VPN Access On-the-road
#1
Original Poster

Join Date: Mar 2001
Location: tallahassee, florida, us
Programs: DL/Ex-NWA
Posts: 31
I'm a consultant with several small accounts and two large ones. Both of my large clients have Cisco network equipment and provide access for me to their corporate resources using a VPN.
With client one, who use a Cisco 3000 series appliance, the IPSec connection is over TCP and it works like a champ. Client two, a large technology company, uses a Cisco 7000 series router and provides IPSec over UDP. That connection seems to time out after about 15 minutes. I've talked to the company's internal Cisco guy, and have had long conversations with a router SE at Cisco. Their claim is that UDP is an "industry standard" and that because most hotel networks and access points provide services through NAT/DHCP, there is no way to reliably connect to the VPN. This sounds like an excuse to me.
Any traveling net geeks among the faithful who can offer advice on this one?
Regards,
Dave
#2




Join Date: Jan 2000
Location: SoCal to the rest of the world...
Programs: AA 1MM EXP. UA 2MM Lifetime Plat
Posts: 6,742
We're using TCP and we have a very secure implementation...
Has your IT team considered using TCP + a cypher key... The CISCO VPN client supports them pretty well
#4
A FlyerTalk Posting Legend




Join Date: Aug 2002
Location: NY Metro Area
Programs: AA 2MM Yay!, UA MM, Costco General Member
Posts: 50,847
I'm not exactly sure what the question is. But I can say that we have a Cisco 3000 and I use Win2K, MacOSX, and PPC2002 VPN clients on WiFi and wired connections on the Win2K and MacOSX without any trouble most places I go. I'm almost certain they all use DHCP. I have run into a few places where wireless would work but I couldn't get VPN to work. These are a great minority in my experience.
#5
FlyerTalk Evangelist

Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,337
Some NAT devices can handle UDP automatically, and some have to be programmed to do the portmapping. Also it depends on the protocol. Some protocols like FTP have to have special NAT handling since ports are exchanged inside the data stream. I'm guessing that is your problem.
#7
Join Date: Jul 2000
Location: Commuting around the mid-atlantic and rust-belt on any number of RJs
Programs: TSA Random Selectee Platinum, * Gold, SPG/HH/MR mid-tier, and a tiny bag of pretzels.
Posts: 9,255
Cisco's UDP over NAT and NAT-T implementations work pretty well in the 3000 series with a recent client.
Not that you would actually want to do it, mind you, but it does work.
#8




Join Date: Jan 2000
Location: SoCal to the rest of the world...
Programs: AA 1MM EXP. UA 2MM Lifetime Plat
Posts: 6,742
The problem is many routers along the path may have issues with UDP packets... no-resend; hence you're hosed.
UDP is not good for VPN in a variable network config (e.g. someone on the road)

