
VPN Cisco does not work on Odido WiFi


Hello,

I’m experiencing an issue where a Cisco VPN client fails to connect over my home Wi-Fi, but works fine over a mobile hotspot or work internet network. After extensive troubleshooting, here’s what I’ve confirmed:


 - VPN works on the same laptop over 4G hotspot

 - VPN fails only on home Wi-Fi

 - UDP ports 500 and 4500 are reachable from my home network

 - TCP port 443 is open

 - With Windows Firewall completely disabled on the laptop the issue persists

 - Other VPNs work fine on different laptops (e.g., Norton Secure VPN, Citrix Workspace), indicating the network is generally VPN-capable

 

This points to a problem related to:

 - ESP (IP protocol 50) being blocked or not forwarded correctly

 - Lack of IPSec passthrough or broken NAT-T support on the router

Router with booster points ZYXEL, installed in January 2025.

 

Could you please confirm:

 - Does my router and/or ISP block ESP (IP protocol 50)?

 - Is IPSec passthrough and NAT traversal (UDP 4500) supported?

Are these settings user-configurable? (I logged into my router but did not find them)

If not, can you enable them remotely?

 

One more detail:
Could you please check if my internet connection is using CGNAT (Carrier Grade NAT)?
I understand that CGNAT can interfere with VPN protocols such as ESP (IP protocol 50) and IPSec passthrough.

If I am on CGNAT, could you assign a public IPv4 address instead?

 

Thank you in advance for your help. Let me know what else is needed from my side.

A
 


4 replies

Tommie van Odido
Moderator
  • Moderator | Internet + TV
  • 14854 replies
  • Answer
  • 9 July 2025

Hi ​@AliceInternetGebruiker, welcome to our community!

Thanks for your clear message, that really helps in troubleshooting. To answer your questions:

  • We don’t block any ports on our network, including ESP (IP protocol 50).

  • IPSec passthrough and NAT-T (UDP 4500) are supported by default on our routers. These settings aren’t visible or adjustable in the router’s interface, but they are enabled by default.

Also, to clarify — we don’t use CGNAT (Carrier Grade NAT) on our fixed internet connections. Every customer is assigned a unique public IPv4 address. Since you’ve confirmed ports 500, 4500 and 443 are reachable, and other VPN services work fine, it could be worthwhile to check if your Cisco VPN client can be forced to use NAT-T (over UDP 4500) only, to bypass ESP.
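To see which of the two paths discussed above the client actually takes, a capture made on the laptop can be sorted into native ESP (IP protocol 50) and NAT-T traffic on UDP 4500. This is an added example, not part of the original posts and not Odido's or Cisco's code; it follows the RFC 3948 framing (four-zero-byte non-ESP marker, one-byte keepalive), and the tuple layout and the packets in `SAMPLE` are constructed for illustration.

```python
# Added example: sort captured packets into native ESP vs NAT-T (RFC 3948 framing).
PROTO_UDP, PROTO_ESP, IKE_PORT, NATT_PORT = 17, 50, 500, 4500

def classify(ip_proto, sport, dport, payload):
    """Label one packet; payload is the UDP payload (or raw ESP bytes)."""
    if ip_proto == PROTO_ESP:
        return "native-esp"          # IP protocol 50, no UDP header
    if ip_proto != PROTO_UDP:
        return "other"
    if IKE_PORT in (sport, dport):
        return "ike-500"             # first IKE messages, before NAT detection
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "nat-keepalive"   # one 0xFF byte keeps the NAT mapping open
        if payload[:4] == b"\x00" * 4 and len(payload) > 4:
            return "ike-4500"        # non-ESP marker (4 zero bytes), then IKE
        if len(payload) >= 8:
            return "esp-in-udp"      # starts with a non-zero ESP SPI
    return "other"

def summarize(packets):
    """Count (label, direction); a packet is (direction, proto, sport, dport, payload)."""
    counts = {}
    for direction, *fields in packets:
        key = (classify(*fields), direction)
        counts[key] = counts.get(key, 0) + 1
    return counts

def verdict(counts):
    """Describe the data path the tunnel used and whether replies came back."""
    for label, need in (("esp-in-udp", "UDP 4500"), ("native-esp", "IP protocol 50")):
        if counts.get((label, "out")):
            if counts.get((label, "in")):
                return f"{label}: two-way traffic, path forwards {need}"
            return f"{label}: sent but no replies, check {need} on the return path"
    if any(label.startswith("ike") for label, _ in counts):
        return "IKE only: negotiation never reached the ESP data phase"
    return "no IPsec traffic in capture"

# Constructed sample capture (not from the thread): NAT detected, tunnel on UDP 4500.
SAMPLE = [
    ("out", 17, 500, 500, b"\x11" * 28),
    ("in", 17, 500, 500, b"\x11" * 28),
    ("out", 17, 4500, 4500, b"\x00" * 4 + b"\x11" * 28),
    ("in", 17, 4500, 4500, b"\x00" * 4 + b"\x11" * 28),
    ("out", 17, 4500, 4500, b"\xc0\xff\xee\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 32),
    ("in", 17, 4500, 4500, b"\x5e\xed\x00\x02" + b"\x00\x00\x00\x01" + b"\xbb" * 32),
    ("out", 17, 4500, 4500, b"\xff"),
]
```

A capture that ends in "sent but no replies" for `native-esp` while the hotspot capture shows two-way traffic is the pattern the original question suspects; "IKE only" points at the negotiation rather than at ESP forwarding.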

 


GebruikersnaamRandomTekst

@Tommie van Odido Let’s be honest.

“We don’t block any ports on our network, including ESP (IP protocol 50).”

Yes, you do. You block the standard, logical ones that most internet providers block, meaning port 25 (SMTP) and I bet some 137-139 ports (I’ve not checked.)

But you also block UDP 5060 incoming, but not for all customers. Which is a matter of misconfiguration, that’s not something you expect to be blocked.

So if you happen to know that protocol 50 (ESP) isn’t blocked, then that’s very useful info, but if you start with “we don’t block any ports” then it’s very difficult to take whatever comes after, seriously.

Edit: a different thread (in Vast Bellen) mentioned that TMNT thought he read something about UDP5060 finally not being blocked anymore. It’s a bit off-topic for this thread, but can you confirm whether Odido reversed that policy or whether it’s a misunderstanding? (As mentioned elsewhere, Odido only blocking it on part of the customer base is not helping with getting clarity on this.)


rvk01
  • is a legendary user
  • 1525 replies
  • 10 July 2025
GebruikersnaamRandomTekst wrote:

Edit: a different thread (in Vast Bellen) mentioned that TMNT thought he read something about UDP5060 finally not being blocked anymore. It’s a bit off-topic for this thread, but can you confirm whether Odido reversed that policy or whether it’s a misunderstanding? (As mentioned elsewhere, Odido only blocking it on part of the customer base is not helping with getting clarity on this.)

Nope. According to my Python script incoming 5060 UDP is still blocked on my line.

 


GebruikersnaamRandomTekst

Thanks for the feedback. I had done the logging of UDP 506x packets manually, and I was a bit too lazy to start that up again. 😁

