VPN users and ADSL ISPs.

Discussion in 'NZ Computing' started by Crash, Jan 18, 2005.

  1. Crash

    Crash Guest

    Greetings all,

    I am currently working from home, connecting to work through Xtra/Jetstream
    and using a (Nortel) VPN client to access the LAN at work (a multinational).
    This has worked well for 4 weeks. Last week I was at work in Sydney. On
    getting back this week the VPN client will not complete the greeting
    process - one where password is validated, a few other bits happen too fast
    to read them then normally banner text requiring an OK ack is presented.
    However I never get the banner and do get a "connection terminated
    unexpectedly" message.

    I am able to direct-connect to the VPN gateway (at dial-in speed) and I can
    connect when dialing in to Xtra - just not when using the ADSL connection.
    There have been no changes to the ADSL modem (standard D-LINK DSL-302G) or
    switch I have sitting in front of it (TRENDnet TW100-BRF114) that I know of.
    I have tried to get Xtra to help (what have they changed to render this
    situation) but the helpdesk person had trouble understanding what VPN was,
    however he understood well enough what
    works-on-dial-up-doesnt-work-on-ADSL - that meant the old fallback of "We
    don't support the use of VPN".

    My employer looked at the VPN gateway logs and determined that the gateway
    thought the behavior of the client to be a security threat (not
    user/password validation but exhibiting symptoms of an attack) and this is
    the reason the connection gets terminated.

    In the first instance I would like to hear from anyone who has been in a
    similar situation and has a reliable and helpful ISP that offers an ADSL
    service.

    If, by some miracle, anyone has had this problem or something like it and
    beaten it I would very much appreciate any advice that might lead to a fix.

    The "we don't support VPN" trick does not sit well with me so I will probably
    move on anyway.

    TIA,
    Crash.
    Crash, Jan 18, 2005
    #1

  2. Crash wrote:
    > I have tried to get Xtra to help (what have they changed to render this
    > situation) but the helpdesk person had trouble understanding what VPN was,
    > however he understood well enough what
    > works-on-dial-up-doesnt-work-on-ADSL - that meant the old fallback of "We
    > don't support the use of VPN".


    it's not blocked by IP is it?

    many of the DSL IP ranges are ex-bogan IPs.

    --
    Dave.net.nz
    reply addy is e
    nice! http://www.dave.net.nz/images/link.jpg
    Dave - Dave.net.nz, Jan 18, 2005
    #2

  3. Crash

    Steve Guest

    Dave - Dave.net.nz wrote:
    > Crash wrote:
    >
    >> I have tried to get Xtra to help (what have they changed to render
    >> this situation) but the helpdesk person had trouble understanding what
    >> VPN was, however he understood well enough what
    >> works-on-dial-up-doesnt-work-on-ADSL - that meant the old fallback of
    >> "We don't support the use of VPN".

    >
    >
    > it's not blocked by IP is it?
    >
    > many of the DSL IP ranges are ex-bogan IPs.
    >


    Nortel use some pretty strange ports for their vpn access... 10025, 26,
    27 tcp and 10024, 25, 26 udp ( or something similar... this is late at
    night after a few sherbets ), so it is possible that someone has
    inadvertently firewalled one of them.

    I have no problem using ihug across to telstra using either the standard
    mickeysoft 'vpn' pptp implementation, or openvpn.

    Could it be something as simple as the dynamic IP address changing when
    you were away ( unlikely as you're getting error messages at the target
    end ), or the certificate you're using expiring?

    From what you've written it sounds like a configuration error at the
    server end.

    <soapbox>
    There isn't a vpn equivalent of SPEWS that they're using is there...
    that's some tinpot company that go around blacklisting your email
    because somebody's auntie's dogwalker's friend has heard that it's being
    used for sending spam?
    </soapbox>

    Steve
    Steve, Jan 18, 2005
    #3
  4. Crash

    Mark S Guest

    Sorry you're barking up the wrong tree. The ISP (in this case Xtra) has
    pretty much nothing to do with your VPN. Your company's IT Support people
    are responsible for the VPN.

    From what you say below the most likely scenario is a problem in the NAT-T
    configuration of either your VPN server or VPN client (assuming you are
    using IPSEC).



