Vodafone blocking ipsec (I suppose…)



  • Hi all,
    I'm trying to configure a mobile ipsec client, I've double checked phase 1 and phase 2 parameters, the machine has mobile clients allowed and the firewall is not blocking any kind of traffic. I'm using the shrew client on the mobile client, but no traffic seems to reach the pfsense box at all! I'm using a vodafone umts connection, I believe that the network is blocking ipsec, since I'm able to reach the pfsense box for example via http but not via ipsec. Racoon in debug mode shows me nothing at all!
    I've searched the web and find contrasting statements about vodafone and ipsec, so I'm asking is there is a workaround (maybe changing ports?) and if anyone else has had the same problem.

    Thanks.



  • I was apparently wrong, since I've tried with another umts card and the same thing happens: no connection at all.
    Now, what is strange is that if I connect from the mobile client to the pfsense box on, for instance, the web port, I can see the traffic going to the pfsense machine, while on the 500 port I cannot see anything. I've tried to change the shrew connection port from 500 to 80 to see if I can at least see this traffic, but nothing happens. It seems as shrew has some connection problem that I cannot understand. In the trace log I see the repeating of:

    resend 1 phase1 packet
    

    Of course I've double checked the remote gateway address and the phase 1 settings, but still on the pfsense box I cannot see any traffic incoming.
    I've also tried to connect the mobile client to a WAN address and in such case the vpn works. This makes me think there is an ipsec setting on the client that triggers some rejection from my umts provider.
    Any idea?



  • Ok, this is really strange: using the intergrated umts modem on an acer aspire one AO 752 and observing the traffic graph (outgoing traffic) during a shrew ipsec tunnel connection I see clearly that no traffic is leaving the machine at all. Using an external HUAWEI E1550 modem I can see outgoing traffic and the tunnel is built. I've tried to upgrade the drivers of the integrated modem, but nothing changed.
    Any idea about?



  • Having a deeper look at the shrew trace utility in debug mode I've seen that it initiates always a connection from port 500 of the client to port 500 of the ipsec gateway. Now, while it is simple to change the ipsec gateway port in the shrew configuration, this does not solve any problem since still I've got no traffic coming out the client. This means that while I'm able to connect to the pfsense box via http on port 80 from the client, when I try to initiate a shrew connection to the same port 80 no traffic is reported at all. This means that:

    1. something is blocking traffic initiated from port 500 to any other port, and this could be a windows security problem;
    2. the umts card (or the modem???) is blocking UDP traffic.

    With regard to 1, I've tried disabling the windows firewall but nothing happen. Either netstat on the client machine and on the server machine do not report any packet in any direction. I haven't disarmed the antivirus, but sounds really ridiculous that it could block udp traffic. I guess a way to test if problem 1 is happening is to change the connection port of shrew, so that connection are initiated from another port different from the 500 one. However, I haven't found a way to do this, while it is really simple to change the destination port.
    With regard to problem 2, I have no idea on how to test except on using a kind of program to test UDP connectivity.
    Now, the client machine is running windows 7, if this matters (I believe what matters is the w in windows, not the version  :-).

    Suggestions are welcome.



  • Now I'm sure: no udp traffic is generated at all! I've installed a network monitor on the windows machine and I cannot see any udp traffic outgoing the machine when the shrew client tries to connect, while I can see normal ICMP and TCP traffic when doing ping, surfing the web, etc.
    I suspect that, if this does not depend on the machine itself, the problem is with the vodafone operator that is blocking UDP maybe to block some P2P protocols?



  • I've been experiencing issues with IPSec VPNs over Vodafone connections as well…. but.... I think its a routing issue.
    It only occurs on the Windows 7 laptops.  If I use exactly the same setup but with Windows XP it all works fine.
    On the Windows 7 Laptop when I do a tracert to the target computer it ends up resolving to a vodafone host.

    Gonna try adding a static route with a priority metric and seeing if that works.



  • I don't remember the exact details, but a couple of years ago a collegue of mine also tried to build a ipsec vpn from a vodaphone umts connection. Back then vodaphone was making a lot of fuss about their umts connections and the amazing ability to create a vpn connection. But when we called them, nobody could tell us anything. It wasn't a vpn to pFsense but to a hardware router (netopia).

    I do know that he finnaly gave up because it was inpossible to make a true IPsec vpn and we went with KPN umts in stead of vodaphone.



  • Hi all!

    I had the same situation in Windows XP!
    Shrew said "Tunnel enabled" but not a single byte got through.  :(
    I solved it by uninstalling shrew and reinstalling ist (v2.1.7).  :o
    Obviously, the Vodafone Mobile Connect Software must be installed FIRST and second comes Shrew VPN, otherwise the Vodafone Software won't properly work with Shrew.
    I think that I did it the other way round first…

    Also, make sure to set the checkbox for the "Shrewsoft Lightweight Filter" VPN-Adapter in the properties of the UMTS Network Card.

    Good Luck!  ;D


Locked