We are evaluating turning on the Client VPN feature on our MX450 (we currently use WatchGuard). Some concerns being brought forward are that the IPSec ports are often blocked at hotels. Could I get some shares on your successes and roadblocks in using this feature for clients "on the road"?
@BEagle most hotels I have stayed in seem to block VPN access and I have resorted to using cellular for VPN access. These are hotels in NZ I am referring to.
Also some dumb home routers don't correctly NAT IPSec and break it. Maybe 5% of home routers are broken like this (IMHO).
Hotels block VPN? Really?
As someone who has traveled all over my home country, numerous times, for work, I have never encountered that. It never occurred to me that could possibly be a thing.
I would suggest your company deals with a hotel chain that is more friendly to business travelers. And provide feedback to those hotels you encounter that block this. In my mind that's totally unacceptable.
@jdsilva I don't travel often for work; I have found this while travelling in my own time. I am a keen photographer and have a VPN connection set up for accessing my storage at home. I have found that a lot of hotels, but not all, block VPN access for some reason.
I have no idea why, as it's no risk to them having those ports open for outbound traffic.
@BlakeRichardson Do you think that's a NZ thing? I've never encountered that, and I've done a healthy amount of work travel in the last 10 years covering most provinces here in Canada. I can't think of once I've ever had my VPN blocked...
Though I'm not sure I've had an IPsec VPN for work in a very long time. Maybe it's an IPsec vs SSL thing? I remember "back in the old days" NAT-T wasn't always automatic which caused all kinds of issues.
Anyway, none of this is helping the OP. I'll end my ranting 🙂
We have people that are constantly travelling for work at my company (myself included). I don't think I've ever encountered an issue where I am unable to connect via VPN.
I don't think hotels specifically block client VPN (at least none that I have ever been involved with).
IPSec, when running through NAT, tunnels traffic through UDP ports. UDP is stateless. So the NAT device needs to be the tiniest bit smarter about handling this, because it can't tell when the sessions are finished. Most NAT UDP implementations implement an idle session timer and a max session lifetime timer. Some implementations choose stupid values for these, like a 5s idle timer (which is enough to make DNS work, but not much else). Some implement annoying max duration session times like 30 minutes.
It is in these cases that an IPSec-based client VPN will fail, or only run for set periods of time before failing.
In my experience, the number of these bad NAT devices is reducing. I only tend to run into them in a small number of home domestic routers these days.
SSL VPN however uses TCP. TCP has a clear start and end of session, and can be easily tracked. SSL VPN tends to have no issues as a result.
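A toy model of the two NAT timers described in the post above, added here as an example (it is not code from the thread or from Meraki): it simulates an IPsec NAT-T flow on UDP that sends a keepalive every 20 seconds (the RFC 3948 default interval, assumed here) and reports when a NAT with a given idle timer or max session lifetime would drop the mapping and break the tunnel.

```python
"""Constructed model of a NAT's UDP mapping timers (idle timer + max lifetime).
Real NAT boxes differ in detail; this only illustrates why an IPsec NAT-T
tunnel survives some NATs and dies on others."""
from typing import Optional

NAT_T_KEEPALIVE = 20  # seconds; RFC 3948 NAT-keepalive default (assumed here)


def udp_mapping_breaks_at(idle_timeout: float, max_lifetime: Optional[float],
                          keepalive: float, duration: float) -> Optional[float]:
    """Simulate one UDP flow (e.g. IPsec NAT-T on UDP/4500) sending a packet
    every `keepalive` seconds for `duration` seconds.
    Returns the time (s) at which the NAT drops the mapping, i.e. when the
    tunnel breaks, or None if the mapping survives the whole period."""
    created = 0.0      # first packet creates the mapping at t=0
    last_seen = 0.0
    t = keepalive      # time of the next packet
    while t <= duration:
        # idle expiry: no packet arrived within idle_timeout of the last one
        if t - last_seen > idle_timeout:
            return last_seen + idle_timeout
        # max-lifetime expiry: mapping torn down no matter how active it is
        if max_lifetime is not None and t - created > max_lifetime:
            return created + max_lifetime
        last_seen = t
        t += keepalive
    return None


def compare_nats(keepalive: float = NAT_T_KEEPALIVE,
                 duration: float = 3600) -> dict:
    """Run the same NAT-T flow through the three NAT behaviours from the post."""
    scenarios = {
        "sane NAT (300s idle, no cap)": (300, None),
        "5s idle timer": (5, None),
        "30 min max lifetime": (300, 1800),
    }
    return {name: udp_mapping_breaks_at(idle, cap, keepalive, duration)
            for name, (idle, cap) in scenarios.items()}


if __name__ == "__main__":
    for name, broke in compare_nats().items():
        print(f"{name:32s} -> {'survives' if broke is None else f'breaks at {broke:.0f}s'}")
```

A mapping survives only while the keepalive interval stays below the idle timer and no lifetime cap exists, which is why a TCP-based SSL VPN, whose sessions the NAT tracks by connection state rather than by timer, does not hit this problem.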