None <>
From: Gerald C. Simmons <>
List: netbsd-users
Date: 08/07/2001 09:40:11
On Fri, Aug 3, 2001 Imran wrote:
>  sir,
>       i am sr network engineer in galileo india .we are
> using nortel extranet access client to connect to our switch in Denver .our ISP is specternet which give us real IP address . we r also using another ISP which connect the cable operators via radio or sattlite link
> the cable operators give internet connection via mapping
> lan cards mac address and give their own IP address through their own dhcp server this is not the real ip addresses.
> the problem is that if i connect using cable operators
> internet connection i got error when i connect extranet access client "remotehost not responding" if i use the real IP address which the main ISP gives to cable operator it works fine n get connected.
>  please tell me is it problem of ipsec protocal
> or what do i need some patches for it
>    please help me out
>            i shall be thankful to you
>                              imran
> _________________________________________________________
> For Rs. 2,000,000 worth of Aptech scholarships click below

I know a little something about getting a Nortel Access Client (on a Windows
platform) to work accross a NetBSD router.

It appears to me that the reason your cable / satellite connection gives you an
error could be due to your ISP mapping MAC addresses to new IP's.

I know from experience going through IPNAT will NOT work with the Nortel Extranet
Client. The IP address that the Client machine is assigned MUST be the address
that the Extranet switch gets. Otherwise, it's considered something like a
security threat, and is not allowed to pass.

I also could not get the Nortel Client to work over a DirecPC (Hughes) satellite
connection either (and tech support at Hughes told me it wouldn't work.)

I don't know if this has to do with IPSec or just the way Nortel implemented
their protocol.

I would talk to your ISP about the Nortel requirement, and see if they could
assign you a set of Fixed IP addresses to use (these can be assigned via DHCP.)    

Good Luck!

Gerry Simmons