Find out how to use a Virtual Private Network.
You are welcome to operate Virtual Private Networks on your Metronet service. Many customers have successfully run IPSec, PPTP and IP-SKIP. However, due to the complexity of VPNs we are unable to provide direct telephone support for their setup.
If you experience problems with your VPN, check the points below to see if any can help.
- Your router needs to support 'VPN pass-through' and be configured to use it. Please consult your manual and speak to your network administrator about how to do this.
- If you have a firewall in place, you might not be permitting enough traffic to establish a VPN connection. For example, in the case of PPTP you need to enable GRE traffic, which is protocol 47, or if you are using 6o4 you will need to permit protocol 41 across your firewall. You should consult your firewall documentation for more specific help.
- The endpoint of your VPN might only accept VPN connections from particular IP addresses. Have you 'registered' your IP address with your network administrator?
- If you are using a router that is not VPN-passthrough enabled, and your network administrator is using IPSec and tells you your equipment is fine, you will need to have NAT-T enabled in your IPSec implementation. Note that Windows XP needs a patch to be able to support this.
- If you are not using a router but are running a personal firewall, the firewall might be conflicting with your VPN. You should uninstall the personal firewall and retest your VPN.
- If you are using IPSec (with X.509 and/or key exchange) and have enabled the Metronet Free Firewall on a setting 'higher' than "Block Commonly Abused Ports" then you will run into problems. Try reducing the block to "Block Commonly Abused Ports" or disabling it altogether.
- If you are using IPSec with X.509 certificates, you can set an expiry date on those certificates and/or revoke them. Please make sure they have not been revoked and have not expired.
- If you are using IPSec with automatic key exchange and X.509 certificates, and have a firewall running at either end, the firewall might be configured to drop UDP fragments, which would cause the session to fail to be established. You should check how your firewall has been set up.
- If IPSec is being used in conjunction with X.509 certificates, you might be storing the static IP address of the connecting client as part of the client certificate. You might have distributed the wrong certificate to the client and/or sent out a duplicate one which is actually for a different client with a different IP address.
- If you are using PPTP as well as the Metronet Free Firewall on the setting "Block incoming connections", you will experience problems with your VPN. You should lower the setting by at least a notch, to "Block privileged ports" or below, or even disable it altogether.
- You might be experiencing problems with your MTU settings. Try setting your MTU to a lower value, say 996, and increase it in jumps of 48 (but no higher than 1476) until you find a fix.
- You might have an MSS issue. You should force the use of an 'MSS Clamp' to take into account the extra overhead the VPN adds to the header size.
- Clashing of subnets might be a problem for you. If you have a subnet for your LAN (home network) which is in part or wholly the same as the subnet you are connecting to then you will find you're unable to use anything when the VPN is activated.
- Again with IPSec, with pre-shared keys, you might have locked certain keys to particular IP addresses and accidentally assigned the wrong ones to the wrong IP addresses.
- Please do not contact us regarding problems with your VPN access unless you can send logfiles and 'tcpdump'-compatible packet captures that clearly indicate a problem with our network setup.
- Note that using a VPN may greatly reduce the performance of your broadband connection to anywhere other than the other end of the VPN.
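
The MTU, MSS and subnet checks from the list above, as an added Python example that is not part of the original article: it walks the 996-to-1476 ladder with don't-fragment pings, derives the matching MSS clamp for IPv4, and tests two subnets for overlap. The Linux iputils `ping` flags, the 192.0.2.10 address, the sample subnets and all function names are assumptions.

```python
import ipaddress
import subprocess

# Ladder from the article: start at 996, step 48, never above 1476.
MTU_START, MTU_STEP, MTU_MAX = 996, 48, 1476
IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # IPv4 header sizes without options


def mtu_ladder():
    """Candidate MTUs in the order the article suggests trying them."""
    return list(range(MTU_START, MTU_MAX + 1, MTU_STEP))


def ping_df(host, mtu):
    """True if one don't-fragment ICMP echo of total size `mtu` is answered.
    Assumes Linux iputils ping (-M do sets DF, -s is the ICMP payload size)."""
    payload = mtu - IP_HDR - ICMP_HDR
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_working_mtu(probe):
    """Walk the ladder upward; return the last MTU that passed, or None."""
    best = None
    for mtu in mtu_ladder():
        if not probe(mtu):
            break
        best = mtu
    return best


def mss_clamp(mtu):
    """TCP MSS that fits in `mtu` for IPv4 with no IP or TCP options."""
    return mtu - IP_HDR - TCP_HDR


def subnets_clash(lan, remote):
    """True if the LAN and the remote VPN subnet overlap in part or wholly."""
    return ipaddress.ip_network(lan).overlaps(ipaddress.ip_network(remote))


if __name__ == "__main__":
    host = "192.0.2.10"  # placeholder: an address reachable only through the VPN
    mtu = largest_working_mtu(lambda m: ping_df(host, m))
    if mtu is None:
        print("no ladder MTU passed; check firewall rules before MTU")
    else:
        print(f"MTU {mtu}, MSS clamp {mss_clamp(mtu)}")
    print("subnet clash:", subnets_clash("192.168.1.0/24", "192.168.0.0/16"))
```

Run it with the VPN connected. If even the 996 probe fails, the cause is more likely one of the firewall or pass-through items than MTU.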