Protocol 50

charles.manley
Level 1

Is there a way that anyone knows of for testing to see if protocol 50 is being blocked? We have a number of users who connect over remote LANs and are going through mom-and-pop ISPs before getting to us, and in some of these cases the tunnel is being created, but once any true (pings work) data starts being passed they lose the connection. The tunnel stays up, but no data will pass.

Thanks.

4 Replies

charles.manley
Level 1

Also, is it correct that if we're using IPSec over UDP, protocol 50 isn't used anyway?

Hi,

Yes, you are right!!

If IPSec Over UDP Option is used, then protocol 50 is wrapped in UDP Port 10000 (Default, which is configurable).

Regards,

Arul

ajagadee
Cisco Employee

Hi,

You can define an access-list on your edge routers based on the VPN server's IP address and do a debug on it, or you can run a sniffer to look at the ESP packets.

Regards,

Arul

Phillip Remaker
Cisco Employee

There is no easy way to tell. Since the connection is established using ISAKMP (UDP protocol 500), the connection may establish even if IP protocols other than TCP/UDP/ICMP are blocked. Smaller ISPs may use NAT, and may not support NAT of IP/ESP (aka IP protocol 50). A workaround is to use the NAT traversal option of the VPN, which uses UDP port 10000 (I am assuming you are using a VPN 3000 here).

Another thing to try is to lower the Ethernet MTU of the PC, for fragmentation-unfriendly ISPs. Try 1300.
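As an added illustration of the sniffer check Arul suggests and of the IPSec-over-UDP distinction in the last reply (example code written for this page, not from the thread or from Cisco): a small classifier for raw IPv4 packets captured on the VPN-server side that tells raw ESP (IP protocol 50) apart from ESP wrapped in UDP/10000 and from ISAKMP, and reduces a capture to a verdict. The packets at the bottom are constructed samples standing in for a real capture; UDP/10000 is the configurable default named above.

```python
import socket
import struct
from collections import Counter

ESP_PROTO, UDP_PROTO = 50, 17
ISAKMP_PORT = 500             # IKE negotiation
IPSEC_OVER_UDP_PORT = 10000   # "IPSec over UDP" default named in the thread

def classify_ipv4(pkt: bytes) -> str:
    """Label one raw IPv4 packet as 'isakmp', 'esp', 'udp-esp' or 'other'."""
    ihl = (pkt[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto = pkt[9]
    if proto == ESP_PROTO:
        return "esp"
    if proto == UDP_PROTO and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if ISAKMP_PORT in (sport, dport):
            return "isakmp"
        if IPSEC_OVER_UDP_PORT in (sport, dport):
            return "udp-esp"
    return "other"

def diagnose(packets) -> str:
    """Reduce a server-side capture of one client's traffic to a verdict."""
    c = Counter(classify_ipv4(p) for p in packets)
    if c["esp"]:
        return "esp-ok"            # raw IP protocol 50 is getting through
    if c["udp-esp"]:
        return "udp-esp-ok"        # ESP inside UDP/10000; protocol 50 not needed
    if c["isakmp"]:
        return "esp-blocked"       # IKE reached us, but no ESP in either form did
    return "no-ike"                # nothing negotiated; not a protocol 50 question

# --- constructed sample traffic (not a real capture) ---
def ipv4(proto: int, payload: bytes, src="10.0.0.2", dst="192.0.2.1") -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload           # checksum left 0; classify_ipv4 does not verify it

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP_BODY = struct.pack("!II", 0x1A2B3C4D, 1) + b"\x00" * 16   # SPI, seq, opaque data
IKE = ipv4(UDP_PROTO, udp(500, 500, b"\x00" * 28))            # ISAKMP header is 28 bytes
RAW_ESP = ipv4(ESP_PROTO, ESP_BODY)
WRAPPED_ESP = ipv4(UDP_PROTO, udp(10000, 10000, ESP_BODY))

if __name__ == "__main__":
    print(diagnose([IKE, IKE]))                 # esp-blocked
    print(diagnose([IKE, RAW_ESP]))             # esp-ok
    print(diagnose([IKE, WRAPPED_ESP]))         # udp-esp-ok
```

On a live box the same logic can be fed from a raw socket or a pcap reader; the "esp-blocked" verdict is exactly the symptom in the question, a tunnel that negotiates but never carries data.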