VPN IPsec IKEv2 and ISP policies

Fred_77
Fred_77 Posts: 120  Ally Member

Hi,

I have several customers using the Windows IPsec IKEv2 VPN client to have their employees connect remotely.

Lately some users have complained that they are unable to connect due to the policies of the home ISP (in Italy: Eolo, Wind3, Iliad and I fear many others...)

In these cases, when the user tries to log on, the connection goes into error and nothing appears in the ATP / USG logs.

Connection via the hotspot on their business mobile is OK.

Has anyone had similar experiences, and found a viable solution?

Thanks in advance

Fred

All Replies

  • Blabababa
    Blabababa Posts: 151  Master Member

    Do you mean that it works when connecting the VPN to the ATP/USG through the mobile network, but it doesn't work when connecting via a home ISP line (PPPoE, IPoE, cable modem, leased line, etc.)?

    If so, you can try adjusting the MTU size to see whether packets were dropped for being oversized, since you didn't see any log on the ATP/USG, which means it may not be receiving those VPN-related packets.

  • Fred_77
    Fred_77 Posts: 120  Ally Member

    Hi,

    Yes, VPN through their business mobile works; through the home ISP … it depends on which provider.

    However, they don't use the SSL VPN client but the Windows embedded IPsec client.

    MTU size is 1400

    HTE Vodafone is IKEv2 IPsec

    Eth 5 is the virtual adapter for the SecuExtender SSL

    Fred

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    Hello @Fred_77
    Since the device didn't have any logs, I suspect the device didn't even receive the VPN packets. They could be blocked by the home ISP router; please check whether the router firewall allows VPN traffic through.

  • Fred_77
    Fred_77 Posts: 120  Ally Member

    Hi @Zyxel_James

    That's exactly the point.

    We can't configure every employee's home router. Not to mention that "domestic contracts" are a jungle and everyone is free to change provider at any time. My question was just whether anyone has come up with a solution that works regardless of the router.

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    In my opinion, it must be investigated between the employee's PC and the home router, since it only fails to connect when connecting to the home router.
    We can narrow down the root cause first, then figure out the best solution for the employees.

    Apart from the test I mentioned previously, could you conduct the mtupath test?
    Please refer to the screenshot, and change the IP address to the VPN gateway address.
    mtupath.exe download link:

    https://www.iea-software.com/products/mtupath/
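
The path-MTU check suggested in this thread can also be run from the affected Windows PC without extra tools. The script below is an added example, not part of any post and not Zyxel's or mtupath's code: it binary-searches the largest ICMP echo payload that reaches the VPN gateway with the Don't Fragment bit set. The gateway address is a placeholder, and the script assumes the gateway answers ICMP echo on its WAN side.

```powershell
# Added example: find the largest unfragmented ICMP payload to the VPN gateway.
param(
    [string]$Gateway   = '203.0.113.10', # placeholder (documentation range); use the real VPN gateway address
    [int]$Low          = 500,            # payload size assumed to pass on any working path
    [int]$High         = 1472,           # 1500-byte Ethernet MTU minus 20 (IPv4) and 8 (ICMP) header bytes
    [int]$TimeoutMs    = 2000
)

function Test-DfPayload {
    # Returns $true if an echo request of $Size payload bytes, sent with DF set, gets a reply.
    param([string]$Target, [int]$Size, [int]$TimeoutMs)
    $ping = New-Object System.Net.NetworkInformation.Ping
    $opts = New-Object System.Net.NetworkInformation.PingOptions(64, $true)  # TTL 64, DontFragment = $true
    $buf  = New-Object byte[] $Size
    try {
        $reply = $ping.Send($Target, $TimeoutMs, $buf, $opts)
        return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch {
        return $false   # unreachable host, name resolution failure, etc.
    } finally {
        $ping.Dispose()
    }
}

# Without a baseline reply the search is meaningless: ICMP may be filtered
# somewhere on the path, which says nothing about the IKE traffic itself.
if (-not (Test-DfPayload $Gateway $Low $TimeoutMs)) {
    Write-Output "No reply at $Low bytes: ICMP is filtered or the gateway is unreachable; result inconclusive."
    return
}

# Invariant: $Low always passes; anything above $High is known or assumed to fail.
while ($Low -lt $High) {
    $mid = [int][math]::Ceiling(($Low + $High) / 2)
    if (Test-DfPayload $Gateway $mid $TimeoutMs) { $Low = $mid } else { $High = $mid - 1 }
}

Write-Output ("Largest unfragmented ICMP payload: {0} bytes (path MTU about {1} bytes)" -f $Low, ($Low + 28))
```

Run it once on the home ISP line and once on the mobile hotspot and compare the two results. A single lost reply makes the search settle on a lower value, so repeat a surprising result before acting on it.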
