
VPN Problem

Chiggy

Well, one of the people in the company I work in can't establish a VPN into work. I think I have boiled it down to the ISP she uses but I am still not sure. I know some ISPs block IPSec, so I called them a couple of times and they have assured me they don't. What are some ways I can test to see if they do block IPSec? Or what are some security reasons an ISP would do it? I am baffled on this one.
 
Can your user ping the external interface on your company's box (I assume ICMP is allowed)? Find out if it's a routing issue before you start diving into protocol stuff.
 
I am pretty positive she can, but I asked her to try tonight and email me with the results. She did a packet capture while trying to establish the VPN connection and it is sending out the request, just not hearing anything back. I had her disable Windows Firewall and connect right up to the DSL modem so there shouldn't have been any firewalls blocking anything. :confused:
 
Have her do a traceroute as well. For all we know it's failing 18 hops down the line.
 
If the tunnel is up, she probably won't be able to ping the external address.

Step 1: Verify the tunnel is up and running.
Step 2: Assuming you're doing NAT on both ends, have the user ping from their internal address to an internal address on the remote end.

If it's a point-to-point (gateway-to-gateway) link, look in each of the IPSec gateways' logs to see if they're speaking to each other. If it's a client-to-gateway link, make sure the client is configured correctly. Proper IP address, cryptography, etc.
 
It is a client to gateway link and we have taken her laptop and connected to it here with one of our external addresses so we know the client is configured properly. I will tell her to do the tracert as well.
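
Added example, not part of the thread: one way to read the kind of packet capture described above, sorting traffic between client and gateway into ICMP, IKE (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50) and AH (IP protocol 51) and listing which of them went out without a reply. The addresses, helper names and sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

CLIENT = "192.0.2.10"      # constructed: the user's address on the DSL line
GATEWAY = "198.51.100.1"   # constructed: the company VPN gateway

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0) for the sample capture."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def udp(sport, dport, data=b"\x00" * 28):
    """Build a UDP header plus dummy payload (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Return (src, dst, kind); kind is IKE, NAT-T, ESP, AH, ICMP or None."""
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    kind = {1: "ICMP", 50: "ESP", 51: "AH"}.get(proto)
    if proto == 17:                                # UDP: look at the ports
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if 500 in (sport, dport):
            kind = "IKE"
        elif 4500 in (sport, dport):
            kind = "NAT-T"
    return src, dst, kind

def summarize(packets, client=CLIENT, gateway=GATEWAY):
    """Count client->gateway ("sent") and gateway->client ("received") packets."""
    counts = Counter()
    for pkt in packets:
        src, dst, kind = classify(pkt)
        if kind and (src, dst) == (client, gateway):
            counts[kind, "sent"] += 1
        elif kind and (src, dst) == (gateway, client):
            counts[kind, "received"] += 1
    return counts

def unanswered(counts):
    """Protocols the client sent to the gateway but never heard back on."""
    return sorted({k for k, d in counts if d == "sent" and not counts[k, "received"]})

# Constructed capture: ping is answered, three IKE attempts are not.
SAMPLE = [ipv4(CLIENT, GATEWAY, 1), ipv4(GATEWAY, CLIENT, 1)] + \
         [ipv4(CLIENT, GATEWAY, 17, udp(500, 500)) for _ in range(3)]
```

On the constructed sample, `unanswered(summarize(SAMPLE))` returns `['IKE']`: the route to the gateway works, but the IKE exchange gets no reply, which points at filtering or the gateway itself rather than routing. A capture taken on the gateway's outside interface at the same time shows whether the requests arrive at all.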
 