by SilverZipppo Investigator
Investigator

IPSEC VPN

Hi all,

I've just taken delivery of a new EE SIM and a Huawei B525 4G Router. I have this sitting in front of a Sophos Firewall, everything works fine with great speeds except that I cannot get a VPN to terminate on the Firewall.

I got the EE connection to replace a fixed line solution based on Bonded ADSL, and the VPN (which originates from a Draytek modem in my flat), connects fine if I use this connection, but if I switch to the EE 4G connection, it just won't connect.

I've tried putting the Firewall in the Huawei's DMZ, but that didn't work, and I then tried it in Bridge Mode, and that also failed to fix the problem. I have tried a completely different router (a D-link AC100), but it doesn't work on that either.

I've been on to EE's second line support, but they basically said this kind of thing was beyond their capabilities to address (which is pretty disappointing!).

I've read a few posts in these forums about this issue, and some people said they had solved it by switching off the content blocker. I've done that, and it didn't help.

Has anybody found a way to fix this or work around this issue?

Any pointers would be gratefully received .....

by Grand Master
Grand Master

Re: IPSEC VPN

Don't understand your situation, but just guessing: does changing the APN Protocol to IPv4 only help?

__________________________________________________________________________________________
If you think I helped please feel free to hit the "Star" button below.
To phone EE: The local rate landline number +44 207 362 0200 or Freephone +44 800 079 8586 - Option 1 for Mobiles; Option 2 for 4G WiFi; Option 3 for Home Broadband & EE TV.

ISPs: 1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC => 2014: EE 20 Meg WBC
by SilverZipppo Investigator
Investigator

Re: IPSEC VPN

Good thought but it's IPv4 end to end.  

by Grand Master
Grand Master

Re: IPSEC VPN

4GEE isn't usually.

by SilverZipppo Investigator
Investigator

Re: IPSEC VPN

I am using an IPv4 address on the EE network, and the other end of the connection I am trying to make is also IPv4, plus the router says its IPv6 address is unknown, so I am pretty sure everything I can control is IPv4.

Of course there may be something going on that's invisible to me as it passes through EE's network, but unfortunately their support folk didn't seem to know much about it!

by Grand Master
Grand Master

Re: IPSEC VPN


@SilverZipppo wrote:

I am using an IPv4 address on the EE network


How do you know? Where do you see it? What are the 1st 3 parts of it?

 

 

by SilverZipppo Investigator
Investigator

Re: IPSEC VPN

The IP type in my connection profile is set to "IPv4".

by SilverZipppo Investigator
Investigator

Re: IPSEC VPN

and the Public IP is 213.205.194.xxx

by Grand Master
Grand Master

Re: IPSEC VPN

Is 213.205.194.xxx the public IP as seen by the router or reported by some Web "What's My IP?"? If the latter, what is the former?

by SilverZipppo Investigator
Investigator

Re: IPSEC VPN

That's what "What's my IP" tells me (and also NOIP.COM which I use for dynamic IP). The internal addresses are different depending on if I am running in Bridge Mode or 'Normal' mode but they are the usual sorts of private addresses such as 100.119.xxx.xxx when in Bridge Mode or 192.168.xxx.xxx in 'NAT/DHCP' mode - I am interested to know what you can deduce from these!

by Grand Master
Grand Master

Re: IPSEC VPN

Sorry, we're not getting to my point. The 192.168.xxx.xxx IPs are just your private LAN IPs given out by the router to your devices. I'm after the public IP seen by the router when it is acting as a 4GEE modem on the mobile WAN. You will probably see this in it under "Connection Status". Is that 100.119.xxx.xxx ? It is similar to my MBB router.

by SilverZipppo Investigator
Investigator

Re: IPSEC VPN

When it was in bridge mode it was saying 100.119.xxx.xxx - looking through the settings now I have switched it back to 'DHCP/NAT' mode, it's also saying 100.119.xxx.xxx. I am not sure what is to be gained by knowing this though?

by Grand Master
Grand Master
Solution

Re: IPSEC VPN

Maybe, but I'm gaining knowledge of where you're at. You spoke earlier that there could be something going on that's invisible to the user on the EE mobile network. Well, there is!

The EE mobile network uses Carrier Grade NAT (CGNAT), which means that you don't get your own public IP address but share it with other users. So you can't be uniquely id'ed on the Net & therefore your LAN cannot be addressed from outside for unsolicited accesses. This is unlike fixed BB. You are up against that limitation of EE's mobile network.

213.205.194.xxx is the public IP that everyone else outside sees but it is not unique to you.

100.119.xxx.xxx is the private IP within the EE mobile network that EE assigns to you to distinguish you from everyone else sharing the same public IP.

You are effectively sitting behind a double NAT; EE's CGNAT & your router's own NAT.

For that reason a DDNS isn't going to be effective. Therefore any VPN originating from outside (your flat) is bound to fail. OTOH, a VPN originating from this system based around the EE MBB router to outside should work. What BB & kit do you have at your flat?

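Added example, not part of any poster's reply: the check described in the accepted solution, comparing the address on the router's WAN interface with the address an outside service reports, to decide which end of an IPsec tunnel has to initiate. The function names, site names and sample addresses are constructed for illustration; only the 100.119 prefix comes from the thread.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges used on home and office LANs.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan_ip, externally_seen_ip):
    """Classify a site from its router WAN address and the address that a
    'what is my IP' service (or a DDNS provider) sees for it."""
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(externally_seen_ip)
    if wan in CGNAT_NET:
        return "cgnat"                  # carrier NAT sits in front of the router
    if any(wan in net for net in RFC1918_NETS):
        return "private-upstream-nat"   # another NAT device is upstream
    if wan != seen:
        return "translated-upstream"    # routable WAN address, still rewritten
    return "public"                     # WAN address is the real public address


def thread_prefix_is_cgnat():
    # Only the first two octets (100.119) are given in the thread.
    return ipaddress.ip_network("100.119.0.0/16").subnet_of(CGNAT_NET)


def plan_tunnel(sites):
    """sites maps a site name to (router_wan_ip, externally_seen_ip).
    Returns (must_initiate, can_respond): only a site classified 'public'
    can accept an unsolicited inbound VPN connection."""
    verdicts = {name: classify_wan(*ips) for name, ips in sites.items()}
    can_respond = sorted(n for n, v in verdicts.items() if v == "public")
    must_initiate = sorted(n for n, v in verdicts.items() if v != "public")
    return must_initiate, can_respond


# Constructed sample data: a 4G site behind CGNAT and a fixed-line site
# whose WAN address matches what the outside world sees.
SAMPLE_SITES = {
    "country-4g": ("100.64.12.34", "203.0.113.10"),
    "flat-fixed": ("198.51.100.7", "198.51.100.7"),
}

if __name__ == "__main__":
    print("100.119.x.x inside 100.64.0.0/10:", thread_prefix_is_cgnat())
    print("must initiate / can respond:", plan_tunnel(SAMPLE_SITES))
```

If `can_respond` comes back empty, neither end can terminate the tunnel directly.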
by SilverZipppo Investigator
Investigator

Re: IPSEC VPN

Ah - I wasn't aware of CGNAT until now. That certainly explains the behaviour - thanks!!!

I have a Draytek in the flat and it is a model which only has an 'initiate' mode for the VPN which is why I have it set up to kick off the connection rather than the other way around.

I can't remember the model off-hand, but I must admit I was surprised about its limited functionality compared to the many other Drayteks I have come across over the years.

The carrier at the flat is Virgin Media, so provided they are not using CGNAT on their fibre network, I should be able to swap the modem out for one which can host a connection.

Given the amount I will be saving migrating from a bonded ADSL solution, it'll pay for itself within a month or two!

by Grand Master
Grand Master

Re: IPSEC VPN

Thanks! You're welcome :)! Glad I could be of assistance.

 

A VM fixed BB network won't be running CGNAT.

 

Out of interest, to understand your set-up, if the Draytek is originating the VPN connection from your flat, where elsewhere is the 4GEE router's LAN? Is that to work?

by SilverZipppo Investigator
Investigator

Re: IPSEC VPN

According to ISP Review, they are thinking about it!  https://www.ispreview.co.uk/index.php/2018/06/cable-isp-virgin-media-start-uk-customer-trial-of-ipv6...  

 

The flat is where I stay when I have business in London. The other location is my place in the country where I try to be as much as possible - as you can probably tell from my complicated broadband arrangements, it's a long way from the nearest Openreach cabinet, and even further from the nearest Fibre Aggregation Point!
