Unable to access work VPN via Vodafone Echolife HG556a

Forums › One New Zealand (including Vodafone, WxC, Farmside) › Unable to access work VPN via Vodafone Echolife HG556a

Philbert

58 posts

Master Geek

#78803 8-Mar-2011 18:12

Hi,

I have a work laptop running Windows XP Pro and use Nortel Contivity to access work via a VPN. The laptop always worked fine on the TCL cable connection and still works fine via my vodafone 3G mobile (tethered) and random WiFi hotspots e.g. koru clubs around the country.

Since signing up to Vodafone Naked ADSL at my new address (Schnapper Rock, Albany, Auckland) I have had no joy connecting via my home connection which uses the vodafone supplied Echolife HG556a ADSL modem/wireless router. I can still access the e-mail fine and can still access the work VPN via mobile etc but no luck at all via the home modem/router. Neither my work helpdesk (only supports the laptop) or the vodafone helpdesk ("VPN is unsupported by our helpdesk - talk to your work helpdesk") were able/willing to help beyond suggesting the normal things i.e. DMZ and/or NAT/Virtual Server/Port forwarding etc.

Things I have tried:

1. Opened the ports as recommended by work (and portforward.com). This did not work so I closed them again.

2. Used the built in 'applications' feature from the router configuration page (and the VNC application). This opened the exact same ports as those I had previously opened manually as recommended by work so I was not surprised when this did not work. I closed them again.

3. Set up my laptop as being in the DMZ. To my mind this should have been a fool-proof solution but again did not work.

4. Set up my laptop with a static IP rather than DHCP assigned (although this is not something I do when connecting via public wireless obviously). I then re-tried all of the above again without success.

5. Connected my laptop to the router both via wireless and Cat 5 - again, no joy.

Looking online it would appear that the router supports VPN pass-through so I am at a loss. I did also find online a few comments from other pers that could not access their VPN using the vodafone supplied router so I wonder if it is a common problem (although am sure that there would have been sufficient backlash by now for vodafone to have done something about it if it effects all users).

Finally I should note that while I have Vodafone Naked DSL I am not in the 'Red Zone' so one assumes that I am provisioned through someone else's cabinet/exchange. Not sure how/why this might be a problem but thought it worth mentioning.

If anyone can help or offer some advice it would be most appreciated. Final fallback seems to be buying another wireless modem/router but this is obviously not a step I want to take, particularly with no guarantee that this will work either due to the issue being somewhere in the link rather than the echolife router.....

Thanks

Philbert

tigercorp

668 posts

Ultimate Geek

#446721 8-Mar-2011 18:36

Have you tried comparing ping/tracert results to your VPN server, using your 3G connection vs the adsl?

Philbert

58 posts

Master Geek

#446804 8-Mar-2011 21:18

via DSL

ping: 4/4, min 31ms, max 37ms, av 34ms
tracert: 9 hops, all successful, straight to an ihig server, av response times between 4 @ 33 ms

via 3G (or actually GSM in this case as reception lousy in lounge hence desire to sort home router)

ping: 4/4, min 518ms, max 882ms, av 670ms
tracert: took 6 hops to get to ihug server via 3 x 172.26.xx.xx.xx servers and a core.vf server (av response times all greater than 600ms) and then everything else timed out up to hop 30.

when connected via contivity (GSM - despite low ping rates and time outs in tracert) no ping or tracert requests work - am assuming this is as expected as establishing the secure link via contivity (and RAS token) 'locks down' internet access for everything except the secure login webpage.

Screen shot of my successful contivity connection (IP blanked out is below)

https://cdn.geekzone.co.nz/imagessubs/blog4669f408113d06092bcc76fc900730fa.jpg

From my contivity log file I get the following for a successful connection:

