Wednesday, August 20, 2008

Ipsecuritas, must allow ICMP, MAC OS X VPN

So we had this box nonstop pinging a server. This IP was private, so it was easy to tell it was from the VPN zone of the firewall, but I could not tell why someone was doing this. So I filtered this out and waited for the calls to come in. Well, the call came in about someone getting time outs from this server when pulling web traffic across the VPN. Surely, web traffic has nothing to do with ICMP that I filtered. Well, I would be WRONG. It turns out that Ipsecuritas VPN client uses a nonstop ping (once every 3 seconds) to a LAN host that it previously had traffic to in order to keep its tunnel open. Otherwise, IPsecuritas (client side) will tear the tunnel down. Game over for the VPN connection. Bunk! Shame on you Ipsecuritas (or Apple), are you so ghetto that you need to do this? It just seems so bush league. From a sysadmin point of view, you can't think of a better way to do this? How about a proper keep alive packet to the firewall?

1 comment:

alex smith said...

Hey vpn service is one of the best i have ever used. I can personally give an ISO cert.:) Your service staff especially "stanua" really really helped and solved my problem, which even my local provider gave up. I really want to thank him and hope your company hires supe good staff like stanua. Thanks man. Love u. Cheers:) Sincere Thanks