Vpn, Trace Route Doesn't Work


kudroz

Oh well,

Just subscribed with CAT for a 2 mb/s package. I can't do a trace route and I can't connect to any VPN (ports or packets blocked?). I have a TOT and TT&T line; which ISP in Chiang Mai would be the most friendly to my VPN, torrents, etc., and can provide at least a 2 mb/s connection?

I can't even make a trace route; it gets blocked for some reason... Any help would be great! Thanks!

I can traceroute from my TOT ADSL account.

Traceroute sends UDP or ICMP packets (ICMP on most versions of Windows) but no TCP AFAIK. It expects to receive ICMP replies from routers along the path.

Some lousy ISPs block ICMPs in a feeble attempt at "improving security" (wouldn't be surprised at all if CAT is among them - "lousy" fits them alright - actually I know that they *do* block ICMPs on some of their links). Not only is it useless, but it also breaks essential mechanisms of TCP/IP (PMTU discovery) and traceroute.

Things can get a little bit more complex if you traceroute from behind a NAT ADSL router (basically most of the non-USB ones).

Some have buggy connection tracking in their firmware and don't route the ICMPs back to the client properly.

The same NAT routers can really make VPN connections difficult. In most cases, you have to tweak the configuration of the router so that VPN packets (GRE or IPSEC) are properly routed to the right client behind the router. Quite often that means only one VPN client behind your ADSL router, sometimes even only one connection from one client.

This kind of tweaking usually is found in a menu called "port forwarding" in the web admin interface of your ADSL router.

Details depend on the exact model and the kind of VPN connection.

--Lannig
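Lannig's description of how traceroute works and what an ICMP-filtering link does to it can be illustrated with a small model. The following Python is an added example, not code from the thread: it walks a probe hop by hop, expires the TTL, and returns the ICMP Time Exceeded only when no earlier link filters ICMP. The router addresses and the path are constructed; no packets are sent. Beyond what the post says, the model also includes the TCP SYN probe mode of the Linux traceroute (-T, alongside -U for UDP and -I for ICMP), to show that it only helps for the final hop: the intermediate routers still answer with ICMP, so behind a filter they stay blank whatever the probe type.

```python
"""Added example: a model of traceroute on a clean path and on a path where one
link drops ICMP.  Constructed addresses; nothing is sent on the wire."""
from dataclasses import dataclass


@dataclass
class Router:
    addr: str
    # True: the ISP filters ICMP on the link leading into this router, so
    # ICMP crossing that link in either direction is dropped
    blocks_icmp: bool = False


def forward(path, dst, ttl, probe):
    """Walk one probe along the path.

    Returns (replier, kind): kind is 'time-exceeded' for an ICMP Time Exceeded
    from a router, 'reached' for an answer from the destination, or None when
    nothing comes back.  probe is 'udp', 'icmp' or 'tcp' (the probe types the
    Linux traceroute -U / -I / -T options send).
    """
    icmp_blocked = False
    for hop in path:
        if hop.blocks_icmp:
            icmp_blocked = True
            if probe == 'icmp':
                return None, None   # an ICMP echo probe is itself dropped here
        ttl -= 1
        if ttl == 0:
            # The router discards the probe and answers with ICMP Time Exceeded.
            # That answer travels back over every earlier link, so it is lost
            # if any of them filters ICMP.
            return (None, None) if icmp_blocked else (hop.addr, 'time-exceeded')
    # TTL survived the whole path, so the destination answers.  UDP probes get
    # an ICMP Port Unreachable and ICMP probes an Echo Reply (both ICMP, both
    # lost behind a filter); a TCP SYN probe gets a SYN-ACK or RST, which is
    # plain TCP and passes an ICMP filter.
    if probe == 'tcp' or not icmp_blocked:
        return dst, 'reached'
    return None, None


def traceroute(path, dst, probe='udp', max_ttl=8):
    """Probe with TTL 1, 2, 3 ... and return [(ttl, replier or '*'), ...]."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        replier, kind = forward(path, dst, ttl, probe)
        rows.append((ttl, replier or '*'))
        if kind == 'reached':
            break
    return rows


# Constructed path: home router, ISP router, far-end router, then the host
# being traced.  FILTERED is the same path with ICMP dropped on the link into
# the ISP router.
DST = '203.0.113.80'
CLEAN = [Router('192.0.2.1'), Router('198.51.100.1'), Router('203.0.113.1')]
FILTERED = [Router('192.0.2.1'), Router('198.51.100.1', blocks_icmp=True),
            Router('203.0.113.1')]

if __name__ == '__main__':
    for label, path, probe in (('clean path, UDP probes', CLEAN, 'udp'),
                               ('filtered link, UDP probes', FILTERED, 'udp'),
                               ('filtered link, TCP SYN probes', FILTERED, 'tcp')):
        print(f'--- {label} ---')
        for ttl, who in traceroute(path, DST, probe, max_ttl=5):
            print(f'{ttl:2d}  {who}')
```

On the filtered path the UDP trace shows the first hop and then nothing but `*`, which is exactly what a working path behind an ICMP-dropping ISP link looks like; the TCP SYN trace still ends with the destination answering, which is a useful way to tell "ICMP filtered somewhere" apart from "host unreachable".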

If the packets aren't getting through the VPN it sounds more like an ISP-supplied VPN than a router-based VPN, as the tunnel would exist between the two end points, so anything the ISP does would not affect the traffic in the tunnel.

Is the tunnel ISP-supplied or one you have configured on the end point routers? If you set it up, is it an IPSEC or L2TP tunnel, as it may be harder on the latter to tracert through? What model of routers do you use?

NAT and port forwarding don't really come into it as nearly all VPNs use private IP addressing.

> NAT and port forwarding don't really come into it as nearly all VPNs use private IP addressing.

Sorry, that's nonsense :o. VPN IP addresses (usually private, yes) are inside the encapsulated packet that crosses your ADSL router. They're not used for anything by the ADSL router (not even seen). But the packets still use real IPs on the "outside" to route the packet from the VPN client to the VPN server/concentrator and back.

When such a packet hits your ADSL router, it has to figure out what client behind the NAT should receive it. For "ordinary" IP connections, the router does connection tracking of the HTTP, FTP, whatever connections originated from the client. But for a VPN connection that's using an IP protocol which is neither TCP nor UDP (e.g. GRE for L2TP) many routers don't know how to handle this. At least not automagically. You have to explicitly define the forwarding you want for this protocol in the configuration of the router. Sometimes it's not possible at all.

There's always IPSEC over TCP, I think (?) only available with Cisco VPN concentrators. If you use this, then it's painless (but there's a performance hit).

Generally speaking, doing VPN from behind a NAT is a pain. I'm not saying impossible, but painful.

Most ADSL routers do NAT.

--Lannig

> > NAT and port forwarding don't really come into it as nearly all VPNs use private IP addressing.
>
> Sorry, that's nonsense :o. VPN IP addresses (usually private, yes) are inside the encapsulated packet that crosses your ADSL router. They're not used for anything by the ADSL router (not even seen). But the packets still use real IPs on the "outside" to route the packet from the VPN client to the VPN server/concentrator and back.
>
> When such a packet hits your ADSL router, it has to figure out what client behind the NAT should receive it. For "ordinary" IP connections, the router does connection tracking of the HTTP, FTP, whatever connections originated from the client. But for a VPN connection that's using an IP protocol which is neither TCP nor UDP (e.g. GRE for L2TP) many routers don't know how to handle this. At least not automagically. You have to explicitly define the forwarding you want for this protocol in the configuration of the router. Sometimes it's not possible at all.
>
> There's always IPSEC over TCP, I think (?) only available with Cisco VPN concentrators. If you use this, then it's painless (but there's a performance hit).
>
> Generally speaking, doing VPN from behind a NAT is a pain. I'm not saying impossible, but painful.
>
> Most ADSL routers do NAT.
>
> --Lannig

Lannig, sorry if it seemed like an attack. I was thinking of the most common setups, but things may still be a bit behind overseas here, hence the quotes you make above. I explain below.

When I said what I did, it means the ADSL router has inbuilt IPSEC or L2TP capabilities. What you seem to be referring to is having a VPN concentrator behind the ADSL router, in which case you would need port forwarding, and it is a pain as a lot of routers won't support VPN passthrough. Does that clear it up?

Maybe he is doing the VPN from the Windows client; even then, yes, a real pain.

IPSEC is available from most cheap ADSL routers these days and most can do both DES and 3DES encryption without too much overhead, as it's all done in silicon these days rather than having to run a software algorithm in the router.

There are basically two different types of VPNs. I guess both types are mixed up here and are causing some confusion.

The oldest VPN type is a connection between 2 routers. Data traffic can be encrypted using IPSEC. The most important thing here is that this traffic is not about TCP or UDP - it's running on a different protocol number: ESP. This kind of VPN has to be configured on both sides of the link.

Most simple ADSL routers are capable of translating UDP and TCP port numbers, but are not capable of translating protocol numbers. Besides that, running a VPN connection of this type over NAT will be really slow.

The second type of VPN is more of a client-server configuration. The connection is always initiated from the client (e.g. a PC) and uses L2TP or PPTP for transport (Windows XP has this type of VPN connection built-in).

NAT is no problem for this kind of VPN - the central VPN device receiving all VPN traffic has to be on a public IP address, but the traffic can initiate from a private IP (which is somewhere along the way NATed to a public IP).

The first type of VPN can be considered as a static point-to-point connection; the second type of VPN can be considered as a dynamic dial-up connection (but no phone involved!)

@kudroz:

I can help you testing if you can or cannot make a VPN connection over your CAT line - PM me.

Edited by Prasert
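Lannig's point that the ADSL router tracks TCP/UDP connections but has no automatic way to handle a port-less protocol, and Prasert's point that simple routers translate port numbers but not protocol numbers, can both be shown with a toy NAT table. The following Python is an added example, not code from the thread or from any router vendor: a tiny connection-tracking router, a client behind it, and a server outside. It keys its table on (protocol, port), so an outbound UDP or TCP flow gets a return path for free, while GRE (IP protocol 47, the PPTP data channel) and ESP (IP protocol 50, IPSEC) get nothing unless a hand-configured rule sends every packet of that protocol to one LAN host, the "only one VPN client behind the router" limit Lannig mentions. The UDP 4500 scenario is my addition: IPSEC NAT-T wraps ESP in UDP precisely so that ordinary port tracking can carry it. Real routers with a "VPN passthrough" helper for GRE/PPTP are deliberately not modelled; all addresses and packets are constructed and nothing is sent.

```python
"""Added example: a toy model of a NAT ADSL router's connection tracking and
what it does with VPN protocols that have no port numbers.  Constructed
addresses; nothing is sent on the wire."""
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50          # IP protocol numbers
PUBLIC_IP = '203.0.113.7'                   # the router's WAN address
CLIENT, CLIENT2 = '192.168.1.10', '192.168.1.11'   # two LAN hosts
SERVER = '198.51.100.5'                     # VPN server / concentrator


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # only TCP and UDP carry port numbers
    dport: Optional[int] = None


class NatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}           # (proto, public port) -> (LAN ip, LAN port)
        self.proto_forward = {}   # IP protocol number -> LAN ip, set by hand

    def forward_protocol(self, proto, lan_ip):
        """The rule from the router's admin page: every inbound packet of this
        IP protocol goes to one LAN host."""
        self.proto_forward[proto] = lan_ip

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the public address."""
        if pkt.proto in (TCP, UDP):
            public_port = self.next_port
            self.next_port += 1
            # Connection tracking: remember which LAN host owns this public port
            self.table[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
            return Packet(pkt.proto, self.public_ip, pkt.dst, public_port, pkt.dport)
        # No port field to key a table entry on, so nothing is remembered
        return Packet(pkt.proto, self.public_ip, pkt.dst)

    def inbound(self, pkt):
        """Internet -> LAN: return the delivered packet, or None if dropped."""
        if pkt.proto in (TCP, UDP):
            entry = self.table.get((pkt.proto, pkt.dport))
            if entry is None:
                return None
            lan_ip, lan_port = entry
            return Packet(pkt.proto, pkt.src, lan_ip, pkt.sport, lan_port)
        lan_ip = self.proto_forward.get(pkt.proto)
        if lan_ip is None:
            return None   # port-less protocol and no explicit rule: dropped
        return Packet(pkt.proto, pkt.src, lan_ip)


def vpn_reply_reaches_client(router, proto, port=None, client=CLIENT):
    """One VPN packet goes out from the client and the server answers it;
    return True if the answer is delivered back to that same client."""
    out = router.outbound(Packet(proto, client, SERVER, port, port))
    reply = Packet(proto, SERVER, router.public_ip, out.dport, out.sport)
    back = router.inbound(reply)
    return back is not None and back.dst == client


def demo():
    """Run the scenarios the thread argues about; return name -> delivered?"""
    r = NatRouter(PUBLIC_IP)
    results = {
        'IKE on UDP 500, no rule': vpn_reply_reaches_client(r, UDP, 500),
        'ESP in UDP 4500 (NAT-T), no rule': vpn_reply_reaches_client(r, UDP, 4500),
        'plain ESP, no rule': vpn_reply_reaches_client(r, ESP),
        'GRE (PPTP data), no rule': vpn_reply_reaches_client(r, GRE),
    }
    r.forward_protocol(ESP, CLIENT)
    results['plain ESP, protocol forwarded to client'] = vpn_reply_reaches_client(r, ESP)
    # A second LAN host starts its own ESP session: the rule sends every ESP
    # reply to the first client, which is the "only one VPN client" limit.
    results['plain ESP, second client behind same rule'] = vpn_reply_reaches_client(
        r, ESP, client=CLIENT2)
    return results


if __name__ == '__main__':
    for scenario, ok in demo().items():
        print(f'{scenario:45s} {"delivered" if ok else "dropped"}')
```

The two rows that fail without a rule are the ones that bite in practice: PPTP's TCP 1723 control connection comes up fine and then the GRE data packets vanish, which looks like "the NAT blocks PPTP", while an IPSEC client that negotiates NAT-T lands in the UDP 4500 row and works through the same router untouched.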
> > NAT and port forwarding don't really come into it as nearly all VPNs use private IP addressing.
>
> Sorry, that's nonsense :o. VPN IP addresses (usually private, yes) are inside the encapsulated packet that crosses your ADSL router. (...)

> Lannig, sorry if it seemed like an attack. I was thinking of the most common setups, but things may still be a bit behind overseas here, hence the quotes you make above. I explain below.

An attack? I certainly didn't take it as such... re-reading it, maybe my own wording was a bit too direct though... solly :D (any "yim siam" icon?)

> When I said what I did, it means the ADSL router has inbuilt IPSEC or L2TP capabilities. What you seem to be referring to is having a VPN concentrator behind the ADSL router

Really I meant VPN client behind the ADSL router.

> in which case you would need port forwarding, and it is a pain as a lot of routers won't support VPN passthrough. Does that clear it up?
>
> Maybe he is doing the VPN from the Windows client; even then, yes, a real pain.
>
> IPSEC is available from most cheap ADSL routers these days and most can do both DES and 3DES encryption without too much overhead, as it's all done in silicon these days rather than having to run a software algorithm in the router.

Really? hum... don't think that my TOT-provided ADSL router can work as an IPSEC endpoint, but I'll take your word for this, I haven't checked any others.

--Lannig

Okay, well, I fixed it.

It seems that the NAT I am connected to blocks PPTP traffic. So I changed the VPN server we have over to IPSEC, and the NAT isn't blocking it.

To fix my trace route problems, well it was the router that CAT telecom gave me. I bought a Linksys Wireless ADSL router, and it works wonders...
