07-14-2005 10:12 AM - edited 02-21-2020 12:16 AM
We are currently running a Cisco 3000 concentrator with multiple roaming clients. Our current settings prevent these clients from checking their email or browsing the internet while connected to the VPN. This is a set-in-stone security policy. Unfortunately, most ISPs' PPPoE clients require a keepalive that is not seen while working in this environment, and this kills the remote's connection (DSL, cable, and dial-up). I am looking for a workaround that could possibly keep the security policy intact while also allowing the PPPoE keepalive to get to the ISP. Any ideas?
07-14-2005 10:13 AM
By the way, our client version is 4.0.2. Thanks
07-21-2005 04:47 PM
The VPN tunnel is between the concentrator and the PC itself, so provided the remote user has a DSL/cable router at home, the router should be able to handle the keepalive.
07-25-2005 08:23 PM
Please let us know how you go, and perhaps rate the post.
09-30-2005 06:24 AM
I am having a similar problem in that my Bell Sympatico clients (PPPoE) are getting disconnects in the middle of their sessions. Let me know if you find a resolution. Thanks
09-30-2005 07:39 AM
We continue to have problems. The router fix worked for some, while setting the PPPoE login in their DSL modem's firmware worked for others. We could not get a 100% fix on the problem though. We are currently looking at a VPN web solution that runs over port 80. This has worked very, very well. Keeping the browser open not only keeps the VPN alive but solves the problem of the PPPoE keepalive. It also solves issues of ISPs requiring commercial accounts to open VPN ports for clients.
10-01-2005 06:49 AM
With the concentrator, you can configure IPsec over TCP with a specific port. You may want to check it out.
configuration > tunneling and security > ipsec > nat transparency
10-02-2005 11:12 PM
Maybe you can find out what exactly the keepalive traffic is. Use the freeware "TcpView" on the PC. It shows all the in/out traffic, including destination IP, protocol and port.
With the destination IP, you may split the VPN traffic then. But you need to change the security policy to cope with this.
10-13-2005 06:09 PM
Just wondering how you go.
10-14-2005 05:19 AM
Update... I'd like to thank everyone for their advice. I have come to the conclusion that this is not an issue of any one protocol but rather that, unfortunately, ISPs choose not to standardize their technologies nor their connection and traffic policies. So it forces us as engineers and administrators to develop all sorts of funky workarounds to make anything work.
I am still using our concentrator to connect from site to site over DS1s and DS3s. This solution works well here, where I can manage our circuits and have open pipes with no DLEC or ISP intervention or responsibility other than connectivity.
When it comes to our outside sales force that moves from location to location, roaming from network to network, technology to technology (DSL, cable, dedicated circuits, wireless, and of course all the connection policies to work around), our web connect VPN works the best with the least amount of hassle in administration.