What can an ISP do to block IPSEC traffic?


Solution 1

Drawing on Chapter 4 of IPsec Virtual Private Network Fundamentals, the following architectural issues can disrupt IPsec traffic:

  • Firewall not allowing required protocols
    • ISAKMP (Port 500)
    • ESP (IP Protocol 50)
    • AH (IP Protocol 51)
  • Firewall (or router) not handling fragmented IPsec packets, such as
    • not replying to ICMP-Unreachable packets - breaking Path MTU Detection

Some of these things could result from an ISP introducing new equipment that by default does one of the above (blocking ICMP-Unreachable seems quite a likely default setting). They may not realise they need to fix such problems in order to support their customers who use IPSEC - and it may not affect all their customers.
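The checklist in Solution 1, as an added example that is not part of the original answer: a small Python script that reads constructed netfilter-style drop-log lines and maps each dropped packet to the IPsec component it breaks, which is the kind of evidence one would hand to an ISP. It goes slightly beyond the answer by also recognising IKE NAT-T on UDP 4500, and the log prefix and addresses are assumed, not taken from any real device.

```python
import re
from typing import Dict, Optional

# Constructed netfilter-style log lines (assumed "DROP"/"ACCEPT" log prefix).
# Each DROP stands in for one of the breakages listed above.
SAMPLE_LOG = """\
kernel: DROP IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.20 LEN=476 PROTO=UDP SPT=500 DPT=500
kernel: DROP IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.20 LEN=1500 PROTO=ESP SPI=0x1a2b3c4d
kernel: DROP IN=eth0 OUT= SRC=198.51.100.1 DST=203.0.113.10 LEN=576 PROTO=ICMP TYPE=3 CODE=4 [SRC=203.0.113.10 DST=198.51.100.20 PROTO=ESP]
kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51234 DPT=443
kernel: DROP IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.20 LEN=120 PROTO=UDP SPT=4500 DPT=4500
kernel: DROP IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.20 LEN=200 PROTO=51 SPI=0x00000101
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def classify_drop(line: str) -> Optional[str]:
    """Name the IPsec component a dropped packet belongs to, or None."""
    if " DROP " not in line:
        return None
    # The bracketed part of an ICMP error repeats the inner IP header;
    # cut it off so its PROTO= does not shadow the outer PROTO=ICMP.
    fields = dict(FIELD_RE.findall(line.split("[", 1)[0]))
    proto = fields.get("PROTO", "").upper()
    if proto in ("ESP", "50"):
        return "ESP (IP protocol 50)"
    if proto in ("AH", "51"):
        return "AH (IP protocol 51)"
    if proto == "UDP":
        ports = {fields.get("SPT"), fields.get("DPT")}
        if "500" in ports:
            return "IKE/ISAKMP (UDP 500)"
        if "4500" in ports:
            return "IKE NAT-T (UDP 4500)"
    # ICMP type 3 code 4 = fragmentation needed; dropping it breaks PMTUD.
    if proto == "ICMP" and fields.get("TYPE") == "3" and fields.get("CODE") == "4":
        return "Path MTU Discovery (ICMP fragmentation-needed)"
    return None


def ipsec_blockers(log: str) -> Dict[str, int]:
    """Count dropped packets per IPsec component across a log."""
    counts: Dict[str, int] = {}
    for line in log.splitlines():
        component = classify_drop(line)
        if component:
            counts[component] = counts.get(component, 0) + 1
    return counts


if __name__ == "__main__":
    for component, n in ipsec_blockers(SAMPLE_LOG).items():
        print(f"{n} drop(s) breaking {component}")
```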

Solution 2

There's really not much we can do to answer this "question" -- they can block IKE, they can block L2TP/GRE/other tunneling protocols, they can block any packet that looks like it might be using ESP/AH, etc.

-- The exhaustive list of ways things can break is (usually) infinite: Without details of how your VPNs are set up and a specific breakage to troubleshoot it's nigh impossible to give you much more detail than the above, though I'm sure others can list specific breakages they've encountered and how they were resolved...

Author by dunxd

Updated on September 18, 2022

Comments

  • dunxd
    dunxd almost 2 years

    Every so often we encounter a problem where we cannot get an IPSEC VPN tunnel to work. Sometimes we know the local authorities restrict use of IPSEC (e.g. Bangladesh), and have to get some kind of exemption. Other times the ISP changes something and the connection drops (e.g. Haiti).

    I assume there are a bunch of things that might prevent IPSEC from working. For example, blocking UDP port 500 would prevent IKE.

    Rather than looking for a resolution for a specific problem, can anyone give a list of what different things an ISP might do to block IPSEC traffic, either on purpose or by accident?

    The answer to this question will be useful in troubleshooting, but also letting ISPs know what specific things they need to fix when we can't get our VPN up!

    • MrGigu
      MrGigu about 13 years
      Converting to wiki as it specifically asks for a list of items, rather than a specific answer
  • dunxd
    dunxd almost 13 years
    The list you gave is useful. The commentary was not necessary or particularly helpful.