Issues with IKEv2 IPSec VPN on Rogers LTE/3G

I Plan to Stick Around
Posts: 14

Re: Issues with IKEv2 IPSec VPN on Rogers LTE/3G

Hey RogersCillio,

 

With all due respect, this is not about supporting VPN. Nobody's asking how to set it up. This is about blocking the ports without any warning. Please do not take this stance. It is not constructive.

 

Rogers must understand that paying customers (individuals as well as small business and enterprise) are relying on this paid service for business. The fact that all of a sudden our VPN connections back into our offices stopped working creates huge issues for us. I, for example, travel all over the world and run a whole IT department (people and systems) regardless of where I find myself at any given time. Can you imagine what challenges this situation creates for me and my company?

 

The fact is that something changed on Rogers' network that blocks one or more of the following TCP ports: 500, 1701, 4500 as well as ESP protocol 50.

 

The more people are wasting their time testing and troubleshooting this situation and posting back, hopefully the more good information is gathered that will help Rogers NOC engineers understand what they've done and fix the issue.

 

And finally, I don't think that anyone is expecting Rogers techs to fix anything in this forum. 

 

My 2 cents,

Adrian

 

I'm Here A Lot
Posts: 6

Re: Issues with IKEv2 IPSec VPN on Rogers LTE/3G

Well said. We provide as many technical details here as we can so that Rogers can look into the issues. Appropriate people can be flagged on Rogers' end. We don't have time to wait on the phone for Level 1 support to tell us to reset our devices.

VPN is more and more part of everyday communications, and not a "niche" product. These connections must not be impeded.

I can also confirm it works perfectly with a Telus LTE SIM card. ;)

 

I Plan to Stick Around
Posts: 12

Re: Issues with IKEv2 IPSec VPN on Rogers LTE/3G

I wonder if this affects the Fido network too, since Fido is Rogers.

I Plan to Stick Around
Posts: 14

Re: Issues with IKEv2 IPSec VPN on Rogers LTE/3G

Here's an interesting read on DSLReports. Different topic, but I think Rogers is filtering/mishandling the ESP protocol 50 across their core network. Have a read:
http://www.dslreports.com/forum/r30809958-Rogers-throttling-VPN-connections
I Plan to Stick Around
Posts: 12

Re: Issues with IKEv2 IPSec VPN on Rogers LTE/3G

But why would Android work but not iPhones?

I've Been Here Awhile
Posts: 2

Re: Issues with IKEv2 IPSec VPN on Rogers LTE/3G

But Android doesn't work, I just tested again (same steps as in my previous post in this thread).

I Plan to Stick Around
Posts: 214

Re: Issues with IKEv2 IPSec VPN on Rogers LTE/3G

Hi,

 

I have a feeling what's happened here is they have enabled IPv6 ONLY and stopped use of IPv4.

 

It appears they are (or were) only doing this in batches, as problems arose with people using PPTP VPNs in 2017. At the time a NOC engineer explained what happened and suggested that users edit their APN settings to only accept IPv4 IPs. This solved the issue. Since we are on iPhone we can't do such.

 

I confirmed on my Bell LTE device it's also on IPv6 but must also be grabbing an IPv4 IP.

 

I saw this post on DSL forums from 2017:

 

In 2016, Rogers started the deployment of IPv6 on our Wireless network. At that point, most recent phones (2015++) started receiving from our LTE network both an IPv4 and an IPv6 address. This was the first phase of our IPv6 deployment plan for the wireless network.

Late last year, we started enabling IPv6-only service (no native IPv4) on some phone models (LG G4, Google Nexus 5 and Samsung Galaxy S4). Recently, we enabled the service on more models (most Samsung Galaxy phones). With IPv6-only service, phones are still able to access the entire IPv4 space through the use of a technology called 464XLAT on the phone itself combined with a DNS64 and a CGN64 in our core network. This transition was necessary as IPv4 resources worldwide are completely exhausted.

With this technology, the transition to IPv6-only service has been transparent for most users and almost nobody noticed that their phone was operating natively on IPv6 without direct IPv4 connectivity. PPTP VPNs however use a very old technology that is not well supported in this configuration. We have also noticed that in some rare cases, L2TP/IPSec VPNs are broken. This last scenario is due to a bug in the Android code and we are actively working with Google to resolve it.

There is however a workaround for users affected (both for the PPTP and L2TP/IPSec issues). Directly on their phone, users can go in their APN settings to change the “PDP Type” to IPv4 (by default it is set to IPv4v6). Depending on the phone model, users may be able to simply change the PDP Type or they may have to create a new APN entry (copying existing settings) and make it default.

Let me know if this helps.

Dave

-----
I am a Rogers Network Architect. I am here to provide production solutions for the specific topics I engage in. For other concerns, please reach out to me on Rogers Community Forums.

 

 

said by LastDon:

I never changed my APN settings nor was it updated from rogers it was always the same, but making the switch makes it work. It was always IPv4v6.
[...]
meanwhile my onePlus3 never stopped working and continues to work, and is currently set at IPv4v6.

 

There is a very technical explanation to that. The PDP Type in the APN settings is essentially what your phone asks from the cellular network. Most of our Android phones have been configured with IPv4v6 since 2014 although at that time we didn't have IPv6 service enabled.

When the phone would connect on the network, it would essentially ask "May I create a data session using APN ltemobile.apn and using IP stack IPv4 and IPv6". The network would then respond with "You are granted access, however you are only authorized to receive an IPv4 address".

After we enabled IPv6 on the network, during the data connection phase, all phones started receiving both an IPv4 and an IPv6 address.

What was done recently is that some phones (it is very model specific and it includes the Samsung Galaxy S7), are only granted an IPv6 address. This internally tells the phone to enable the 464XLAT process which handles the IPv4 --> IPv6 translation. In turn, in our core network we do the reverse translation IPv6 --> IPv4. This enables you to reach IPv4 services without having an actual IPv4 address on your phone.

When you set the PDP Type to "IPv4", the network can't give you only an IPv6 so it has no choice but to give you what you asked for and it re-enables PPTP. Ultimately, you do lose access to IPv6 by doing that however.

We only picked for IPv6-only transition phone models that we extensively tested. The onePlus3 is not a device we sell so we can't confirm if the 464XLAT implementation is done properly and therefore it will remain IPv4+IPv6. All new phones launched on the Rogers Wireless network should be IPv6-only.

Given that IPv4 was always NATed on the wireless network, there is no difference in most cases, except PPTP because it relies on a GRE tunnel which doesn't support well the IPv4 --> IPv6 --> IPv4 translation.

Dave

 

 

Sooooo.. question is... Rogers Dave... Where are you?
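
A way to check from a phone or tethered laptop whether the connection is on the IPv6-only DNS64/NAT64 path described in the quoted posts, as an added example that is not part of the original thread or any poster's code: resolve `ipv4only.arpa` (RFC 7050) and recover the NAT64 prefix from the synthesized AAAA answers (RFC 6052 layout). The sample answers and the gateway address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
import socket

# RFC 7050 well-known IPv4 addresses published for the name ipv4only.arpa
WKA = (ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171"))

# RFC 6052: prefix length -> byte offsets of the embedded IPv4 octets (octet 8 is reserved)
LAYOUT = {96: (12, 13, 14, 15), 64: (9, 10, 11, 12), 56: (7, 9, 10, 11),
          48: (6, 7, 9, 10), 40: (5, 6, 7, 9), 32: (4, 5, 6, 7)}


def discover_nat64_prefix(aaaa_answers):
    """Return the NAT64 prefix implied by AAAA answers for ipv4only.arpa, or None."""
    for text in aaaa_answers:
        raw = ipaddress.IPv6Address(text).packed
        for plen, offsets in LAYOUT.items():
            embedded = bytes(raw[i] for i in offsets)
            if any(embedded == w.packed for w in WKA):
                head = raw[:plen // 8] + bytes(16 - plen // 8)
                return ipaddress.IPv6Network((ipaddress.IPv6Address(head), plen))
    return None  # no synthesized AAAA: the resolver is not doing DNS64


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in a NAT64 prefix, as DNS64 or the phone's CLAT would."""
    buf = bytearray(prefix.network_address.packed)
    octets = ipaddress.IPv4Address(ipv4).packed
    for offset, octet in zip(LAYOUT[prefix.prefixlen], octets):
        buf[offset] = octet
    return ipaddress.IPv6Address(bytes(buf))


def live_answers():
    """AAAA answers for ipv4only.arpa from the current resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo("ipv4only.arpa", None, socket.AF_INET6)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed sample: what a DNS64 resolver using the well-known prefix returns.
    sample = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
    prefix = discover_nat64_prefix(sample)
    print("NAT64 prefix:", prefix)
    print("IPv4 VPN gateway 203.0.113.10 is reached as:", synthesize(prefix, "203.0.113.10"))
    print("Live resolver answers:", live_answers() or "none (no DNS64 on this network)")
```

A `None` result means the resolver is not synthesizing addresses, so the session is not relying on DNS64; a prefix means IPv4 destinations such as a VPN gateway are being reached through the carrier's IPv6-to-IPv4 translator.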

 

I Plan to Stick Around
Posts: 214

Re: Issues with IKEv2 IPSec VPN on Rogers LTE/3G

I Plan to Stick Around
Posts: 12

Re: Issues with IKEv2 IPSec VPN on Rogers LTE/3G

Android works #1 for me

Only iPhones don't work.
I Plan to Stick Around
Posts: 14

Re: Issues with IKEv2 IPSec VPN on Rogers LTE/3G

We may very well be out of luck.

Let's hope I am wrong.