I have an IPsec VPN that is running between 2 SRXs. One SRX is connected to a 4G router and is behind CG-NAT.
The link is to provide backup management access.
The VPN is up but SSH connections across the VPN are really poor and constantly disconnecting.
I have deduced with testing that the issue is this:
The NAT device in the service provider is timing out the UDP sessions really quickly. I have tested by setting up an OSPF adjacency across this tunnel and enabling BFD; I believe the BFD packets constantly transmitting from each end keep the session alive on this carrier firewall. The problem is this chews through my bandwidth, costing me.
Is it possible to establish a VPN over TCP in some way between 2 SRXs?
The NAT device in the service provider is timing out the UDP sessions really quickly,
This is not the only trick which can be played on You by certain SP(s).
Another common trick is to drop non-initial fragments for "security/protection", so when You decide to use IPsec with long keys (greater than 2048 bits) and/or certificates, Your IKEv1 or IKEv2 without fragmentation support won't establish.
Get another SIM from a different SP, but do Your research first.
Thanks Alex. I have tried a few; because this is basically using providers like GiffGaff and EE, I do not really know what they are doing to my traffic. I've posted on their forums but no one knows anything technical. Because the router behind the CG-NAT is making a connection through that back to a fixed address, I cannot really use a remote access VPN. What a pain, I wish there was a better solution. At the remote location, if I leave something like TeamViewer running on the laptop this works, but I really do not want to do this; I was hoping for a network layer solution. Maybe leaving OSPF running with BFD is my only option.
Maybe Leaving OSPF running with BFD is my only option.
You need to figure out what the inactivity-timeout in Your SP network is and set DPD keepalives, or the NAT keepalive interval, slightly below this number.
ISPs are always trying to conserve resources, specifically free ports in their NAT pools and RAB (radio access bearer) channels, so the most user-unfriendly ones typically set the RAB channel idle time to an aggressive number like 10-20 seconds and the CGNAT inactivity-timeout around that number as well.
It helps their KPIs but (a) drains battery faster on the phones and (b) creates unwarranted timeouts for applications.
The only way to counter it is to figure out the timer and use keepalives with a slightly shorter interval.
But be vigilant for other tricks with Your traffic.
You may also strike it lucky if You manage to come across an SP with sane timeout settings, or get an unlimited data SIM.
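As an added illustration of the keepalive advice above (this is example configuration written for this thread, not the poster's config), here is what the spoke SRX behind the CG-NAT could carry. The gateway name gw-4g-backup, policy name pol-4g-backup, interface ge-0/0/0.0 and the hub address 203.0.113.10 are placeholders, and the 20-second CGNAT inactivity timeout is an assumed value that would come from measuring the carrier's NAT; the timers below are chosen to sit under it. The hub side does not need to change for this.

```junos
# Added example for this thread, not the poster's own configuration.
# Placeholders: gw-4g-backup, pol-4g-backup, ge-0/0/0.0, hub address 203.0.113.10.
# Assumed measured CGNAT UDP inactivity timeout: 20 seconds.
#
# Spoke SRX (behind the 4G router / CG-NAT, so it is the IKE initiator).
# NAT-T is enabled by default on the SRX; once NAT is detected, IKE and ESP
# both travel inside UDP/4500 and share a single CGNAT binding, so keeping
# that one binding refreshed keeps the whole tunnel usable.

set security ike gateway gw-4g-backup ike-policy pol-4g-backup
set security ike gateway gw-4g-backup address 203.0.113.10
set security ike gateway gw-4g-backup external-interface ge-0/0/0.0
set security ike gateway gw-4g-backup version v2-only

# Dead peer detection in always-send mode: probes go out on the timer even
# while SSH traffic is flowing, so the binding is refreshed whether or not the
# session is idle. Interval 10 s stays under the assumed 20 s timeout;
# threshold 3 tolerates two lost probes before the peer is declared dead.
set security ike gateway gw-4g-backup dead-peer-detection always-send
set security ike gateway gw-4g-backup dead-peer-detection interval 10
set security ike gateway gw-4g-backup dead-peer-detection threshold 3

# NAT-T keepalive: a small UDP/4500 keepalive every 5 s when nothing else has
# been sent, again well under the assumed timeout. A few tiny packets a minute
# is far less traffic than holding an OSPF adjacency alive with BFD.
set security ike gateway gw-4g-backup nat-keepalive 5
```

After committing, confirm that NAT-T was actually negotiated and the SA stays up with `show security ike security-associations detail` and `show security ipsec security-associations`; if SSH still drops, the carrier timeout is shorter than assumed and the two intervals need lowering together. These keepalives only address the idle-timeout behaviour Alex describes; the fragment-dropping issue he mentions is separate and is not changed by them.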