4

Every so often we encounter a problem where we cannot get an IPSEC VPN tunnel to work. Sometimes we know the local authorities restrict use of IPSEC (e.g. Bangladesh), and have to get some kind of exemption. Other times the ISP changes something and the connection drops (e.g. Haiti).

I assume there are a bunch of things that might prevent IPSEC from working. For example, blocking UDP port 500 would prevent IKE.

Rather than looking for a resolution for a specific problem, can anyone give a list of what different things an ISP might do to block IPSEC traffic, either on purpose or by accident?

The answer to this question will be useful in troubleshooting, but also letting ISPs know what specific things they need to fix when we can't get our VPN up!

dunxd
  • 9,482
  • 21
  • 80
  • 117
  • Converting to wiki as it specifically asks for a list of items, rather than a specific answer – Mark Henderson Jun 22 '11 at 21:53
  • Rewrote question more specifically to my current incident - http://serverfault.com/questions/283732/what-might-prevent-ike-handshake-success-in-building-an-ipsec-tunnel - but I would still find a list of useful things to check useful. – dunxd Jun 24 '11 at 08:53

2 Answers2

8

Drawing on Chapter 4 of IPsec Virtual Private Network Fundamentals the following architectural issues can disrupt IPsec traffic:

  • Firewall not allowing required protocols
    • ISAKMP (Port 500)
    • ESP (IP Protocol 50)
    • AH (IP Protocol 51)
  • Firewall (or router) not handling fragmented IPsec packets, such as
    • not replying to ICMP-Unreachable packets - breaking Path MTU Detection

Some of these things could result from an ISP introducing new equipment that by default does one of the above (blocking ICMP-Unreachable seems quite a likely default setting). They may not realise they need to fix such problems in order to support their customers who use IPSEC - and it may not affect all their customers.

dunxd
  • 9,482
  • 21
  • 80
  • 117
5

There's really not much we can do to answer this "question" -- they can block IKE, they can block L2TP/GRE/other tunneling protocols, they can block any packet that looks like it might be using ESP/AH, etc.

-- The exhaustive list of ways things can break is (usually) infinite: Without details of how your VPNs are set up and a specific breakage to troubleshoot it's nigh impossible to give you much more detail than the above, though I'm sure others can list specific breakages they've encountered and how they were resolved...

voretaq7
  • 79,345
  • 17
  • 128
  • 213
  • 2
    The list you gave is useful. The commentary was not necessary or particularly helpful. – dunxd Aug 03 '11 at 10:46