jakobmarkussen asked:
VPN Deutsche Telekom

Hi Experts

I'm trying to set up a site-to-site VPN router on a German PPPoE DSL line.
Do you know if Deutsche Telekom blocks this kind of traffic?

A Speedport W303V modem is installed. Behind that is a Linksys RV042 router.
I have created a VPN tunnel in the Linksys router. When I try to connect it, I see no VPN traffic on our firewall. Ping, HTTP and other things seem fine.

Also, if I remove the Linksys router and connect a client directly to the Speedport, make the PPPoE connection and then try to connect to our firewall, I get an "unable to establish a connection" error. That made me think that perhaps VPN traffic is blocked by the ISP??

Thank you
Qlemo (Germany) replied:

Deutsche Telekom does not block any traffic.
If you use a client, you cannot have a site-to-site VPN.
Please explain what config exactly you use - in particular, how the VPN is configured, and what you mean by "firewall".

I assume the modem isn't managing PPPoE; instead either the router or the Linksys does that? The Speedport itself should be able to establish the connection - that's the method most folks in Germany use.
jakobmarkussen (asker) replied:

Thx

Okay: the Linksys does the PPPoE. Also, the VPN tunnel will be created on the Linksys router.
We have several of these routers with tunnels to our HQ firewall (ISA/TMG). This is the first line we have using PPPoE.

I have set up the tunnel like on our other routers: 3DES/SHA1/2. This doesn't work. The reason I'm talking about clients: if I remove the Linksys router and connect a computer to the Speedport modem, I can make the PPPoE connection on that computer. Then I'm able to ping our HQ. Also ordinary web traffic is fine. But if I try to create a VPN connection to HQ from this computer I get the 800 error.

So PPTP VPN from clients and IPsec from the Linksys don't work. That made me think that Telekom might be blocking this....

We have other non-PPPoE DSL lines in Germany - even in the same office. VPNs are not an issue on these lines.
The router log shows:

Apr 6 14:51:14 2010     VPN Log    Initiating Main Mode  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet  
Apr 6 14:51:14 2010     VPN Log    Received Vendor ID payload Type = [MS NT5 ISAKMPOAKLEY 00000004]  
Apr 6 14:51:14 2010     VPN Log    Ignoring Vendor ID payload Type = [FRAGMENTATION]  
Apr 6 14:51:14 2010     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet  
Apr 6 14:51:14 2010     VPN Log    Main mode peer ID is ID_IPV4_ADDR: 'X.X.X.X'  <- Removed by author
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] Main Mode Phase 1 SA Established  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] Initiator Cookies = 35ea ad56 983f 44c3  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] Responder Cookies = f49e 89b8 6184 5089  
Apr 6 14:51:14 2010     VPN Log    initiating Quick Mode PSK+TUNNEL+PFS+NAT-T  
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet  
Apr 6 14:51:14 2010     VPN Log    Received informational payload, type INVALID_ID_INFORMATION  
Apr 6 14:51:24 2010     Authentication Success     HTTP Basic authentication succeeded for user: admin

And the ISA shows:

Dest. port 500, Protocol: IKE Client. initiated Connection....

Nothing else.
Phase 1 is negotiated OK, but in Phase 2 the router sends config data the ISA disagrees on. Usually, INVALID_ID_INFORMATION is a "Proxy-ID" or "Local and Remote Network" setting which is different, or the initiator gateway (the router's public IP) does not match the one expected on the ISA side. You are using Main Mode in VPN, so both gateways need to know the other's public IP address.
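One way to turn that reading of the log into a repeatable check, as an added example that is not part of this thread or of any Linksys/ISA tooling: a small Python script that walks RV042-style VPN log lines, records whether the Phase 1 SA came up and which informational notify arrived afterwards, and then tests whether the two gateways' local/remote network definitions (the Quick Mode proxy IDs) are mirror images of each other. The log excerpt is a constructed, abridged copy of the lines posted above; the subnets and the function names are assumptions.

```python
import re
from ipaddress import ip_network

# Constructed sample: abridged copy of the RV042 VPN log lines posted in the thread.
# 'X.X.X.X' is the poster's own redaction of the peer address, kept as-is.
SAMPLE_LOG = """\
Apr 6 14:51:14 2010     VPN Log    Initiating Main Mode
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Apr 6 14:51:14 2010     VPN Log    Main mode peer ID is ID_IPV4_ADDR: 'X.X.X.X'
Apr 6 14:51:14 2010     VPN Log    [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 6 14:51:14 2010     VPN Log    initiating Quick Mode PSK+TUNNEL+PFS+NAT-T
Apr 6 14:51:14 2010     VPN Log    Received informational payload, type INVALID_ID_INFORMATION
Apr 6 14:51:24 2010     Authentication Success     HTTP Basic authentication succeeded for user: admin
"""

PEER_ID_RE = re.compile(r"peer ID is (?P<kind>ID_\w+): '(?P<val>[^']*)'")
NOTIFY_RE = re.compile(r"informational payload, type (?P<notify>\w+)")


def triage_ike(log_text):
    """Classify where an IKEv1 negotiation stopped, from RV042-style log lines.

    Fields are separated by runs of two or more spaces: timestamp, facility, message.
    Only 'VPN Log' lines are considered; the HTTP admin login line is ignored.
    """
    phase1_up = False
    quick_mode_started = False
    peer_id = None
    notify = None
    for line in log_text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) < 3 or parts[1] != "VPN Log":
            continue
        msg = parts[2]
        m = PEER_ID_RE.search(msg)
        if m:
            peer_id = (m.group("kind"), m.group("val"))
        if "Phase 1 SA Established" in msg:
            phase1_up = True
        if msg.lower().startswith("initiating quick mode"):
            quick_mode_started = True
        m = NOTIFY_RE.search(msg)
        if m:
            notify = m.group("notify")

    # Phase 1 succeeded and Quick Mode was answered with INVALID_ID_INFORMATION:
    # the responder rejected the traffic selectors (proxy IDs) or the peer identity,
    # not the crypto and not the pre-shared key.
    if phase1_up and notify == "INVALID_ID_INFORMATION":
        verdict = "phase2_id_mismatch"
    elif notify:
        verdict = "notify:" + notify
    elif not phase1_up:
        verdict = "phase1_failed"
    else:
        verdict = "inconclusive"
    return {
        "phase1_up": phase1_up,
        "quick_mode_started": quick_mode_started,
        "peer_id": peer_id,
        "notify": notify,
        "verdict": verdict,
    }


def proxy_ids_mirror(initiator_side, responder_side):
    """Check that the (local, remote) network pair on one gateway equals the
    (remote, local) pair on the other. IKEv1 Quick Mode sends the initiator's
    selectors and the responder only accepts an exact match of its own.
    Returns a list of human-readable mismatches; empty means the pairs mirror.
    """
    a_local, a_remote = (ip_network(n) for n in initiator_side)
    b_local, b_remote = (ip_network(n) for n in responder_side)
    problems = []
    if a_local != b_remote:
        problems.append(f"initiator local {a_local} != responder remote {b_remote}")
    if a_remote != b_local:
        problems.append(f"initiator remote {a_remote} != responder local {b_local}")
    return problems


if __name__ == "__main__":
    result = triage_ike(SAMPLE_LOG)
    print(result["verdict"], result["peer_id"])
    # Assumed subnets: RV042 branch LAN and HQ network behind the ISA.
    rv042 = ("192.168.10.0/24", "10.0.0.0/16")
    isa_ok = ("10.0.0.0/16", "192.168.10.0/24")
    isa_bad = ("10.0.0.0/16", "192.168.10.0/25")  # HQ side configured with a narrower branch subnet
    print(proxy_ids_mirror(rv042, isa_ok))
    print(proxy_ids_mirror(rv042, isa_bad))
```

Run it against a pasted log to confirm the failure is a Phase 2 selector/identity problem rather than an ISP block: a carrier dropping UDP 500 would never let Phase 1 reach "SA Established" in the first place. The mirror check is what to apply to the "Local Security Group" / "Remote Security Group" settings on the RV042 and the corresponding network definitions on the ISA before touching anything else.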
ASKER CERTIFIED SOLUTION (by jakobmarkussen)