VPN Deutsche Telekom

Hi Experts

I'm trying to set up a site-to-site VPN router on a German PPPoE DSL line.
Do you know if Deutsche Telekom blocks this kind of traffic?

A Speedport W303V modem is installed. Behind that is a Linksys RV042 router.
I have created a VPN tunnel in the Linksys router. When I try to connect it, I see no VPN traffic on our firewall. Ping, HTTP and other things seem fine.

Also - if I remove the Linksys router and connect a client directly to the Speedport, make the PPPoE connection and then try to connect to our firewall, I get an "unable to establish a connection" error. That made me think that perhaps VPN traffic is blocked by the ISP?

Thank you
jakobmarkussenAsked:

Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
Deutsche Telekom does not block any traffic.
If you use a client, you cannot have a site-to-site VPN.
Please explain what config exactly you use - in particular, how the VPN is configured, and what you mean by "firewall".

I assume the modem isn't managing PPPoE, instead either Router or Linksys does that? Speedport itself should be able to establish the connection - that's the method most folks in Germany use.
0
jakobmarkussen (Author) Commented:
Thx

Okay: The Linksys does the PPPoE... Also the VPN tunnel will be created on the Linksys router.
We have several of these routers with tunnels to our HQ firewall (ISA/TMG). This is the first line we have using PPPoE.

I have set up the tunnel like on our other routers. 3DES/SHA1/2 .. This doesn't work. The reason I'm talking about clients: If I remove the Linksys router and connect a computer to the Speedport modem, I can make the PPPoE connection on that computer. Then I'm able to ping our HQ. Also ordinary web traffic is fine. But if I try to create a VPN connection to HQ from this computer I get the 800 error.

So PPTP VPN from clients and IPsec from the Linksys don't work. That made me think that Telekom might be blocking this....

We have other non-PPPoE DSL lines in Germany - even in the same office.. VPNs are not an issue on these lines.
0
jakobmarkussen (Author) Commented:
The router log shows:

Apr 6 14:51:14 2010     VPN Log    Initiating Main Mode  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet  
Apr 6 14:51:14 2010     VPN Log    Received Vendor ID payload Type = [MS NT5 ISAKMPOAKLEY 00000004]  
Apr 6 14:51:14 2010     VPN Log    Ignoring Vendor ID payload Type = [FRAGMENTATION]  
Apr 6 14:51:14 2010     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet  
Apr 6 14:51:14 2010     VPN Log    Main mode peer ID is ID_IPV4_ADDR: 'X.X.X.X'  <- Removed by author
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] Main Mode Phase 1 SA Established  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] Initiator Cookies = 35ea ad56 983f 44c3  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] Responder Cookies = f49e 89b8 6184 5089  
Apr 6 14:51:14 2010     VPN Log    initiating Quick Mode PSK+TUNNEL+PFS+NAT-T  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet  
Apr 6 14:51:14 2010     VPN Log    Received informational payload, type INVALID_ID_INFORMATION  
Apr 6 14:51:24 2010     Authentication Success     HTTP Basic authentication succeeded for user: admin

And the ISA shows:

Dest. port 500, Protocol: IKE Client. initiated Connection....

Nothing else.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
Phase 1 is negotiated OK, but in Phase 2 the router sends config data the ISA disagrees on. Usually, INVALID_ID_INFORMATION is a "Proxy-ID" or "Local and Remote Network" setting which is different, or the initiator gateway (the router's public IP) does not match the one expected on the ISA side. You are using Main Mode in VPN, so both gateways need to know the other's public IP address.
0
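As an added example (not part of the original thread or any poster's code): a small Python triage of a router log in the format posted above, separating "no IKE reply" (which would point at filtering on the path) from a Phase 2 rejection like the one logged here. The function name, stage labels and hint texts are this example's own, and the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample in the format of the router log quoted above
# (Vendor ID, cookie and later Main Mode packet lines left out).
SAMPLE_LOG = """\
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 6 14:51:14 2010     VPN Log    initiating Quick Mode PSK+TUNNEL+PFS+NAT-T
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Apr 6 14:51:14 2010     VPN Log    Received informational payload, type INVALID_ID_INFORMATION
"""

NOTIFY_RE = re.compile(r"Received informational payload, type (\w+)")

# Hint texts are this example's wording of the advice given in the thread.
HINTS = {
    "not-started": "no negotiation attempt in this log",
    "no-ike-reply": "no answer on UDP 500: check reachability and filtering",
    "phase1-failed": "peer answered but Phase 1 did not finish: check proposal and key",
    "phase2-rejected": "path is fine: compare local/remote network settings on both gateways",
    "phase2-pending": "Phase 1 is up, no Phase 2 verdict logged yet",
}

def diagnose(log_text):
    """Return (stage, notify_type) for one logged negotiation attempt."""
    sent = replied = phase1 = quick = False
    notify = None
    for line in log_text.splitlines():
        low = line.lower()
        if "send main mode 1st packet" in low:
            sent = True
        elif re.search(r"received? main mode", low):
            replied = True  # the peer answered, so IKE traffic gets through
        elif "phase 1 sa established" in low:
            phase1 = True
        elif "initiating quick mode" in low:
            quick = True
        elif quick and (m := NOTIFY_RE.search(line)):
            notify = m.group(1)  # peer's verdict on the Phase 2 proposal
    if not sent:
        return "not-started", None
    if not replied:
        return "no-ike-reply", None
    if not phase1:
        return "phase1-failed", None
    if notify:
        return "phase2-rejected", notify
    return "phase2-pending", None
```

`HINTS[diagnose(SAMPLE_LOG)[0]]` gives the next thing to check for the logged attempt.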
jakobmarkussen (Author) Commented:
The ISA "end" IP is known and public. The router is getting a fixed IP after PPPoE connection.
Both gateways know the other's IP. I have deleted and created the tunnel on both sides several times. And on both ISA and TMG servers at HQ.

This again makes me think that maybe I do not understand this PPPoE DSL correctly...

What I did: I got a Speedport modem from a German Telekom store. The menus were in German so I'm not quite sure if I translated correctly. Connected this to the DSL line and marked something like "Pass through PPPoE". The Linksys is connected to the modem, and makes the PPPoE connection. Clicking "connect" gives the fixed IP supplied by Telekom. My ISA also shows ping etc. coming from this IP. The VPN tunnel is created on the router as we have created these on all our other Linksys routers.

Are any of you using this kind of German DSL and site-to-site VPN?

I'm no longer at the German office so cannot connect to the modem - but I can connect to and administer the Linksys router.
0
