January 14th, 2003, 05:12 PM
L2TP over IPSec
I am trying to configure a VPN solution using L2TP over IPSec. Can anyone tell me what ports I need to open on the firewall to allow this traffic? Unless I'm mistaken I think that I need 1701 UDP, but what else? TIA
just making some minor adjustments to your system....
January 14th, 2003, 05:49 PM
Hey Jeb. I did a little searching on the MS Knowledge Base (assuming you are using Windoze) and found the following article that might help:
Microsoft Knowledge Base Article
If that doesn't help, you may find something else more interesting in the search results I got on the site:
Hope this helps Buddy.
Opinions are like holes - everybody's got 'em.
January 14th, 2003, 07:05 PM
If I am correct in assuming that you are trying to encapsulate L2TP with an IPSEC connection, there are some ports you will need to open. They are as follows:
IKE (UDP-500) *Assuming you are using IKE*
ESP (IP Protocol 50)
AH (IP Protocol 51)
**PLEASE NOTE: IP protocols 50 and 51 (ESP and AH respectively) do not represent a TCP or UDP port; they are completely different protocols, and the most common mistake is to try to open up TCP-50 and TCP-51. Let me know what kind of firewall you are using, and I will try to help out. You should also be aware that if you are using a SOHO type firewall, it may not support this!
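The "protocol, not port" distinction in the post above is easy to get wrong in a rule set, so here is an added example (not code from the thread or any poster) that models a default-deny packet filter and runs both rule sets against the traffic an L2TP/IPsec session produces. The Rule and Packet types, the constructed traffic, and the iptables rendering (Linux assumed; the thread does not say which firewall is in use) are assumptions for illustration only.

```python
# Added example, not from the thread: a tiny model of a stateless packet
# filter, used to show why "open TCP 50 and TCP 51" does not pass ESP/AH
# while "allow IP protocol 50 and 51" does. Everything here is an
# illustrative assumption, not a real firewall implementation.
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers: TCP, UDP, ESP, AH
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
PROTO_NAMES = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp",
               IPPROTO_ESP: "esp", IPPROTO_AH: "ah"}


@dataclass(frozen=True)
class Rule:
    proto: int                    # IP protocol number the rule matches
    dport: Optional[int] = None   # destination port; only meaningful for TCP/UDP


@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None   # ESP and AH carry no port field at all


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol is compared first; a port is only compared when the
    packet's protocol actually has ports (TCP/UDP)."""
    if rule.proto != pkt.proto:
        return False
    if rule.dport is None:
        return True
    return pkt.proto in (IPPROTO_TCP, IPPROTO_UDP) and pkt.dport == rule.dport


def allowed(rules: list, pkt: Packet) -> bool:
    """Default-deny filter: the packet passes if any rule matches."""
    return any(rule_matches(r, pkt) for r in rules)


# The mistake the post warns about: treating 50/51 as TCP ports.
WRONG_RULES = [
    Rule(IPPROTO_UDP, 500),    # IKE
    Rule(IPPROTO_UDP, 1701),   # L2TP
    Rule(IPPROTO_TCP, 50),     # wrong: ESP is IP protocol 50, not TCP port 50
    Rule(IPPROTO_TCP, 51),     # wrong: AH is IP protocol 51, not TCP port 51
]

# What the post actually asks for: protocols 50 and 51, with no port.
CORRECT_RULES = [
    Rule(IPPROTO_UDP, 500),
    Rule(IPPROTO_UDP, 1701),
    Rule(IPPROTO_ESP),
    Rule(IPPROTO_AH),
]

# Constructed sample of what an L2TP/IPsec session presents to the filter.
L2TP_IPSEC_TRAFFIC = {
    "ike":  Packet(IPPROTO_UDP, 500),
    "esp":  Packet(IPPROTO_ESP),
    "ah":   Packet(IPPROTO_AH),
    "l2tp": Packet(IPPROTO_UDP, 1701),
}


def check_policy(rules: list) -> dict:
    """Which parts of the session would this rule set let through?"""
    return {name: allowed(rules, pkt) for name, pkt in L2TP_IPSEC_TRAFFIC.items()}


def to_iptables(rules: list, chain: str = "INPUT") -> list:
    """Render the rules as iptables commands (Linux assumed for illustration;
    other firewalls express the same protocol-versus-port distinction differently)."""
    out = []
    for r in rules:
        cmd = f"iptables -A {chain} -p {PROTO_NAMES[r.proto]}"
        if r.dport is not None:
            cmd += f" --dport {r.dport}"
        out.append(cmd + " -j ACCEPT")
    return out


if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_RULES), ("correct", CORRECT_RULES)):
        print(label, check_policy(rules))
    print("\n".join(to_iptables(CORRECT_RULES)))
```

Running it shows the "wrong" policy passing IKE and L2TP but dropping every ESP and AH packet, which is exactly the symptom of a tunnel that negotiates but never carries data. One caveat worth keeping in mind: because the L2TP packets travel inside ESP, a firewall in front of the VPN endpoint only ever sees protocol 50 on the wire; the UDP 1701 rule matters on the endpoint itself, or when the firewall is the endpoint.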
January 26th, 2003, 08:24 PM
Also, be aware that if you try to NAT with AH, it will fail. This is obviously because NAT changes the packet headers and AH authenticates based on the header :-) ESP will be the only protocol type that you can use if you plan to NAT traffic. One more thing worth noting, most people think that port 500 is the default port for IPSec but this is not entirely true. As the post above indicates, this is for the IKE component. IPSec will traverse whatever port is available as long as the proper protocols are allowed through. Again, ESP and AH as mentioned above.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
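To make the AH-versus-NAT point above concrete, here is an added example (not code from the thread or any poster) that models the two integrity checks: AH's ICV covers the IP header with only the mutable fields zeroed, so the addresses are authenticated and a NAT rewrite fails verification, while ESP's ICV covers only the ESP header and payload and is indifferent to what happens to the outer header. The fixed 20-byte IPv4 header, HMAC-SHA256 truncated to 96 bits, the demo key and the "router" functions are simplifying assumptions for illustration, not a real IPsec stack.

```python
# Added example, not from the thread: a simplified model of the AH and ESP
# integrity checks, showing why AH breaks under NAT and ESP does not.
# Header layout, HMAC choice, key and hop functions are all constructed
# assumptions for the demo.
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-sa-key"   # constructed shared key for the demo


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64, total_len: int = 84) -> bytes:
    """Minimal 20-byte IPv4 header without options; checksum left as 0 here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_covered_view(hdr: bytes) -> bytes:
    """AH (RFC 4302) authenticates the IP header with mutable fields zeroed:
    TOS, flags/fragment offset, TTL and header checksum. Source and
    destination addresses are treated as immutable and stay covered."""
    b = bytearray(hdr)
    b[1] = 0                  # TOS / DSCP
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_icv(ip_hdr: bytes, ah_and_payload: bytes) -> bytes:
    """ICV over the (mutable-zeroed) IP header plus the AH header and payload."""
    return hmac.new(KEY, ah_covered_view(ip_hdr) + ah_and_payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_hdr_and_payload: bytes) -> bytes:
    """ESP's ICV covers the ESP header, payload and trailer; never the outer IP header."""
    return hmac.new(KEY, esp_hdr_and_payload, hashlib.sha256).digest()[:12]


def plain_router(hdr: bytes) -> bytes:
    """An ordinary forwarding hop: decrement TTL only."""
    b = bytearray(hdr)
    b[8] -= 1
    return bytes(b)


def nat_hop(hdr: bytes) -> bytes:
    """A source-NAT hop: decrement TTL and rewrite the source address."""
    b = bytearray(plain_router(hdr))
    b[12:16] = socket.inet_aton("198.51.100.7")   # constructed public address
    return bytes(b)


PAYLOAD = b"constructed L2TP payload bytes"
ESP_PACKET = struct.pack("!II", 0x1234, 1) + PAYLOAD   # SPI + sequence + payload


def ah_verifies_after(hop) -> bool:
    """Sender computes the AH ICV over its own header; the receiver recomputes
    it over the header as it actually arrived."""
    sent_hdr = ipv4_header("10.0.0.5", "203.0.113.10", 51)
    icv = ah_icv(sent_hdr, PAYLOAD)
    recv_hdr = hop(sent_hdr)
    return hmac.compare_digest(icv, ah_icv(recv_hdr, PAYLOAD))


def esp_verifies_after(hop) -> bool:
    """Same exchange with ESP: the outer header may change in flight, but the
    ICV input does not include it, so verification is unaffected."""
    sent_hdr = ipv4_header("10.0.0.5", "203.0.113.10", 50)
    icv = esp_icv(ESP_PACKET)
    hop(sent_hdr)
    return hmac.compare_digest(icv, esp_icv(ESP_PACKET))


if __name__ == "__main__":
    print("AH  through plain router:", ah_verifies_after(plain_router))   # True
    print("AH  through NAT:         ", ah_verifies_after(nat_hop))        # False
    print("ESP through NAT:         ", esp_verifies_after(nat_hop))       # True
```

The TTL decrement at a normal hop is harmless to AH because TTL is one of the zeroed mutable fields; the address rewrite is not, which is the whole reason AH and NAT cannot coexist. ESP passing this check only says its integrity protection survives; getting a port-less protocol through a port-based NAT device is a separate problem that the thread does not cover.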
January 26th, 2003, 10:38 PM
Indeed, L2TP over IPSec uses UDP port 1701.
The following link can make a few things clear, especially on this topic.