Carriers blocking IPSec...official policy?
Greetings folks,

We have had several instances recently of problems with IPSec VPNs that turned out to be caused by ACLs at the ISP or carrier level blocking ESP traffic, or rather any IP traffic that isn't TCP, UDP, ICMP or routing stuff.

There is no one particular network provider involved (one was offshore), and it doesn't seem to be a general practice, but we seem to be getting caught occasionally by default "deny all IP" catch-all rules of the kind you stick at the bottom of the access list. Sometimes, it's only one interface in a particular direction.

We've wasted a large amount of time and effort debugging and trying to get people to check their router configs for us, with varying degrees of co-operation.

Has anyone else struck similar issues? Can anyone comment on whether this is a general 'no VPNs on our turf' policy, as one provider's help desk has (not terribly helpfully) suggested?

Rgds,
Rob Edkins
Systems Consultant
Axon Computertime
email: rob.edkins(a)axon.co.nz

-
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
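The failure described in the message above, as an added example that is not part of the original post: a first-match evaluator run over a constructed ACL that permits only TCP, UDP, ICMP and a routing protocol before a catch-all deny. IKE runs over UDP port 500 and is permitted, while ESP (IP protocol 50) and AH (IP protocol 51) fall through to the deny. The IOS-style rule syntax, the sample rules and the function names are assumptions, and matching is on protocol only (every rule is `any any`).

```python
# Added example: first-match evaluation of a constructed, IOS-style ACL.
# IANA IP protocol numbers; "ahp" is the IOS keyword for AH.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51, "ospf": 89}

# Constructed sample, not taken from any carrier's router.
SAMPLE_ACL = """\
permit tcp any any
permit udp any any
permit icmp any any
permit ospf any any
deny ip any any
"""

def parse_acl(text):
    """Return [(action, protocol)]; protocol None means 'ip' (any protocol)."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("permit", "deny"):
            continue  # blank lines, remarks
        action, proto = fields[0], fields[1]
        if proto == "ip":
            rules.append((action, None))
        elif proto in PROTO:
            rules.append((action, PROTO[proto]))
        elif proto.isdigit():
            rules.append((action, int(proto)))
        else:
            raise ValueError(f"unknown protocol keyword: {proto}")
    return rules

def evaluate(rules, proto_number):
    """First match wins; no match at all means the implicit deny."""
    for index, (action, proto) in enumerate(rules, start=1):
        if proto is None or proto == proto_number:
            return action, index
    return "deny", None

def ipsec_report(acl_text):
    """Verdict for each protocol an IPSec tunnel needs across this ACL."""
    rules = parse_acl(acl_text)
    needed = {"IKE (udp/500)": 17, "ESP (proto 50)": 50, "AH (proto 51)": 51}
    return {name: evaluate(rules, num)[0] for name, num in needed.items()}

if __name__ == "__main__":
    print("as found :", ipsec_report(SAMPLE_ACL))
    print("with ESP :", ipsec_report("permit esp any any\n" + SAMPLE_ACL))
```

Because ACLs are applied per interface and per direction, the check has to be repeated for each one along the path.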
We do IPSec VPNs on a weekly basis, and have never struck any carrier in NZ blocking ESP traffic.

-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of rob.edkins(a)axon.co.nz
Sent: Thursday, 9 May 2002 3:55 p.m.
To: nznog(a)list.waikato.ac.nz
Subject: Carriers blocking IPSec...official policy?
Participants (2): Philip D'Ath, rob.edkins@axon.co.nz