AlwaysOn VPN IKEv2 issues on shared connection

FreakyNL

Hi,

We have some users that have issues connecting to the AlwaysOn VPN.

This only seems to occur to couples that work at the same company.

I monitored the firewall in front of our VPN, because I thought it would be the NAT of ESP (proto 50) causing the issues, but there's no ESP traffic coming in at all.

So I did some packet capturing and noticed the VPN client uses source ports 500/4500 and not ephemeral ports for the source.

My suspicion is that the NAT routers, or at least some of them, simply use the same source port for the NAT and, UDP not having a state, only the first one to connect will have a VPN, as the router simply doesn't know where to return the return traffic.

Anyone know if it's possible to make the VPN client use ephemeral (or at least different) ports for the source? I see no reason to fix the source ports to 500/4500 as well. Having it use ephemeral/different source ports should probably resolve this just fine.
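The condition the post suspects (two clients behind one NAT, both sourcing IKE from port 500/4500, with the NAT not rewriting the source port) is visible from the VPN server's or firewall's side of the capture: two different IKEv2 initiator SPIs arrive from the same public address and port. The script below is an added example, not code from the original post or from the AlwaysOn VPN client. It parses the fixed 28-byte IKEv2 header (RFC 7296, section 3.1) out of UDP payloads, skips the four-byte non-ESP marker that NAT-T prepends on UDP/4500 (RFC 3948) and refuses ESP-in-UDP packets on that port, then groups IKE_SA_INIT requests by (source IP, source port) and reports mappings that carry more than one initiator SPI. The function names, the sample records, the documentation-range addresses and the SPI values are all constructed for this example.

```python
"""Find IKEv2 clients that collapse onto a single NAT mapping (added example)."""
import struct
from collections import defaultdict

IKE_HEADER_LEN = 28
IKEV2_VERSION = 0x20             # major 2, minor 0
IKE_SA_INIT = 34                 # exchange types, RFC 7296 section 3.1
IKE_AUTH = 35
FLAG_INITIATOR = 0x08            # header flag bits, RFC 7296 section 3.1
FLAG_RESPONSE = 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2, UDP/4500 only


def parse_ike_header(payload: bytes, dst_port: int) -> dict:
    """Return the IKE header fields of one UDP payload, or raise ValueError
    if the payload is not an IKEv2 message (e.g. ESP-in-UDP on port 4500)."""
    data = payload
    if dst_port == 4500:
        # On UDP/4500 IKE is prefixed with four zero bytes; a non-zero prefix
        # is the SPI of a UDP-encapsulated ESP packet, not an IKE message.
        if not data.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 payload without non-ESP marker")
        data = data[len(NON_ESP_MARKER):]
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    ispi, rspi, _next, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:IKE_HEADER_LEN])
    if version != IKEV2_VERSION:
        raise ValueError(f"not IKEv2 (version byte 0x{version:02x})")
    return {
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "exchange_type": exch,
        "is_request": not (flags & FLAG_RESPONSE),
        "from_initiator": bool(flags & FLAG_INITIATOR),
        "message_id": msg_id,
        "length": length,
    }


def shared_mappings(records):
    """Group IKE_SA_INIT requests by the public (src_ip, src_port) the server
    saw; return only mappings that carry more than one initiator SPI."""
    spis_by_mapping = defaultdict(set)
    for src_ip, src_port, dst_port, payload in records:
        try:
            hdr = parse_ike_header(payload, dst_port)
        except ValueError:
            continue  # ESP-in-UDP or garbage: not relevant to this check
        if hdr["exchange_type"] != IKE_SA_INIT or not hdr["is_request"]:
            continue
        spis_by_mapping[(src_ip, src_port)].add(hdr["initiator_spi"])
    return {k: sorted(v) for k, v in spis_by_mapping.items() if len(v) > 1}


def build_ike_request(ispi: bytes, exchange: int, dst_port: int, msg_id: int = 0) -> bytes:
    """Constructed header-only IKEv2 request used as sample input (hypothetical helper)."""
    hdr = struct.pack("!8s8sBBBBII", ispi, b"\x00" * 8, 33, IKEV2_VERSION,
                      exchange, FLAG_INITIATOR, msg_id, IKE_HEADER_LEN)
    return NON_ESP_MARKER + hdr if dst_port == 4500 else hdr


# Constructed sample capture: (src_ip, src_port, dst_port, udp_payload).
# Addresses are documentation ranges; SPIs are made up.
SAMPLE_RECORDS = [
    # Two clients behind 203.0.113.10; the NAT kept source port 500 for both.
    ("203.0.113.10", 500, 500, build_ike_request(bytes.fromhex("a1a1a1a1a1a1a1a1"), IKE_SA_INIT, 500)),
    ("203.0.113.10", 500, 500, build_ike_request(bytes.fromhex("b2b2b2b2b2b2b2b2"), IKE_SA_INIT, 500)),
    ("203.0.113.10", 500, 500, build_ike_request(bytes.fromhex("b2b2b2b2b2b2b2b2"), IKE_SA_INIT, 500)),  # retransmit
    # One client behind 198.51.100.7: IKE_SA_INIT on 500, then IKE_AUTH on 4500.
    ("198.51.100.7", 500, 500, build_ike_request(bytes.fromhex("c3c3c3c3c3c3c3c3"), IKE_SA_INIT, 500)),
    ("198.51.100.7", 4500, 4500, build_ike_request(bytes.fromhex("c3c3c3c3c3c3c3c3"), IKE_AUTH, 4500, 1)),
    # A NAT that rewrote the source port to an ephemeral one.
    ("192.0.2.44", 61005, 500, build_ike_request(bytes.fromhex("d4d4d4d4d4d4d4d4"), IKE_SA_INIT, 500)),
    # ESP-in-UDP on 4500 (leading bytes are an ESP SPI, not the marker): skipped.
    ("198.51.100.7", 4500, 4500, bytes.fromhex("0000abcd00000001") + b"\x00" * 20),
]

if __name__ == "__main__":
    for (ip, port), spis in shared_mappings(SAMPLE_RECORDS).items():
        print(f"{ip}:{port} carries {len(spis)} initiator SPIs: {', '.join(spis)}")
```

Run against a real capture, a mapping like `203.0.113.10:500` with two SPIs is the signature of the problem described above: the server answers both IKE_SA_INIT requests to the same address and port, and the NAT can only hand the replies to one inner host. A site whose NAT does rewrite ports shows up like `192.0.2.44:61005`, one SPI per mapping, so the same check also tells you which customer routers are behaving and which are not.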
