Firewall Wizards mailing list archives

Tool for testing filters?


From: "Fernando da Silveira Montenegro" <montenegro () nutec com br>
Date: Mon, 12 Jan 1998 16:08:06 -0200

Hi everyone!

Typical scenario: customer wants client PC with VPN software
(EagleMobile in this case, but can be generalized) through his local ISP
all the way to the corporate site, through some other ISP. Does anybody
know of a good tool we can use to check if the path from the local ISP
to the corporate firewall is clear of packet filters that would block
VPN traffic (TCP/1723, TCP/420, SWIPE, IPSEC, GRE, ...)?

I thought perhaps a modified traceroute might work for the TCP
connection status (on getting anything different than ICMP TTL exceeded,
such as TCP RST, TCP SYN or timeout, you got to someone discarding
traffic, or you got to the firewall and your problem is something else)
but I don't know about the different IP packet types. Does ICMP hold for
them as well?

We keep running into this problem when implementing VPNs for customers. We
end up having to check every ISP in the path, and we all know the pain
it is to explain the situation to every admin, and those delays keep
adding up...

If no one has this running, I'll give it a shot (modify traceroute).
Otherwise, any pointers?

Thanks in advance!

Regards,
Fernando
--
Fernando da Silveira Montenegro     NutecNet Servicos Corporativos
System/Network Consultant           Sao Paulo, SP, BRAZIL
mailto:montenegro () nutec com br      http://www.nutecnet.com.br
voice.:+55-11-5505-5728             #include <disclaimer.h>
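
The ICMP half of the modified-traceroute idea in this message, as an added example that is not part of the original post: ICMP errors are generated at the IP layer and quote the offending packet's IP header, so a TTL-limited probe of any protocol (GRE, ESP, SWIPE) can be matched to the hop that answered. The addresses, function names and sample replies are constructed for illustration; sending the probes and handling TCP RST or SYN/ACK replies are left out.

```python
import socket, struct
GRE, ESP, SWIPE = 47, 50, 53   # IP protocol numbers for traffic named in the post

def ip_header(src, dst, proto, ttl, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 because nothing here validates it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def icmp_error(router, client, itype, code, probe):
    # ICMP errors quote the offending IP header plus its first 8 payload bytes (RFC 792)
    body = struct.pack("!BBHI", itype, code, 0, 0) + probe[:28]
    return ip_header(router, client, 1, 64, len(body)) + body

def parse_icmp_error(pkt):
    """Return (responder, icmp_type, icmp_code, quoted_proto, quoted_dst)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8 + 20:
        raise ValueError("not an ICMP error with a quoted IP header")
    icmp, quoted = pkt[ihl:ihl + 8], pkt[ihl + 8:]
    return (socket.inet_ntoa(pkt[12:16]), icmp[0], icmp[1],
            quoted[9], socket.inet_ntoa(quoted[16:20]))

VERDICTS = {(11, 0): "forwarded",   # TTL exceeded: the probe got as far as this hop
            (3, 9): "filtered", (3, 10): "filtered", (3, 13): "filtered",  # admin. prohibited
            (3, 2): "reached", (3, 3): "reached"}  # protocol/port unreachable from the end host

def classify(reply, proto, dst):
    if reply is None:
        return None, "timeout"      # silent drop, or a router that sends no ICMP
    src, itype, code, qproto, qdst = parse_icmp_error(reply)
    if (qproto, qdst) != (proto, dst):
        return src, "unrelated"     # the error quotes some other packet
    return src, VERDICTS.get((itype, code), "other")

def first_non_forwarding_hop(replies, proto, dst):
    """replies[i] is the raw reply to the probe sent with TTL i+1, or None on timeout."""
    for ttl, reply in enumerate(replies, start=1):
        src, verdict = classify(reply, proto, dst)
        if verdict != "forwarded":
            return ttl, src, verdict
    return None

# Constructed sample: GRE probes from CLIENT toward FIREWALL, rejected at hop 3
CLIENT, FIREWALL = "192.0.2.10", "203.0.113.5"

def sample_replies():
    probe = lambda ttl: ip_header(CLIENT, FIREWALL, GRE, ttl, 8) + bytes(8)
    return [icmp_error("198.51.100.1", CLIENT, 11, 0, probe(1)),
            icmp_error("198.51.100.2", CLIENT, 11, 0, probe(2)),
            icmp_error("198.51.100.3", CLIENT, 3, 13, probe(3))]
```

A timeout on its own is ambiguous, since some routers never send ICMP errors; comparing against an ordinary traceroute to the same destination separates a silent filter from a quiet router.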



