After spending nearly two hours on the phone with Virgin Media on Friday and having no joy with them, and with them constantly pushing the Gadget Rescue service to help fix my issue for a fee 🤔, I am struggling to get any sort of reasonable response from anyone at Virgin Media.
I work in an IT department which has recently set up a new SSL VPN connection to replace our old connection. Both use SSL VPN on TCP 443 but different programs.
The old one is routed through a German telecom line and connects fine with virgin media 😃
The new one is routed through a Gamma fibre line but refuses to connect with virgin media 😢
All other ISPs connect to it fine with no issues (BT, Sky, TalkTalk etc.) but not Virgin Media.
I have tried turning off the Hub 3 firewall and put my work-provided laptop in a DMZ with no joy.
Any suggestions appreciated, or contact from someone in the Virgin Media tech team. I hate to tell our users the only way to connect to our VPN is to switch to a different ISP.
Gadget Rescue eh, you've more chance of International Rescue flying in to fix this one!
Not much to go on but what are you using to terminate the SSL VPN tunnels? The reason I ask is that many devices have a web portal so the first thing I would try is to see if you can't simply use a web browser to hit the public IP address / FQDN and see if you get the portal page - you'll need to check the config on your device, it might well use a different port to get to the portal than the one that the tunnel itself uses.
If you can get to the portal page then there isn't a routing issue, and you might see a useful error message which the SSL client wouldn't show. You could also check if your clients have web safe or child safe enabled on their accounts as they can cause havoc with SSL connections sometimes.
Forget about the Hub's firewall or DMZ, they only affect inbound unsolicited connections so won't be blocking the tunnel setup.
I haven't checked to see if I can connect to the tunnel page - I will try and connect later.
I did try pinging the gateway from the laptop and directly from the hub, the ping from the hub worked but from the laptop failed. To double check the laptop I pinged google.com and that worked - same directly from the hub.
As per my original post, the tunnel works with other ISPs so the issue is only when connected to Virgin Media.
I'm not sure about the old tunnel as this was managed by our German office, but the new connection is provided by Gamma and the firewall is a WatchGuard.
Web Safe and Child Safe are turned off - also tried turning off advanced network error search, however this is not possible on all users.
I can guarantee you that WatchGuard's SSL VPN client works with VM because I use them all the time. They definitely have an SSL portal so you should be able to browse to the public IP address (ignore the cert warnings) and see it - might just need to double check that it is using 443 for the data and config channels - that's in VPN / Mobile VPN / SSL VPN Configuration and then under the Advanced Tab - on the WatchGuard web management page or use the offline System Manager.
Usually by IP address and yes via a Hub 3. You really should be able to get the portal page up just by browsing to the public IP address on port 443. By the way you might want to change the Authentication to SHA-256, SHA-1 has been considered insecure for the past ten years or so.
Thank you for that info - SHA-1 is what our installer set up and configured. We are looking at changing it soon 😀
However back to the subject at hand.
I am unable to access the portal page when connected to VM; when disconnected from VM and connected to my mobile hotspot (with O2) the portal page loads and I am able to connect to the tunnel. So this really makes me think this is a problem with VM instead of a config issue with the tunnel or our laptops.
Our users (myself included) are based in the West Midlands, so maybe it's a local issue.
Might be a local problem, but at least for now we can disregard a config issue with the Firewall itself or the VPN client. So what happens if you just try to ping the Firewall's external address? You might need to temporarily add a rule to enable ping responses from untrusted interfaces. Can you traceroute to it?
If you can't get to the SSL portal's webpage from a browser, then the client is very unlikely to be able to connect either.
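The checks suggested in this thread (can the laptop reach the gateway on TCP 443, and does the portal answer with TLS) can be run as one staged probe that reports where the connection stops. This is an added example, not code from any poster or from WatchGuard; the function name `probe` is hypothetical and the gateway address is whatever you pass on the command line.

```python
import socket
import ssl
import sys


def probe(host, port=443, timeout=5.0):
    """Return (stage, detail) for the first stage that fails, or ("ok", tls_version)."""
    # Stage 1: name resolution (a literal IP address passes straight through).
    try:
        family, _, _, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return "dns", str(exc)

    # Stage 2: TCP handshake. A timeout means the SYN or SYN-ACK is being dropped
    # on the path; a refusal means something answered but nothing listens there.
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except socket.timeout:
        sock.close()
        return "tcp", "timed out (packets dropped or filtered on the path)"
    except OSError as exc:
        sock.close()
        return "tcp", f"{type(exc).__name__}: {exc}"

    # Stage 3: TLS handshake. Certificate checks are off because this is only a
    # reachability test against a portal that may use a self-signed certificate;
    # no credentials or data are sent over the connection.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return "tls", f"{type(exc).__name__}: {exc}"
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python probe.py <gateway address> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(target, target_port))
```

Run it once on the failing connection and once on a working one (such as a mobile hotspot) and compare the stage reported.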