    "Crash" <> wrote in message
    news:uh2Hd.9001$...
    > Greetings all,
    >
    > I am currently working from home, connecting to work through Xtra/Jetstream
    > and using a (Nortel) VPN client to access the LAN at work (a multinational).
    > This has worked well for 4 weeks. Last week I was at work in Sydney. On
    > getting back this week the VPN client will not complete the greeting
    > process - one where password is validated, a few other bits happen too fast
    > to read them then normally banner text requiring an OK ack is presented.
    > However I never get the banner and do get a "connection terminated
    > unexpectedly" message.
    >
    > I am able to direct-connect to the VPN gateway (at dial-in speed) and I can
    > connect when dialing in to Xtra - just not when using the ADSL connection.
    > There have been no changes to the ADSL modem (standard D-LINK DSL-302G) or
    > switch I have sitting in front of it (TRENDnet TW100-BRF114) that I know of.
    > I have tried to get Xtra to help (what have they changed to render this
    > situation) but the helpdesk person had trouble understanding what VPN was,
    > however he understood well enough what
    > works-on-dial-up-doesnt-work-on-ADSL - that meant the old fallback of "We
    > don't support the use of VPN".
    >
    > My employer looked at the VPN gateway logs and determined that the gateway
    > thought the behavior of the client to be a security threat (not
    > user/password validation but exhibiting symptoms of an attack) and this is
    > the reason the connection gets terminated.
    >
    > In the first instance I would like to hear from anyone who has been in a
    > similar situation and has a reliable and helpful ISP that offers an ADSL
    > service.
    >
    > If, by some miracle, anyone has had this problem or something like it and
    > beaten it I would very much appreciate any advice that might lead to a fix.
    >
    > The "we don't support VPN" trick does not sit well with me so I will probably
    > move on anyway.
    >
    > TIA,
    > Crash.
    >
    Mark S, Jan 18, 2005
    #4
  5. Crash

    Crash Guest

    "Dave - Dave.net.nz" <> wrote in message
    news:...
    > Crash wrote:
    >> I have tried to get Xtra to help (what have they changed to render this
    >> situation) but the helpdesk person had trouble understanding what VPN was,
    >> however he understood well enough what
    >> works-on-dial-up-doesnt-work-on-ADSL - that meant the old fallback of "We
    >> don't support the use of VPN".

    >
    > it's not blocked by IP is it?
    >
    > many of the DSL IP ranges are ex-bogan IPs.


    I am not quite sure what you mean. Certainly the gateways don't require IP
    address validation - otherwise I would have to have a fixed IP address.

    Crash.
    Crash, Jan 19, 2005
    #5
  6. Crash

    Crash Guest

    "Steve" <> wrote in message
    news:csio1b$83p$...
    [snip]
    > Nortel use some pretty strange ports for their vpn access... 10025, 26, 27
    > tcp and 10024, 25, 26 udp ( or something similar... this is late at night
    > after a few sherbets ), so it is possible that someone has inadvertently
    > firewalled one of them.
    >
    > I have no problem using ihug across to telstra using either the standard
    > mickeysoft 'vpn' pptp implementation, or openvpn.
    >
    > Could it be something as simple as the dynamic IP address changing when
    > you were away ( unlikely as you're getting error messages at the target
    > end )


    Unlikely to be an issue - I can get in with dialin which is most likely to
    use a different IP address range to ADSL.

    > or the certificate you're using expiring?
    >

    Then I could never get in at all.

    > From what you've written it sounds like a configuration error at the
    > server end.
    >

    No change or error there - many ADSL/Xtra users working OK I am told.
    Crash, Jan 19, 2005
    #6
  7. Crash

    Crash Guest

    "Mark S" <> wrote in message
    news:41ed7ab1$0$24490$...
    > Sorry you're barking up the wrong tree. The ISP (in this case Xtra) has
    > pretty much nothing to do with your VPN. Your company's IT Support people
    > are responsible for the VPN.
    >
    > From what you say below the most likely scenario is a problem in the NAT-T
    > configuration of either your VPN server or VPN client (assuming you are
    > using IPSEC).

    [snip]

    So how come it works through dialin as opposed to ADSL?

    Crash.
    Crash, Jan 19, 2005
    #7
  8. Crash

    Gordon Smith Guest

    "Crash" <> wrote in message
    news:U8oHd.9367$...
    >
    >
    > So how come it works through dialin as opposed to ADSL?
    >
    > Crash.
    >


    Now that is what you should be asking your support people.
    Frame size? DF bit being unset by something in the transit path, thus
    causing packet checksum validation to fail? MTU mismatch?

    You don't give any info on WHY the VPN server drops the connection. What
    sort of attack does it think it is? What is the VPN gateway? What type of
    VPN is it?

    There are many possible causes... there is not enough info to narrow it down
    Gordon Smith, Jan 19, 2005
    #8
  9. Crash

    Mark S Guest

    No NAT occurs on dialup.

    "Crash" <> wrote in message
    news:U8oHd.9367$...
    >
    > "Mark S" <> wrote in message
    > news:41ed7ab1$0$24490$...
    > > Sorry you're barking up the wrong tree. The ISP (in this case Xtra) has
    > > pretty much nothing to do with your VPN. Your company's IT Support people
    > > are responsible for the VPN.
    > >
    > > From what you say below the most likely scenario is a problem in the NAT-T
    > > configuration of either your VPN server or VPN client (assuming you are
    > > using IPSEC).
    >
    > [snip]
    >
    > So how come it works through dialin as opposed to ADSL?
    >
    > Crash.
    >
    Mark S, Jan 19, 2005
    #9
  10. Crash

