IKv2-VPN and SSL-VPN both fail…

StefanZ

Set up a FLEX200 with my client.
Set up IKEv2 cert VPN for the team - works like a charm Germany-to-Germany.

Client is now on holiday in Greece.
Connects to IKEv2, tunnel is established, but unable to ping any hosts.

Set up SSL-VPN on the FLEX200:
- Moved the WWW interface to another port, added SSL-VPN on :443 (TCP)
- Works well Germany-to-Germany.

When he connects, it all goes well, but then after some seconds the log says "Client logged out for idle" and after ~30 seconds SecuExtender also realizes it's disconnected.

Switching to iOS private hotspot via roaming does not establish any VPN connections either – this usually works well too. The second you click "connect", you already get the error.

"Last year it worked fine in the same hotel" – but back then they were using L2TP-VPN on FritzBox. And of cause we don't know what the hotel did to the WiFi installation / firewall in the meantime.

Any ideas what might cause all this and how to still get a connection?

The IKEv2 I get – it needs certain ports.
But the SSL-VPN should hide in the web-SSL traffic, right? Or is it possible for the hotel to detect that too and shut it down?

Or maybe it's just a symptom of "crappy WiFi mesh stretched to the max and the DHCP playing tricks on you"?

PeterUK

Ok get it now its possible with IKEv2 to have port 500 get you established and then for port 4500 or protocol 50 to be dropped.

Not sure how SSL VPN is not working...I take it other users connect fine? Its possible the hotel filters SSL traffic when it checks client hello if its got the Extension server_name as Zyxel SecuExtender does not have that option when connecting.

maybe try SSL VPN on port 80?

PeterUK

So IKEv2, tunnel is established likely a firewall rule blocking getting to a device? do you see on the WAN packet capture ports 500, 4500 or protocol 50 showing up to flex200?

StefanZ

Very unlikely that it is caused by the FLEX200 itself – the exact same VPN and config have been working great for a month now. And all other users can connect just fine (they all fall under the same rules). The same laptop with the same VPN profile was using it just 48 hrs ago.

As for the package captures… The client is on holiday, but yeah that will be next order of business if it doesn't somehow work out.

PeterUK

Ok get it now its possible with IKEv2 to have port 500 get you established and then for port 4500 or protocol 50 to be dropped.

Not sure how SSL VPN is not working...I take it other users connect fine? Its possible the hotel filters SSL traffic when it checks client hello if its got the Extension server_name as Zyxel SecuExtender does not have that option when connecting.

maybe try SSL VPN on port 80?

StefanZ

As far as I understand, SSL-VPN basically uses port 443 to "tunnel the tunnel", so regular firewalls can't block you via the usual VPN ports.

And yeah, it works fine when I test it from a domestic line.

Will try port :80 next – sounds dirty tho :-P

PeterUK

As far as I understand, SSL-VPN basically uses port 443 to "tunnel the tunnel", so regular firewalls can't block you via the usual VPN ports.

How do you think content filter works😉

StefanZ

Yeah well, "regular firewalls" as in "we tick the usual boxes and that keeps the kids on low bandwidth for streaming and annoys business users by blocking their VPN".

But yes, seemingly SSL/TLS has a drawback in my scenario: The first phase is not as secret as it should be.

If port 80 doesn't help, it's gonna be a bumpy ride for sure…

Last resort would be to create a L2TP VPN and see if that works, but if even SSL-VPN is blocked, chances aren't too good.

PeterUK

Do we know the setup of the hotel that might be doing the filtering?

StefanZ

OK, port :80 for the SSL-VPN did the trick!

They didn't anticipate us to sink that low I guess 😂

Anyway… Customer can access his stuff now, awesome!

Thanks!