Tue Mar 08 20:22:19 2011 | Isakmp | I | Contivity VPN Client V05_11.021
Tue Mar 08 20:22:19 2011 | Isakmp | I | Logging subsystem initialized.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2 mode is enabled.
Tue Mar 08 20:22:19 2011 | Isakmp | I | Extranet
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Hash verification OK for file: C:\Program Files\Nortel Networks\extranet.exe
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Hash verification OK for file: C:\Program Files\Nortel Networks\certal.dll
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Hash verification OK for file: C:\WINDOWS\system32\drivers\ipsecw2k.sys
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Hash verification OK for file: C:\WINDOWS\system32\drivers\eacfilt.sys
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Triple DES KAT passed.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: AES (128 Bits) KAT passed.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: AES (256 Bits) KAT passed.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: SHA1 KAT passed.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: HMAC-SHA1 KAT passed.
Tue Mar 08 20:22:19 2011 | FIPS | I | FIPS 140-2: Diffie-Hellman Group 2 KAT passed.
Tue Mar 08 20:22:20 2011 | FIPS | I | FIPS 140-2: Diffie-Hellman Group 5 KAT passed.
Tue Mar 08 20:22:20 2011 | FIPS | I | FIPS 140-2: PRNG KAT passed.
Tue Mar 08 20:22:20 2011 | FIPS | I | FIPS 140-2: Eacfilt driver HMAC-SHA1 KAT and Integrity test passed.
Tue Mar 08 20:22:20 2011 | FIPS | I | FIPS 140-2: Ipsec driver Triple DES, AES(128 Bits and 256 Bits), SHA1, HMAC-SHA1 KAT passed.
Tue Mar 08 20:22:20 2011 | Isakmpd | I | Session End Notification setup for XP :
Tue Mar 08 20:43:51 2011 | Isakmpd | I | Connection initiated to xxx.xx.x.xx [IP blanked] using Diffie-Hellman group 5.
Tue Mar 08 20:43:56 2011 | ConfMode | S | Authentication successful.

It then goes on to track the various stages of the session.

The log file is identical for the failed connection except the last line which is instead:
Tue Mar 08 21:05:55 2011 | Failover | W | Client failover invoked to "xxx.xx.x.xx" [alternate IP blanked]

It then goes through the authentication process for the alternate IP before returning:
Tue Mar 08 21:16:15 2011 | Isakmpd | F | Login Failure due to: Remote host not responding

snnet

1410 posts

Uber Geek

#446811 8-Mar-2011 21:50

Have you checked with your work's IT dept about firewalling your assigned vodafone ip range? A lot of companies will blacklist ranges that were not assigned to prevent spoofing (but with the runout of addresses, these have been assigned)

tigercorp

668 posts

Ultimate Geek

#447056 9-Mar-2011 19:07

Philbert: ...

It then goes through the authentication process for the alternate IP before returning:
Tue Mar 08 21:16:15 2011 | Isakmpd | F | Login Failure due to: Remote host not responding

The authentication us failing so possibly something is going wrong with isakmp (port 500) being routed back to your laptop.

With the port forwarding stuff you've tried already, did you test it? You can try this tool - http://www.portforward.com/help/portcheck.htm

Philbert

58 posts

Master Geek

#447361 10-Mar-2011 17:44

Thanks for the replies. In response:

1. Work helpdesk has re-iterated no problem at their end but they will "investigate further". We are a very large company with hundreds if not thousands that RAS in so they should know what they are doing......

2. Portforward checker
- I downloaded and used the tool and it said that the ports were not open.
- Long story short, no combinations of software firewalls/different clients etc made one bit of difference until I put the static IP laptop back into DMZ at which stage it did a lot of random things including telling me some were open, some were open on another computer in my network and none were open. I then took my laptop out of DMZ and ever since then the tool tells me that all VNC necessary ports (plus port 500) are open from my laptop.

Good news, problem solved you are thinking? Alas no, still no authentication from the remote host with the exact same log file as previously reported.

Sigh.

Philbert

58 posts

Master Geek

#448080 14-Mar-2011 00:09

Quick update - am waiting on a return call from the work helpdesk who are going to go through some more detailed diagnostics at their end to try and work out why it is not authenticating.

In the meantime I have also shelled out $99 to get "Sure Signal" so that I can at least connect in via the mobile phone at 3G speeds rather than GSM - it will be interesting to see if routing my 3G connection back through my ADSL modem all of a sudden shuts down connection to the VPN via my mobile....if so I I will be returning "Sure Signal" and asking for my money back!

Philbert

58 posts

Master Geek

#461071 20-Apr-2011 20:31

Have got a different laptop through work and it connects through to my VPN fine when using either my tethered phone or the Vodafone router - the laptop does use a later version of Nortel Contivity which may be the reason although it also has a different modem/drivers/firewall from the original laptop so could be any combination of things......all in all I am just happy that I am able to connect via my adsl rather than my mobile (a little bit cheaper and a damn sight faster!)