The tool "ike-scan" can be used as a standalone RAP test tool. Get it from www.nta-monitor.com/tools/ike-scan
Example when host does not respond - here we see Google DNS 8.8.8.8 is up but doesn't talk IPSEC
C:\aruba\tools\ike-scan-win32-1.9>ike-scan.exe --nat-t --ikev2 --sport=4501 --dport=4500 --verbose 8.8.8.8
DEBUG: pkt len=296 bytes, bandwidth=56000 bps, int=46285 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
--- Pass 1 of 3 completed
--- Pass 2 of 3 completed
--- Pass 3 of 3 completed
Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify
C:\aruba\tools\ike-scan-win32-1.9>
Example of DNS resolution error
C:\aruba\tools\ike-scan-win32-1.9>ike-scan.exe --nat-t --ikev2 --sport=4501 --dport=4500 --verbose via3.somewhere.com
WARNING: gethostbyname failed for "via3.somewhere.com" - target ignored: Operation not permitted
ERROR: No hosts to process.
Example when host does respond (in this case I have hidden the IP, but via.somewhere.com needs to be either a controller on the internet or a firewall doing 4500/udp port NAT):
C:\aruba\tools\ike-scan-win32-1.9>ike-scan.exe --nat-t --ikev2 --sport=4501 --dport=4500 --verbose via.somewhere.com
DEBUG: pkt len=296 bytes, bandwidth=56000 bps, int=46285 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
104.YY.XXX.ZZ Notify message 16390 (COOKIE) HDR=(CKY-R=0000000000000000, IKEv2)
Ending ike-scan 1.9: 1 hosts scanned in 0.346 seconds (2.89 hosts/sec). 0 returned handshake; 1 returned notify
C:\aruba\tools\ike-scan-win32-1.9>
If you see the last example above, where it says it got a NOTIFY, then you can assume there is a working IPSEC path on port 4500 from your machine to the controller.
Note the src port is specified to be 4501 to avoid any conflict with VPN software that may be on your PC; the RAP can also use 4501 as a source IP too. You can try with --sport=4500 as a test too, but it's very rare to see someone enforcing srcip in a firewall rule for UDP.
regards
jeff
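
Added example, not part of the original post and not part of ike-scan: a small Python classifier that reads captured ike-scan output and reports which of the three cases shown above it matches. The function name and verdict labels are made up for this example; the sample text is copied from the runs in the post, and treating a non-zero handshake count as a working path is an assumption.

```python
import re

# Patterns follow the ike-scan 1.9 output quoted in the post above.
SUMMARY = re.compile(r"Ending ike-scan [\d.]+: (\d+) hosts scanned in ([\d.]+) seconds"
                     r".*?(\d+) returned handshake; (\d+) returned notify")
NOTIFY = re.compile(r"^(\S+)\s+Notify message (\d+) \((\w+)\)", re.M)
RESOLVE_FAIL = re.compile(r'gethostbyname failed for "([^"]+)"')


def classify(output):
    """Return (verdict, detail) for the captured text of one ike-scan run."""
    failed = RESOLVE_FAIL.search(output)
    if failed and "No hosts to process" in output:
        return "dns-failure", failed.group(1)      # name never resolved, nothing was sent
    summary = SUMMARY.search(output)
    if not summary:
        return "unparsed", None                    # truncated or unexpected output
    handshakes, notifies = int(summary.group(3)), int(summary.group(4))
    if handshakes or notifies:
        # Any reply means UDP 4500 reached something that speaks IKE.
        # Counting a handshake as success is an assumption; the post only shows a notify.
        reply = NOTIFY.search(output)
        detail = f"{reply.group(1)} notify {reply.group(2)} {reply.group(3)}" if reply else "handshake"
        return "path-ok", detail
    return "no-response", f"{summary.group(1)} host(s), {summary.group(2)} s"


# Sample runs copied from the post (IP masked exactly as in the original).
NO_RESPONSE = """\
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
--- Pass 3 of 3 completed
Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify
"""
DNS_ERROR = """\
WARNING: gethostbyname failed for "via3.somewhere.com" - target ignored: Operation not permitted
ERROR: No hosts to process.
"""
NOTIFY_OK = """\
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
104.YY.XXX.ZZ Notify message 16390 (COOKIE) HDR=(CKY-R=0000000000000000, IKEv2)
Ending ike-scan 1.9: 1 hosts scanned in 0.346 seconds (2.89 hosts/sec). 0 returned handshake; 1 returned notify
"""

if __name__ == "__main__":
    for name, text in (("8.8.8.8", NO_RESPONSE), ("via3", DNS_ERROR), ("via", NOTIFY_OK)):
        print(name, classify(text))
```

A "no-response" verdict only says nothing answered on 4500/udp from where the test was run; it does not distinguish a firewall drop from a host that does not run IPsec.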