Vpn IpSec Ike V2 and ISP policies

Fred_77 Posts: 115  Ally Member

Hi,

I have several customers using the Windows IPsec IKEv2 VPN client to have their employees connect remotely.

Lately some users have complained that they are unable to connect due to the policies of the home ISP (in Italy Eolo, Wind3, Iliad and I fear many others...)

In these cases, when the user tries to log on, the connection goes into error and nothing appears in the ATP / USG logs.

Connection with hotspot on their business mobile is ok.

Has anyone had similar experiences, and found a viable solution?

Thanks in advance

Fred

All Replies

  • Blabababa
    Blabababa Posts: 151  Master Member

    Do you mean that when connecting the VPN through the mobile network to the ATP/USG, it works, but it doesn't work when connecting via the home ISP line (PPPoE, IPoE, cable modem, leased line, etc.)?

    If so, you can try adjusting the MTU size to see whether packets were dropped for being oversized, since you didn't see any log on the ATP/USG, which means it may not have received those VPN-related packets.

  • Fred_77
    Fred_77 Posts: 115  Ally Member

    Hi,

    Yes, VPN through their business mobile works; through the home ISP … it depends on which provider.

    However: they don't use the SSL VPN client but the Windows embedded IPsec client.

    MTU size is 1400

    HTE Vodafone is IKE2 IPSec

    Eth 5 is the virtual adapter for the SecuExtender SSL

    Fred

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee

    Hello @Fred_77
    Since the device didn't have any logs, I suspect the device didn't even receive the VPN packets. They could be blocked by the home ISP router; please check whether it allows VPN through the router firewall.

  • Fred_77
    Fred_77 Posts: 115  Ally Member

    Hi @Zyxel_James

    that's exactly the point.

    We can't configure every employee's home router. Not to mention that "domestic contracts" are a jungle and everyone is free to change provider at any time. My question was just whether anyone has come up with a solution that works regardless of the router.

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee

    In my opinion, it must be investigated between the employee's PC and the home router, since it only fails to connect when connecting to the home router.
    We can narrow down the root cause first, then figure out the best solution for the employees.

    Apart from the test I mentioned previously, could you conduct the mtupath test?
    Please refer to the screenshot, and change the IP address to the VPN gateway address.
    mtupath.exe download link

    https://www.iea-software.com/products/mtupath/
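
The path-MTU check suggested in the replies above can also be run from the affected PC with the built-in Windows `ping.exe`. This is an added example, not part of the original thread and not Zyxel tooling; the gateway address is a placeholder, and it assumes the VPN gateway answers ICMP echo on its WAN side.

```powershell
# Added example: binary-search the largest ICMP payload that reaches the VPN
# gateway with Don't Fragment set, once on the home ISP line and once on the
# mobile hotspot, then compare the two results.
param(
    [string]$Gateway = '203.0.113.10',  # placeholder (TEST-NET-3): replace with the VPN gateway address
    [int]$Low  = 548,                   # payload of a 576-byte IPv4 packet
    [int]$High = 1472                   # payload of a 1500-byte IPv4 packet
)

function Test-DfPing {
    param([string]$Target, [int]$Payload)
    # -4 force IPv4, -f Don't Fragment, -l payload bytes, -n echo count, -w timeout in ms
    $out = & ping.exe -4 -f -l $Payload -n 2 -w 1500 $Target
    # "TTL=" only appears in a real echo reply, in every Windows display language;
    # the exit code is not used because "unreachable" replies can still return 0.
    return [bool]($out -match 'TTL=')
}

# Baseline: if even a small packet gets no reply, the search would be meaningless.
if (-not (Test-DfPing $Gateway $Low)) {
    Write-Warning "No echo reply at $Low bytes: ICMP is filtered or the gateway is unreachable, so this says nothing about MTU."
    return
}

$best = $Low
$lo = $Low + 1
$hi = $High
while ($lo -le $hi) {
    $mid = [int][math]::Floor(($lo + $hi) / 2)
    if (Test-DfPing $Gateway $mid) {
        $best = $mid          # this size passes unfragmented, try larger
        $lo = $mid + 1
    } else {
        $hi = $mid - 1        # dropped or "needs to be fragmented", try smaller
    }
}

$pathMtu = $best + 28         # 20-byte IPv4 header + 8-byte ICMP header
"Largest unfragmented payload to ${Gateway}: $best bytes (path MTU about $pathMtu)"
if ($pathMtu -lt 1500) {
    "Path MTU is below 1500: packets larger than $pathMtu bytes need fragmentation on this line."
}
```

A lower result on the home line than on the hotspot points at oversized packets being dropped on that path; identical results point back at filtering on the home router.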