    Crash Guest

    "Gordon Smith" <> wrote in message
    news:...
    >
    > "Crash" <> wrote in message
    > news:U8oHd.9367$...
    >>
    >>
    >> So how come it works through dialin as opposed to ADSL?
    >>
    >> Crash.
    >>

    >
    > Now that is what you should be asking your support people.
    > Frame size? DF bit being unset by something in the transit path, thus
    > causing packet checksum validation to fail? MTU mismatch?
    >
    > You don't give any info on WHY the VPN server drops the connection. What
    > sort of attack does it think it is? What is the VPN gateway? What type of
    > VPN is it?
    >
    > There are many possible causes... there is not enough info to narrow it
    > down


    I agree. The problem is that the employer says that other folks are working
    fine using Xtra ADSL so it must be something in Xtra's setup specifically for
    me that is the problem and from this springs a reluctance to do the hard
    yards trapping what is happening at the VPN server when the fault cannot
    possibly be with them.

    I may be able to prod them into action next week though.

    Crash.
    Crash, Jan 20, 2005
    #10
  11. Crash

    Crash Guest

    "Mark S" <> wrote in message
    news:41eed0da$0$67869$...
    > No NAT occurs on dialup.
    >
    > "Crash" <> wrote in message
    > news:U8oHd.9367$...
    >>
    >> "Mark S" <> wrote in message
    >> news:41ed7ab1$0$24490$...
    >> > Sorry you're barking up the wrong tree. The ISP (in this case Xtra) has
    >> > pretty much nothing to do with your VPN. Your company's IT Support people
    >> > are responsible for the VPN.
    >> >
    >> > From what you say below the most likely scenario is a problem in the NAT-T
    >> > configuration of either your VPN server or VPN client (assuming you are
    >> > using IPSEC).
    >>
    >> [snip]
    >>
    >> So how come it works through dialin as opposed to ADSL?
    >>
    >> Crash.

    In using this VPN client and server there is no defined NAT dependency and I
    am told that other Xtra ADSL users can access the service presumably with
    default NAT settings which I am using (and have always been using).

    Crash.
    Crash, Jan 20, 2005
    #11
  12. Crash

    Mark S Guest

    NAT can break VPNs, it will depend on the VPN Concentrator configuration,
    your VPN client config, and your ADSL modem. Even as mentioned by someone
    else your MTU settings will come into play.

    In summary, it's not Xtra's problem, it's your IT support staff at your
    employers.

    "Crash" <> wrote in message
    news:pXJHd.9769$...
    >
    > "Mark S" <> wrote in message
    > news:41eed0da$0$67869$...
    > > No NAT occurs on dialup.
    > >
    > > "Crash" <> wrote in message
    > > news:U8oHd.9367$...
    > >>
    > >> "Mark S" <> wrote in message
    > >> news:41ed7ab1$0$24490$...
    > >> > Sorry you're barking up the wrong tree. The ISP (in this case Xtra) has
    > >> > pretty much nothing to do with your VPN. Your company's IT Support people
    > >> > are responsible for the VPN.
    > >> >
    > >> > From what you say below the most likely scenario is a problem in the NAT-T
    > >> > configuration of either your VPN server or VPN client (assuming you are
    > >> > using IPSEC).
    > >> [snip]
    > >>
    > >> So how come it works through dialin as opposed to ADSL?
    > >>
    > >> Crash.
    >
    > In using this VPN client and server there is no defined NAT dependency and I
    > am told that other Xtra ADSL users can access the service presumably with
    > default NAT settings which I am using (and have always been using).
    >
    > Crash.
    >
    Mark S, Jan 20, 2005
    #12
  13. Crash

    Crash Guest

    "Mark S" <> wrote in message
    news:41f026aa$0$94800$...
    > NAT can break VPNs, it will depend on the VPN Concentrator configuration,
    > your VPN client config, and your ADSL modem. Even as mentioned by someone
    > else your MTU settings will come into play.
    >
    > In summary, it's not Xtra's problem, it's your IT support staff at your
    > employers.


    Then I repeat - everything was working (with whatever my NAT settings were
    and still are) up to 2 weeks ago today and I had a week away last week,
    meaning the problem arose on Monday this week.

    I am told by my employer that existing VPN users who use Xtra are still
    working - it's just me who is not. My employer has a vested interest in
    making this work so I have no reason to assume an adversarial relationship
    with their VPN server folks so I believe what they tell me.

    So, given that the NAT rules in my ADSL modem are the same rules in place
    when all was working, how do you arrive at the conclusion that they may now
    be causing the problem?

    I am very interested in finding a solution but at present Xtra are saying
    'it's not us and we don't support VPN anyway' and my employer is saying that my
    VPN client behaves differently when I dial in (via Xtra) versus using my
    Xtra ADSL service. If there is a NAT rule (reading the modem help text on
    this I believe this is what you are referring to) involved in this I would
    dearly like to understand why and from there try to find what may need
    fixing.

    To everyone responding to date - thanks for your efforts.

    Crash.
    Crash, Jan 21, 2005
    #13