Firewall Wizards mailing list archives

RE: VPN Problems


From: Lucas Thompson <Lucas.Thompson () watchguard com>
Date: Mon, 13 Aug 2001 15:19:26 -0700

This is very often a problem where ISPs filter IP 50 or 51.  A really good
way to test it is to use the traceroute that comes with OpenBSD.
OpenBSD's traceroute allows you to use arbitrary IP protocol numbers instead
of just UDP or ICMP like most of them.  Then sniff at your site(s) to see if
it gets through.

I just wish I had a Linux port of it  :)

lucas

-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Friday, August 10, 2001 4:53 PM
To: Jason Wu
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] VPN Problems



On Thu, 9 Aug 2001, Jason Wu wrote:

> Hi, has anyone on this list had any problems with their VPNs that can be
> traced to something the ISP is doing?

Sure.  I've had ISPs not pass the packet types I needed them to, despite
their claims that they do no filtering.  Do a traceroute some time and see
how many ISPs you cross.

> I want to get an idea of how
> prevalent it is for ISPs to filter VPN traffic or to perform NAT causing
> AH to break etc.

Yes, any of that will break AH.  Or GRE.  Or IPinIP, etc...

> Also, how have you worked around these limitations?

Change ISPs or VPN software.

But at least I'm not bitter or cynical about it. :)

Note that it is explicitly against the policies of some ISPs to use a VPN.

                                        Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
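
The test described in the reply above (probe with IP protocol 50/51, then sniff) can be read off a capture taken at the probing side. The following is an added example, not code from the thread or from OpenBSD: it parses ICMP time-exceeded replies and reports, per probe protocol, the farthest hop that answered, so a protocol 50/51 path that stops short of the UDP path points at the filtering hop. It assumes the prober wrote each probe's TTL into the IP ID field; all addresses and packets are constructed.

```python
import socket
import struct

ESP, AH, UDP = 50, 51, 17  # IP protocol numbers

def build_ipv4(src, dst, proto, payload=b"", ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def time_exceeded(router, prober, target, proto, probe_ttl):
    """Constructed ICMP type 11 reply quoting the expired probe's header."""
    quoted = build_ipv4(prober, target, proto, b"\0" * 8, ttl=1, ident=probe_ttl)
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted
    return build_ipv4(router, prober, 1, icmp)

def parse_time_exceeded(pkt):
    """Return (router, probe_proto, probe_ttl), or None if not a TTL-expired reply."""
    if len(pkt) < 20 or pkt[9] != 1:          # outer protocol must be ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 + 20 or (pkt[ihl], pkt[ihl + 1]) != (11, 0):
        return None
    inner = pkt[ihl + 8:]                      # quoted header of the probe
    probe_ttl = struct.unpack("!H", inner[4:6])[0]  # assumption: TTL stored in IP ID
    return socket.inet_ntoa(pkt[12:16]), inner[9], probe_ttl

def deepest_hop(replies):
    """Map each probe protocol to (ttl, router) of the farthest answering hop."""
    best = {}
    for pkt in replies:
        parsed = parse_time_exceeded(pkt)
        if parsed is None:
            continue
        router, proto, ttl = parsed
        if proto not in best or ttl > best[proto][0]:
            best[proto] = (ttl, router)
    return best

# Constructed capture: UDP probes are answered by three hops, ESP/AH by only two.
HOPS = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
PROBER, TARGET = "192.0.2.10", "203.0.113.50"
SAMPLE = [time_exceeded(h, PROBER, TARGET, UDP, i + 1) for i, h in enumerate(HOPS)]
SAMPLE += [time_exceeded(h, PROBER, TARGET, p, i + 1)
           for p in (ESP, AH) for i, h in enumerate(HOPS[:2])]

if __name__ == "__main__":
    for proto, (ttl, router) in sorted(deepest_hop(SAMPLE).items()):
        print(f"proto {proto}: last reply from hop {ttl} ({router})")
```

A hop that is silent for protocol 50 or 51 but answers UDP only narrows down where the drop happens; the sniff at the far site is still what confirms whether the traffic arrives.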
