Outgoing IPSec connection failing?
Hi,
I have a Vodafone Sure Signal(SS) (a.k.a. Vodafone Access Gateway) (http://www.vodafone.co.uk/suresignal). It is a personal 3G mobile phone (cell phone) transmitter. It connects back to Vodafone (my phone provider) using an IPSec VPN, joins their infrastructure network then transmits a private 3G cell so you can get a good signal on your phone at home if you live in a poor service area. It uses your broadband connection to carry voice and call data back to the provider.
My Internet connection is ADSL. I use a PPPoA -> PPPoE gateway which translates the raw PPPoA from my ISP to PPPoE. The PPPoE is connected to the WAN NIC on my PFSense box, and PFSense has the ISP credentials and runs the connection as PPPoE. All the network devices I have work fine except the SS. The SS has poor diagnostics with only 4 status lights (the meanings of which aren't universally agreed). The manufacturer is paranoid about the device being compromised and hasn't provided any web interface or means of telnetting in to get meaningful logs.
When my network is on PFSense, the SS initialises but appears to never manage to establish the VPN back to Vodafone and never enters the ready state. It doesn't produce a "fault" indication. I can see the SS has successfully obtained a DHCP lease. In the States table I can see DNS connections from it as well as NTP and UDP ports 500 & 4500 (bidirectional) to documented IP addresses in the Vodafone domain (I therefore conclude the DNS is working right, as these addresses have resolved). The UDP connections appear to change from time to time, so it may be that something is failing and retrying. I can't see any sign on the PFSense console or in the logs that any packets are being blocked between the SS and Vodafone.
I've disconnected my PFSense setup and tried a Draytek Vigor 2820n SOHO router and the SS initialises perfectly, joins the phone network and works correctly. I tried installing an IPCop firewall on a spare machine as a test in place of PFSense. With IPCop the SS failed much faster, indicating a fault condition.
I have seen theories that the SS uses 1500-byte UDP datagrams during the setup and operation of the VPN tunnel. It has been suggested that it will fail to work if the MTU of the Internet connection is less than 1500 and the router doesn't correctly reassemble the fragmented UDP datagrams, particularly the IKE_AUTH. The PPPoA from my ISP has a 1500 MTU, but the MTU of the PPPoE connection between the modem-gateway and PFSense can only be 1492, so I'm wondering if the fragmentation problem is at work here.
I'd be really grateful for any suggestions as to what the problem might be and what I can do to try and get it working. The spare machine is available and I'm willing to try beta releases if necessary.
Thanks,
Paul.