Velocity Reviews - Computer Hardware Reviews

VPN users and ADSL ISPs.

 
 
Crash
Guest
Posts: n/a
 
      01-18-2005
Greetings all,

I am currently working from home, connecting to work through Xtra/Jetstream
and using a (Nortel) VPN client to access the LAN at work (a multinational).
This has worked well for 4 weeks. Last week I was at work in Sydney. On
getting back this week the VPN client will not complete the greeting
process - one where password is validated, a few other bits happen too fast
to read them then normally banner text requiring an OK ack is presented.
However I never get the banner and do get a "connection terminated
unexpectedly" message.

I am able to direct-connect to the VPN gateway (at dial-in speed) and I can
connect when dialing in to Xtra - just not when using the ADSL connection.
There have been no changes to the ADSL modem (standard D-LINK DSL-302G) or
switch I have sitting in front of it (TRENDnet TW100-BRF114) that I know of.
I have tried to get Xtra to help (what have they changed to render this
situation) but the helpdesk person had trouble understanding what VPN was,
however he understood well enough what
works-on-dial-up-doesn't-work-on-ADSL - that meant the old fallback of "We
don't support the use of VPN".

My employer looked at the VPN gateway logs and determined that the gateway
thought the behavior of the client to be a security threat (not
user/password validation but exhibiting symptoms of an attack) and this is
the reason the connection gets terminated.

In the first instance I would like to hear from anyone who has been in a
similar situation and has a reliable and helpful ISP that offers an ADSL
service.

If, by some miracle, anyone has had this problem or something like it and
beaten it I would very much appreciate any advice that might lead to a fix.

The "we don't support VPN" trick does not sit well with me so I will probably
move on anyway.

TIA,
Crash.



 
 
 
 
 
Dave - Dave.net.nz
Guest
Posts: n/a
 
      01-18-2005
Crash wrote:
> I have tried to get Xtra to help (what have they changed to render this
> situation) but the helpdesk person had trouble understanding what VPN was,
> however he understood well enough what
> works-on-dial-up-doesn't-work-on-ADSL - that meant the old fallback of "We
> don't support the use of VPN".


it's not blocked by IP is it?

many of the DSL IP ranges are ex-bogan IPs.

--
Dave.net.nz
reply addy is http://www.velocityreviews.com/forums/(E-Mail Removed)e
nice! http://www.dave.net.nz/images/link.jpg
 
 
 
 
 
Steve
Guest
Posts: n/a
 
      01-18-2005
Dave - Dave.net.nz wrote:
> Crash wrote:
>
>> I have tried to get Xtra to help (what have they changed to render
>> this situation) but the helpdesk person had trouble understanding what
>> VPN was, however he understood well enough what
>> works-on-dial-up-doesn't-work-on-ADSL - that meant the old fallback of
>> "We don't support the use of VPN".
>
>
> it's not blocked by IP is it?
>
> many of the DSL IP ranges are ex-bogan IPs.
>


Nortel use some pretty strange ports for their vpn access... 10025, 26,
27 tcp and 10024, 25, 26 udp ( or something similar... this is late at
night after a few sherbets ), so it is possible that someone has
inadvertently firewalled one of them.

I have no problem using ihug across to telstra using either the standard
mickeysoft 'vpn' pptp implementation, or openvpn.

Could it be something as simple as the dynamic IP address changing when
you were away ( unlikely as you're getting error messages at the target
end ), or the certificate you're using expiring?

From what you've written it sounds like a configuration error at the
server end.

<soapbox>
There isn't a vpn equivalent of SPEWS that they're using is there...
that's some tinpot company that go around blacklisting your email
because somebody's auntie's dogwalker's friend has heard that it's being
used for sending spam?
</soapbox>

Steve
 
 
Mark S
Guest
Posts: n/a
 
      01-18-2005
Sorry you're barking up the wrong tree. The ISP (in this case Xtra) has
pretty much nothing to do with your VPN. Your company's IT Support people
are responsible for the VPN.

From what you say below the most likely scenario is a problem in the NAT-T
configuration of either your VPN server or VPN client (assuming you are
using IPSEC).



"Crash" <(E-Mail Removed)> wrote in message
news:uh2Hd.9001$(E-Mail Removed)...
> Greetings all,
>
> I am currently working from home, connecting to work through Xtra/Jetstream
> and using a (Nortel) VPN client to access the LAN at work (a multinational).
> This has worked well for 4 weeks. Last week I was at work in Sydney. On
> getting back this week the VPN client will not complete the greeting
> process - one where password is validated, a few other bits happen too fast
> to read them then normally banner text requiring an OK ack is presented.
> However I never get the banner and do get a "connection terminated
> unexpectedly" message.
>
> I am able to direct-connect to the VPN gateway (at dial-in speed) and I can
> connect when dialing in to Xtra - just not when using the ADSL connection.
> There have been no changes to the ADSL modem (standard D-LINK DSL-302G) or
> switch I have sitting in front of it (TRENDnet TW100-BRF114) that I know of.
> I have tried to get Xtra to help (what have they changed to render this
> situation) but the helpdesk person had trouble understanding what VPN was,
> however he understood well enough what
> works-on-dial-up-doesn't-work-on-ADSL - that meant the old fallback of "We
> don't support the use of VPN".
>
> My employer looked at the VPN gateway logs and determined that the gateway
> thought the behavior of the client to be a security threat (not
> user/password validation but exhibiting symptoms of an attack) and this is
> the reason the connection gets terminated.
>
> In the first instance I would like to hear from anyone who has been in a
> similar situation and has a reliable and helpful ISP that offers an ADSL
> service.
>
> If, by some miracle, anyone has had this problem or something like it and
> beaten it I would very much appreciate any advice that might lead to a fix.
>
> The "we don't support VPN" trick does not sit well with me so I will probably
> move on anyway.
>
> TIA,
> Crash.



