
IPSEC VPN fails since upgrade to PN Fibre

buxtonmarauder
Newbie
Posts: 7
Registered: ‎04-08-2014

IPSEC VPN fails since upgrade to PN Fibre

Hello everyone,
I'm hoping that someone can help me solve a frustrating problem..
I use Shrewsoft VPN client to connect to services at work. Until I upgraded to Plus.net fibre the client worked flawlessly. Since upgrading to fibre the client fails at "bringing up tunnel" phase.
If I connect the same laptop to a different broadband service (at a friend's) then it connects immediately.
I am using a Draytek Vigor 2820 as the router, I was using it prior to fibre and the VPN worked OK with that.
I have tried switching out the Draytek to use the supplied Technicolor PlusNet TG582n and I get the same problem.
I have done some googling and came up with a couple of things which I've tried but to no avail..
e.g. http://www.draytek.co.uk/archive/kb_vigor_passthrough.html
I've also upgraded the Draytek to the latest firmware version to no avail..
Any sensible suggestions based on the above info gratefully received !
Cheers
MisterW
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: IPSEC VPN fails since upgrade to PN Fibre

Check your Plusnet Firewall settings here https://portal.plus.net/my.html?action=firewall ( you'll need to login with your normal member centre details ). It should be either Off or Low, it could be they got reset when the account changed to Fibre. If you have to change the setting then you will need to disconnect/reconnect the PPPoE session at the router for it to take effect.
Let us know how that goes...

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

buxtonmarauder
Newbie
Posts: 7
Registered: ‎04-08-2014

Re: IPSEC VPN fails since upgrade to PN Fibre

Thanks, I should have noted in my pre-amble that I already tried that from a previous post I found on this forum..
anyway, it's set to OFF..
cheers
MisterW
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: IPSEC VPN fails since upgrade to PN Fibre

Given that you're using the same 2820 router, then I can't see it being a router problem. The only difference in the router configuration, I guess, is that you're using the WAN port rather than the ADSL port for the Internet connection.
I suppose that since it's now PPPoE rather than PPPoA there MIGHT be an MTU difference ?
There were some problems with the Huawei BT modems and VPN late last year but I thought a firmware update had long since fixed that.
It's possible that the IP you're being assigned on Fibre could be in a different range but given that your server doesn't seem to mind a connection from your friend's ISP, I guess it's not that picky.
edit: the Shrewsoft client seems to have some debugging facilities http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/mvpn/ipsec/client/shrew_... , does that help ?

buxtonmarauder
Newbie
Posts: 7
Registered: ‎04-08-2014

Re: IPSEC VPN fails since upgrade to PN Fibre

Shrewsoft has a default MTU of 1380
2820 defaulted to 1442
I've switched the 2820 to 1380 with no success..
I can't change the Shrewsoft MTU to 1442 because I need a certificate password to make the change and I don't know that password (long story)..
I can't troubleshoot the Shrew connection because the trouble-shooter module is only available on Windows and I don't have any Win devices at home.. Will have to bring one home I guess.
For the record I also use a Cisco IPSEC VPN on Linux and that works flawlessly..
Flippin annoying things, computers !
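
The MTU question in the post above can be measured rather than guessed. The following is an added example, not part of the thread or of any poster's setup: it binary-searches the largest packet that crosses the path with Don't Fragment set and reports the headroom over the 1380-byte client MTU quoted above. The function names and the 576 to 1500 search range are assumptions, and the probe uses Linux iputils `ping` flags.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, mtu, timeout_s=1):
    """One ICMP echo with Don't Fragment set, sized so the IP packet is `mtu` bytes.
    Uses Linux iputils ping flags (-M do); macOS ping uses -D instead."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
           "-s", str(mtu - IP_ICMP_OVERHEAD), host]
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0


def find_path_mtu(probe, low=576, high=1500):
    """Largest size in [low, high] for which probe(size) succeeds, by binary search.
    Returns None when even `low` fails (host down or ICMP echo filtered)."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid       # mid fits: the answer is mid or larger
        else:
            high = mid - 1  # mid was dropped: the answer is smaller
    return low


def headroom(path_mtu, client_mtu=1380):
    """Bytes left on the path for IPsec encapsulation around a full-size
    client packet (1380 is the Shrew Soft adapter MTU quoted in the thread)."""
    return path_mtu - client_mtu


if __name__ == "__main__":
    host = sys.argv[1]  # e.g. the VPN gateway address (supplied by the user)
    mtu = find_path_mtu(lambda size: ping_df(host, size))
    if mtu is None:
        print("no reply to DF pings; ICMP may be filtered")
    else:
        print(f"path MTU {mtu}, headroom over client MTU: {headroom(mtu)}")
```

Run it once on the fibre line and once on a connection where the VPN works; a lower path MTU on the failing line points at fragmentation rather than at the client.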
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: IPSEC VPN fails since upgrade to PN Fibre

You could try a direct connection to the BT modem, that may indicate if the problem is with the Draytek and not the PN connection.
This is how with Windows, haven't a clue with Linux.
http://community.plus.net/library/broadband/fibre-help-how-to-set-up-a-pppoe-dialler-in-vistawindows...
MisterW
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: IPSEC VPN fails since upgrade to PN Fibre

As long as the MTU on the router is greater than the Shrewsoft one it should be fine.
Very strange that the Cisco IPsec works fine.
I'll have a bit of a think to see if I can come up with any more ideas.

buxtonmarauder
Newbie
Posts: 7
Registered: ‎04-08-2014

Re: IPSEC VPN fails since upgrade to PN Fibre

Thanks guys, I appreciate it..
@npr great suggestion I will try it !
MisterW
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: IPSEC VPN fails since upgrade to PN Fibre

You're not the only one with an IPsec issue on FTTC, have a look at this http://community.spiceworks.com/topic/357112-cannot-establish-site-to-site-vpn-since-fibre-broadband...

MisterW
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: IPSEC VPN fails since upgrade to PN Fibre

Can you also try setting the MTU on the 2820 to 1492, that's the max for PPPoE, the 1442 that it's at now seems a bit small...

Anonymous
Not applicable

Re: IPSEC VPN fails since upgrade to PN Fibre

A bit of a long shot, however -
When going from ADSL to FTTC, did the router DNS settings change from some user defined DNS (like Google or OpenDNS) to automatic server assigned DNS (i.e. Plusnet)?
It has occasionally been seen that the Plusnet DNS can return slightly different results (compared to other DNS servers), and might explain a change in connectivity ?
buxtonmarauder
Newbie
Posts: 7
Registered: ‎04-08-2014

Re: IPSEC VPN fails since upgrade to PN Fibre

Thanks for your further ideas, I will test when I get home later tonight..
From memory, I already set the MTU to 1492 but I will check.
The DNS did update itself to the plus.net defaults, however, I already re-set them to both OpenDNS and Google to see if that solved the problem..
My guess is Shrewsoft client doesn't support NAT-T which is what I believe is necessary to be able to traverse the fibre modem and the 2820..
I can get around it by using our Cisco VPN on my linux machine but I'd prefer to use my Mac and I can't get the Cisco VPN connected on that 😞
MisterW
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: IPSEC VPN fails since upgrade to PN Fibre

Quote
My guess is Shrewsoft client doesn't support NAT-T which is what I believe is necessary to be able to traverse the fibre modem and the 2820..
I'm not sure why it should be any different from using the 2820 in ADSL mode. The modem SHOULD be transparent and the only difference on the 2820 is the change from PPPoA using the DSL port to PPPoE using the WAN port. Any NAT done by the 2820 is surely the same...

buxtonmarauder
Newbie
Posts: 7
Registered: ‎04-08-2014

Re: IPSEC VPN fails since upgrade to PN Fibre

Dunno.. I'm at the limit of my basic networking skills.. 😞
MisterW
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: IPSEC VPN fails since upgrade to PN Fibre

I've got a couple of 2820s used for VPN between our local office and a client's site. If I get time today I'll have a look and see if there's any significant difference I can see between the WAN connection and the DSL connection.
