ESP - protocol 50 dropped by ISPs. Workaround?

jroyster
Level 1

I'm seeing more and more ISPs have trouble with IPsec. Typical scenario is:

Pix 501/506 <---ipsec tunnel mode, ESP---> 3030 concentrator

When troubleshooting, the tunnel is formed yet can't pass traffic. You can see packets being encrypted and decrypted at the PIX end, but only encrypted on the 3030 end. Traces on the Internet router on the 3030 end show that indeed the UDP 500 traffic is flowing fine between the PIX and the 3030, but ESP frames (IP protocol 50) are one way only.

I've searched and it seems like this is a common occurrence, and in my experience it is happening more often. Is there any recommendation for a workaround for LAN-to-LAN IPsec tunnel mode to bypass the blocking or NAT that may be happening within ISPs? Are ISPs indeed starting to frown on IPsec and VPNs?
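The symptom described above (IKE on UDP 500 two-way, ESP one-way) is easy to eyeball in a short capture but tedious in a long one. The following script, added here as an illustration and not part of the original thread or any Cisco tool, tallies IKE and ESP packets per direction from plain (non-verbose) tcpdump text output and names the pattern. The two embedded traces are constructed, using RFC 5737 documentation addresses in place of the poster's real peers: 203.0.113.10 stands for the concentrator side and 198.51.100.20 for the PIX side. The second trace shows what the same peers look like once NAT-T is negotiated, with IKE and ESP both carried on UDP 4500, which is the workaround suggested later in the thread.

```python
"""Tally IKE and ESP packets per direction from tcpdump text output and
flag the one-way-ESP pattern (tunnel forms, traffic passes one way only)."""
import re
from collections import Counter

# Constructed sample standing in for a capture on the Internet router at the
# concentrator end. Documentation addresses, not the poster's real peers:
#   203.0.113.10  = VPN 3030 concentrator side
#   198.51.100.20 = PIX side
SAMPLE_TRACE = """\
12:00:01.000100 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 I ident
12:00:01.000300 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 R ident
12:00:01.400100 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 2/others I oakley-quick
12:00:01.400300 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others R oakley-quick
12:00:02.000100 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x1a2b3c4d,seq=0x1), length 132
12:00:02.010100 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x1a2b3c4d,seq=0x2), length 132
12:00:02.020100 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x1a2b3c4d,seq=0x3), length 132
"""

# Constructed sample of the same peers after NAT-T: IKE moves to UDP/4500 once a
# NAT is detected, and ESP rides inside UDP/4500 instead of raw IP protocol 50.
SAMPLE_TRACE_NATT = """\
12:10:01.000100 IP 198.51.100.20.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:10:01.000300 IP 203.0.113.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick
12:10:02.000100 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0a0b0c0d,seq=0x1), length 140
12:10:02.000400 IP 198.51.100.20.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0d0c0b0a,seq=0x1), length 140
"""

# Non-verbose tcpdump line: "<ts> IP src[.port] > dst[.port]: <payload>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify(line):
    """Return (kind, src, dst) for IKE/ESP packets, None for anything else.
    kind: 'ike' (UDP/500), 'esp' (IP protocol 50, no ports), or
    'natt-ike' / 'natt-esp' (both carried on UDP/4500 after NAT-T)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest, ports = m["rest"], {m["sport"], m["dport"]}
    if "4500" in ports:
        kind = "natt-esp" if "ESP(" in rest else "natt-ike"
    elif rest.startswith("ESP("):
        kind = "esp"
    elif "500" in ports and "isakmp" in rest:
        kind = "ike"
    else:
        return None
    return kind, m["src"], m["dst"]


def tally(trace, local, remote):
    """Count packets of each kind per direction between the two peers."""
    counts = Counter()
    for line in trace.splitlines():
        c = classify(line)
        if c is None:
            continue
        kind, src, dst = c
        if (src, dst) == (local, remote):
            counts[(kind, "out")] += 1
        elif (src, dst) == (remote, local):
            counts[(kind, "in")] += 1
    return counts


def diagnose(counts):
    """Map per-direction counts onto the symptoms discussed in the thread."""
    ike_in = counts[("ike", "in")] + counts[("natt-ike", "in")]
    ike_out = counts[("ike", "out")] + counts[("natt-ike", "out")]
    esp_in = counts[("esp", "in")] + counts[("natt-esp", "in")]
    esp_out = counts[("esp", "out")] + counts[("natt-esp", "out")]
    natt = any(kind.startswith("natt") for kind, _ in counts)
    if not (ike_in and ike_out):
        return "ike-failing", "IKE is not two-way; the tunnel cannot form at all"
    if esp_in and esp_out:
        how = "over UDP/4500 (NAT-T)" if natt else "as raw IP protocol 50"
        return "ok", "IKE and ESP are both two-way " + how
    if esp_out and not esp_in:
        return ("esp-inbound-missing",
                "IKE is two-way but ESP only leaves; the peer's protocol-50 packets "
                "are lost or mangled in transit. Candidate workaround: NAT-T (ESP in UDP/4500)")
    if esp_in and not esp_out:
        return "esp-outbound-missing", "ESP arrives but none is sent; check the local SAs and crypto map"
    return "no-esp", "IKE completed but no ESP seen in either direction"


def run(trace, local="203.0.113.10", remote="198.51.100.20"):
    counts = tally(trace, local, remote)
    verdict, detail = diagnose(counts)
    return verdict, detail, counts


if __name__ == "__main__":
    for name, trace in (("raw ESP", SAMPLE_TRACE), ("NAT-T", SAMPLE_TRACE_NATT)):
        verdict, detail, counts = run(trace)
        print(f"{name}: {verdict} - {detail}")
        print("   ", dict(counts))
```

Run against a real capture with `tcpdump -n` text output (no `-v`, since the verbose header format differs from what `LINE_RE` expects) and the two public peer addresses. Taking captures on both ends and comparing the per-direction ESP counts tells you which hop loses the protocol-50 packets; if the sending side shows ESP leaving and the receiving side shows none arriving, the path is the problem, not the crypto configuration.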

6 Replies

roraver
Level 1

You could always go with AH and try it that way, although you will not have the security you want. GET THE STUPID ISP TO PERMIT ESP!!!! That is about it.

So no other work around?

I guess if NAT was the reason the ESP frames weren't making it to their destination, some kind of NAT traversal or ESP in UDP would work. But I'm guessing at this point and trying to get more folks to chime in with their experience in solving this growing problem.

Thanks for the replies!

John Royster

John,

This is a lan to lan between the PIX and the concentrator right? Is there NAT going on? NAT/PAT can kill ESP, but from the topo map you put on here it looked like there was no NAT/PAT.

Rob

Rob,

Thanks for the reply. In that simple topo map the middle is the Internet. I can't be sure there is no NAT. As far as our gear is concerned, we avoid NAT at all costs with VPNs. I don't know if one of the providers or their upstream is NATting somewhere or simply dropping ESP frames. The ISP in question is in Taiwan, but I've seen this problem with other ISP services as well, it being more common outside the States.

The PIX does indeed have a public IP range.

Thanks again for the assistance. I've had TAC verify my configurations and they have checked everything. Sniffer traces confirm ESP frames flow only one way from the states to Taiwan, but do not return.

If you cannot be sure whether there is NAT/PAT in the middle, try this feature to see if it works.

We can now implement IPsec through NAT on both the IOS router ("IPSec NAT Transparency") and the PIX firewall ("VPN NAT Transparency"); the URLs are:

IOS:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

PIX OS:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_data_sheet09186a0080148714

You must be using the same ISP we are in Taiwan. I still have not been able to convince our office personnel out there that the problem is with the ISP. We have over 70 LAN-to-LAN connections in the world and Taiwan is our biggest headache.