 
 
Crash
Guest
Posts: n/a
 
      01-19-2005

"Dave - Dave.net.nz" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Crash wrote:
>> I have tried to get Xtra to help (what have they changed to render this
>> situation) but the helpdesk person had trouble understanding what VPN was,
>> however he understood well enough what
>> works-on-dial-up-doesn't-work-on-ADSL - that meant the old fallback of "We
>> don't support the use of VPN".
>
> it's not blocked by IP is it?
>
> many of the DSL IP ranges are ex-bogan IPs.


I am not quite sure what you mean. Certainly the gateways don't require IP
address validation - otherwise I would have to have a fixed IP address.

Crash.


 
 
Crash
Guest
Posts: n/a
 
      01-19-2005

"Steve" <(E-Mail Removed)> wrote in message
news:csio1b$83p$(E-Mail Removed)...
[snip]
> Nortel use some pretty strange ports for their vpn access... 10025, 26, 27
> tcp and 10024, 25, 26 udp ( or something similar... this is late at night
> after a few sherbets ), so it is possible that someone has inadvertently
> firewalled one of them.
>
> I have no problem using ihug across to telstra using either the standard
> mickeysoft 'vpn' pptp implementation, or openvpn.
>
> Could it be something as simple as the dynamic IP address changing when
> you were away ( unlikely as you're getting error messages at the target
> end )


Unlikely to be an issue - I can get in with dialin which is most likely to
use a different IP address range to ADSL.

> or the certificate you're using expiring?
>

Then I could never get in at all.

> From what you've written it sounds like a configuration error at the
> server end.
>

No change or error there - many ADSL/Xtra users working OK I am told.



 
 
Crash
Guest
Posts: n/a
 
      01-19-2005

"Mark S" <(E-Mail Removed)> wrote in message
news:41ed7ab1$0$24490$(E-Mail Removed)...
> Sorry you're barking up the wrong tree. The ISP (in this case Xtra) has
> pretty much nothing to do with your VPN. Your company's IT Support people
> are responsible for the VPN.
>
> From what you say below the most likely scenario is a problem in the NAT-T
> configuration of either your VPN server or VPN client (assuming you are
> using IPSEC).

[snip]

So how come it works through dialin as opposed to ADSL?

Crash.


 
 
Gordon Smith
Guest
Posts: n/a
 
      01-19-2005

"Crash" <(E-Mail Removed)> wrote in message
news:U8oHd.9367$(E-Mail Removed)...
>
>
> So how come it works through dialin as opposed to ADSL?
>
> Crash.
>


Now that is what you should be asking your support people.
Frame size? DF bit being unset by something in the transit path, thus
causing packet checksum validation to fail? MTU mismatch?

You don't give any info on WHY the VPN server drops the connection. What
sort of attack does it think it is? What is the VPN gateway? What type of
VPN is it?

There are many possible causes... there is not enough info to narrow it down


 
 
Mark S
Guest
Posts: n/a
 
      01-19-2005
No NAT occurs on dialup.

"Crash" <(E-Mail Removed)> wrote in message
news:U8oHd.9367$(E-Mail Removed)...
>
> "Mark S" <(E-Mail Removed)> wrote in message
> news:41ed7ab1$0$24490$(E-Mail Removed)...
> > Sorry you're barking up the wrong tree. The ISP (in this case Xtra) has
> > pretty much nothing to do with your VPN. Your company's IT Support people
> > are responsible for the VPN.
> >
> > From what you say below the most likely scenario is a problem in the NAT-T
> > configuration of either your VPN server or VPN client (assuming you are
> > using IPSEC).
>
> [snip]
>
> So how come it works through dialin as opposed to ADSL?
>
> Crash.



 
 
Crash
Guest
Posts: n/a
 
      01-20-2005
"Gordon Smith" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Crash" <(E-Mail Removed)> wrote in message
> news:U8oHd.9367$(E-Mail Removed)...
>>
>>
>> So how come it works through dialin as opposed to ADSL?
>>
>> Crash.
>>

>
> Now that is what you should be asking your support people.
> Frame size? DF bit being unset by something in the transit path, thus
> causing packet checksum validation to fail? MTU mismatch?
>
> You don't give any info on WHY the VPN server drops the connection. What
> sort of attack does it think it is? What is the VPN gateway? What type of
> VPN is it?
>
> There are many possible causes... there is not enough info to narrow it
> down


I agree. The problem is that the employer says that other folks are working
fine using Xtra ADSL so it must be something in Xtra's setup specifically for
me that is the problem and from this springs a reluctance to do the hard
yards trapping what is happening at the VPN server when the fault cannot
possibly be with them.

I may be able to prod them into action next week though.

Crash.




 
 
 
 