RESET Forums (homeservershow.com)

a LAN switch interferes with ipsec vpn ?


nrf
 Share

Recommended Posts

A recent change in my ISP setup forced me to deal with an issue I have been keeping on the back burner. A while back, I had to change to a new VPN client for work. I had difficulty connecting as it told me a firewall must be blocking IPsec or UDP. Blaming it on the router, I had circled through several with some initial success but ultimately failure. Having no choice now, I have narrowed it down to my network switch. The VPN is IPsec to a Cisco VPN server (port 4500 and all).

 

Bottom line: with switches like the GS108Tv2 and GS-1100-5 between my work PC and router (currently Sophos UTM 9), no problem. But my fancy TP-Link T1600G-28TS, no go. It validates the password OK but can't connect the VPN itself.

 

Any seasoned veterans out there have an idea how this switch could be messing it up?

thanks in advance!

nrf



Hi

How have you configured the switch? VLANs, QoS, port prioritisation, etc.?

I'd try removing any of these features and running it as a dumb switch, then later turning back on any tweaks you've made to see which one is causing the issues.

Matt

No VLAN, no touching of priorities, not much to turn off. Should any of it even inhibit IPsec/UDP?

DoS Defend - on

DHCP snooping - on

LLDP - on

 


Probably not the issue you are having, but on the two switches that work, are they IPv4 only or is IPv6 enabled? If they are IPv4 only, I would try disabling IPv6 on the T1600G.

Also have you upgraded the switch to the latest firmware?

 


Good questions. Do switches know/care about IPv6 if you don't try to access their admin page that way? The only IPv6 in my network is the link-local stuff that comes on by default. One of the switches that works seems to have IPv6 in it, one doesn't, and I don't see anything in the bad one about IPv6...

 

And of course I always start with firmware updates if the company cares to provide any... which they haven't.


Resolved. Solution: in Network Security -> Dos Defend -> Dos Defend,

turn off both "Ping Flooding" and 'Blat Attack'.


 

Resolved. Solution: in Network Security -> Dos Defend -> Dos Defend,

turn off both "Ping Flooding" and 'Blat Attack'.

 

What led you to the discovery?


Turning off the remaining features and turning them back on one by one.


Tried and tested best approach!!

Glad it's sorted. Looks like TP-Link's implementation of DoS and Blat protections has impacts on other services as well, e.g. Bonjour for Apple devices and SIP.
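As an added illustration (not from the thread or from TP-Link), the Python below models why a "Blat Attack" check can break the traffic named above. It assumes the usual vendor definition of a Blat check, a datagram whose source and destination ports are equal; IKE (UDP 500), NAT-T (UDP 4500), Bonjour/mDNS (UDP 5353) and SIP (UDP 5060) all use the same well-known port on both ends, so they match. All addresses and flows are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Datagram:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    label: str

# Constructed flows modelled on the thread: a VPN client behind the switch,
# the Bonjour and SIP traffic mentioned in the last reply, ordinary HTTPS,
# and one genuinely malformed packet. IPs are documentation placeholders.
SAMPLE = [
    Datagram("udp", "192.0.2.10", 500, "198.51.100.5", 500, "IKE (ISAKMP)"),
    Datagram("udp", "192.0.2.10", 4500, "198.51.100.5", 4500, "IKE/ESP NAT-T"),
    Datagram("udp", "192.0.2.20", 5353, "224.0.0.251", 5353, "Bonjour mDNS"),
    Datagram("udp", "192.0.2.30", 5060, "198.51.100.9", 5060, "SIP signalling"),
    Datagram("tcp", "192.0.2.10", 51822, "198.51.100.5", 443, "HTTPS (ephemeral source port)"),
    Datagram("tcp", "192.0.2.10", 80, "192.0.2.10", 80, "spoofed self-addressed packet"),
]

def blat_match(d: Datagram) -> bool:
    """Assumed Blat signature: source port equals destination port."""
    return d.src_port == d.dst_port

def self_addressed(d: Datagram) -> bool:
    """A packet claiming to come from its own destination (classic Land shape)."""
    return d.src_ip == d.dst_ip

def evaluate(datagrams):
    """Apply the port-equality rule the way a DoS-defend feature would and
    return (label, verdict) pairs; only the self-addressed packet is a true hit."""
    results = []
    for d in datagrams:
        if self_addressed(d):
            verdict = "drop: land"
        elif blat_match(d):
            verdict = "drop: blat"
        else:
            verdict = "pass"
        results.append((d.label, verdict))
    return results

def false_positives(datagrams):
    """Legitimate protocols the port-equality rule would silently drop."""
    return [d.label for d in datagrams if blat_match(d) and not self_addressed(d)]
```

Running `false_positives(SAMPLE)` lists exactly the services the thread reports as broken, which is the check to run before enabling a per-port DoS heuristic on a switch that carries VPN, mDNS or VoIP traffic.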
