cancel
Showing results for 
Search instead for 
Did you mean: 

Client VPN access in hotels

Here to help

Client VPN access in hotels

Hi,

 

We are evaluating turning on the Client VPN feature on our MX450 (we currently use watchguard.  Some concerns being brought forward is that the IPSec ports are often blocked at hotels.  Could I get some shares on your successes and roadblocks in using this feature for clients "on the road"?

 

Thanks!

11 REPLIES 11
Kind of a big deal

Re: Client VPN access in hotels

@BEagle most hotels I have stayed in seem to block VPN access and I have resorted to using cellular for VPN access. These are hotels in NZ I am referring to. 

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Client VPN access in hotels

Also some dumb home routers don't correctly NAT IPSec and break it.  Maybe 5% of home routers are broken like this (IMHO).

Kind of a big deal

Re: Client VPN access in hotels

@BEagle given what @PhilipDAth and I have said that doesn't mean you cant give it a go, set it up, trial it for a few months and make a decision. 

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Highlighted
Here to help

Re: Client VPN access in hotels

Thanks for the info Black and Philip....

The plan is to test with a small amount of users and see how it works out. Time to find some guinea pigs!
Kind of a big deal

Re: Client VPN access in hotels

Nice one, good luck!

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Client VPN access in hotels

Hotels block VPN? Really? 

 

As someone who has traveled all over my home country, numerous times, for work, I have never encountered that. It never occurred to me that could possibly be a thing. 

 

I would suggest your company deals with a hotel chain that is more friendly to business travelers. And provide feedback to those hotels you encounter that block this. In my mind that's totally unacceptable. 

Kind of a big deal

Re: Client VPN access in hotels

@jdsilva I dont travel often for work, I have found this while travelling in my own time. I am a keen photographer and have a VPN connection setup for accessing my storage at home. I have found a lot of hotels but not all block VPN access for some reason.

 

I have no idea why as its no risk to them having those ports open for outbound traffic. 

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Kind of a big deal

Re: Client VPN access in hotels

@BlakeRichardson Do you think that's a NZ thing? I've never encountered that, and I've done a healthy amount of work travel in the last 10 years covering most provinces here in Canada. I can't think of once I've ever had my VPN blocked...

 

Though I'm not sure I've had an IPsec VPN for work in a very long time. Maybe it's an IPsec vs SSL thing? I remember "back in the old days" NAT-T wasn't always automatic which caused all kinds of issues. 

 

Anyway, none of this is helping the OP. I'll end my ranting Smiley Happy

Kind of a big deal

Re: Client VPN access in hotels

@jdsilva I think it depends on the hotel.

 

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
A model citizen

Re: Client VPN access in hotels

We have people that are constantly travelling for work at my company (myself included). I don't think I've ever encountered an issue where I am unable to connect via VPN. 

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Kind of a big deal

Re: Client VPN access in hotels

I don't think Hotels specifically block client VPN (at least none that I have ever been involved with).

 

IPSec when running through NAT tunnels traffic through UDP ports.  UDP is stateless.  So the NAT device needs to be the tiniest bit smarter about handling this, because it can't tell when the sessions are finished.  Most NAT UDP implementations implement an idle session timer and a max session lifetime timer.  Some implementations choose stupid values for these, like a 5s idle timer (which is enough to make DNS work, but not much else).  Some implement annoying max duration session times like 30 minutes.

It is in these cases that an IPSec based client VPN will fail, or only run for set periods of time before failing.

 

In my experience, the number of these bad NAT devices is reducing.  I only tend to run into them in a small number of home domestic routers these days.

 

 

SSL VPN however uses TCP.  TCP has a clear start and end of session, and can be easily tracked.  SSL VPN tends to have no issues as a result.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.