Client VPN access in hotels

BEagle
Here to help

Client VPN access in hotels

Hi,

 

We are evaluating turning on the Client VPN feature on our MX450 (we currently use watchguard.  Some concerns being brought forward is that the IPSec ports are often blocked at hotels.  Could I get some shares on your successes and roadblocks in using this feature for clients "on the road"?

 

Thanks!

11 Replies 11
BlakeRichardson
Kind of a big deal
Kind of a big deal

@BEagle most hotels I have stayed in seem to block VPN access and I have resorted to using cellular for VPN access. These are hotels in NZ I am referring to. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal

Also some dumb home routers don't correctly NAT IPSec and break it.  Maybe 5% of home routers are broken like this (IMHO).

BlakeRichardson
Kind of a big deal
Kind of a big deal

@BEagle given what @PhilipDAth and I have said that doesn't mean you cant give it a go, set it up, trial it for a few months and make a decision. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
BEagle
Here to help

Thanks for the info Black and Philip....

The plan is to test with a small amount of users and see how it works out. Time to find some guinea pigs!
BlakeRichardson
Kind of a big deal
Kind of a big deal

Nice one, good luck!

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
jdsilva
Kind of a big deal

Hotels block VPN? Really? 

 

As someone who has traveled all over my home country, numerous times, for work, I have never encountered that. It never occurred to me that could possibly be a thing. 

 

I would suggest your company deals with a hotel chain that is more friendly to business travelers. And provide feedback to those hotels you encounter that block this. In my mind that's totally unacceptable. 

BlakeRichardson
Kind of a big deal
Kind of a big deal

@jdsilva I dont travel often for work, I have found this while travelling in my own time. I am a keen photographer and have a VPN connection setup for accessing my storage at home. I have found a lot of hotels but not all block VPN access for some reason.

 

I have no idea why as its no risk to them having those ports open for outbound traffic. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
jdsilva
Kind of a big deal

@BlakeRichardson Do you think that's a NZ thing? I've never encountered that, and I've done a healthy amount of work travel in the last 10 years covering most provinces here in Canada. I can't think of once I've ever had my VPN blocked...

 

Though I'm not sure I've had an IPsec VPN for work in a very long time. Maybe it's an IPsec vs SSL thing? I remember "back in the old days" NAT-T wasn't always automatic which caused all kinds of issues. 

 

Anyway, none of this is helping the OP. I'll end my ranting 🙂

BlakeRichardson
Kind of a big deal
Kind of a big deal

@jdsilva I think it depends on the hotel.

 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Mr_IT_Guy
A model citizen

We have people that are constantly travelling for work at my company (myself included). I don't think I've ever encountered an issue where I am unable to connect via VPN. 

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
PhilipDAth
Kind of a big deal
Kind of a big deal

I don't think Hotels specifically block client VPN (at least none that I have ever been involved with).

 

IPSec when running through NAT tunnels traffic through UDP ports.  UDP is stateless.  So the NAT device needs to be the tiniest bit smarter about handling this, because it can't tell when the sessions are finished.  Most NAT UDP implementations implement an idle session timer and a max session lifetime timer.  Some implementations choose stupid values for these, like a 5s idle timer (which is enough to make DNS work, but not much else).  Some implement annoying max duration session times like 30 minutes.

It is in these cases that an IPSec based client VPN will fail, or only run for set periods of time before failing.

 

In my experience, the number of these bad NAT devices is reducing.  I only tend to run into them in a small number of home domestic routers these days.

 

 

SSL VPN however uses TCP.  TCP has a clear start and end of session, and can be easily tracked.  SSL VPN tends to have no issues as a result.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels