What can an ISP do to block IPSEC traffic?
Every so often we encounter a problem where we cannot get an IPSEC VPN tunnel to work. Sometimes we know the local authorities restrict use of IPSEC (e.g. Bangladesh), and have to get some kind of exemption. Other times the ISP changes something and the connection drops (e.g. Haiti).
I assume there are a bunch of things that might prevent IPSEC from working. For example, blocking UDP port 500 would prevent IKE.
Rather than looking for a resolution for a specific problem, can anyone give a list of what different things an ISP might do to block IPSEC traffic, either on purpose or by accident?
The answer to this question will be useful in troubleshooting, but also in letting ISPs know what specific things they need to fix when we can't get our VPN up!
Drawing on Chapter 4 of IPsec Virtual Private Network Fundamentals, the following architectural issues can disrupt IPsec traffic:
- Firewall not allowing required protocols:
  - ISAKMP (Port 500)
  - ESP (IP Protocol 50)
  - AH (IP Protocol 51)
- Firewall (or router) not handling fragmented IPsec packets, such as:
  - not replying to ICMP-Unreachable packets - breaking Path MTU Detection
Some of these things could result from an ISP introducing new equipment that by default does one of the above (blocking ICMP-Unreachable seems quite a likely default setting). They may not realise they need to fix such problems in order to support their customers who use IPSEC - and it may not affect all their customers.
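As an added example (not from the answer above or the book it cites), here is a small Python audit that runs that checklist over constructed firewall log lines in a hypothetical format and reports which IPsec requirement a drop would violate; it also covers IKE NAT-T on UDP 4500, which the answer does not mention, so a tunnel behind NAT can be checked too.

```python
import re
# Requirements from the answer above; UDP 4500 (NAT-T) is an addition not on the page.
REQUIREMENTS = {
    "IKE/ISAKMP (UDP 500)":   lambda p: p["proto"] == "udp" and p["dport"] == 500,
    "IKE NAT-T (UDP 4500)":   lambda p: p["proto"] == "udp" and p["dport"] == 4500,
    "ESP (IP protocol 50)":   lambda p: p["proto"] == "50",
    "AH (IP protocol 51)":    lambda p: p["proto"] == "51",
    "ICMP frag-needed (3/4)": lambda p: p["proto"] == "icmp" and p["icmp"] == (3, 4),
}

# Hypothetical log format (constructed for this example, not any vendor's):
#   <ACCEPT|DROP> proto=<udp|tcp|icmp|NN> src=<ip> dst=<ip> [dport=N] [type=N code=N]
LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>\w+)\s+src=\S+\s+dst=\S+"
    r"(?:\s+dport=(?P<dport>\d+))?(?:\s+type=(?P<type>\d+)\s+code=(?P<code>\d+))?"
)

def parse(line):
    """Parse one log line into a dict, or return None for an unrecognised line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"action": d["action"], "proto": d["proto"].lower(),
            "dport": int(d["dport"]) if d["dport"] else None,
            "icmp": (int(d["type"]), int(d["code"])) if d["type"] else None}

def audit(lines):
    """Return {requirement: 'blocked' | 'allowed' | 'not observed'}. One DROP is
    enough to mark a requirement blocked: a dropped IKE/ESP packet stops the tunnel
    forming, and a dropped ICMP type 3 code 4 breaks Path MTU Discovery."""
    status = {name: "not observed" for name in REQUIREMENTS}
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        for name, matches in REQUIREMENTS.items():
            if not matches(p):
                continue
            if p["action"] == "DROP":
                status[name] = "blocked"
            elif status[name] == "not observed":
                status[name] = "allowed"
    return status

SAMPLE = [  # constructed sample lines, not real traffic
    "ACCEPT proto=udp src=203.0.113.5 dst=198.51.100.9 dport=500",
    "DROP proto=50 src=203.0.113.5 dst=198.51.100.9",
    "DROP proto=icmp src=198.51.100.1 dst=203.0.113.5 type=3 code=4",
]
```

Running `audit(SAMPLE)` on the constructed lines shows the pattern the answer warns about: IKE negotiates fine while ESP and the ICMP fragmentation-needed replies are dropped, so the tunnel "comes up" but carries no traffic.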
There's really not much we can do to answer this "question" -- they can block IKE, they can block L2TP/GRE/other tunneling protocols, they can block any packet that looks like it might be using ESP/AH, etc.
-- The exhaustive list of ways things can break is (usually) infinite: Without details of how your VPNs are set up and a specific breakage to troubleshoot it's nigh impossible to give you much more detail than the above, though I'm sure others can list specific breakages they've encountered and how they were resolved...