L2TP over IPSec

[ol jeb]

Hey all,

I am trying to configure a VPN solution using L2TP over IPSec. Can anyone tell me what ports I need to open on the firewall to allow this traffic? Unless I'm mistaken I think that I need 1701 UDP, but what else? TIA

[t2k2]

Hey Jeb. I did a little searching on the MS Knowledge Base (assuming you are using Windoze ) and found the following article that might help:

Microsoft Knowledge Base Article

If that doesn't help, you may find something else more interesting in the search results I got on the site:

Search Results


Hope this helps Buddy.


t2k2

[iNViCTuS]

If I am correct in assuming that you are trying to encapsulate L2TP with an IPSEC connection, there are some ports you will need to open. They are as follows:

IKE (UDP-500) *Assuming you are using IKE*
ESP (IP Protocol 50)
AH (IP Protocol 51)

**PLEASE NOTE: IP protocol 50 and 51 for ESP and AH respectively do not represent a TCP or UDP port they are completely different protocols, and the most common mistake is to try to open up TCP-51 and TCP-51. Let me know what kind of firewall you are using, and I will try to help out. You should also be aware that if you are using a SOHO type firewall, it may not support this!!

[thehorse13]

Also, be aware that if you try to NAT with AH, it will fail. This is obviously because NAT changes the packet headers and AH authenticates based on the header :-) ESP will be the only protocol type that you can use if you plan to NAT traffic. One more thing worth noting, most people think that port 500 is the default port for IPSec but this is not entirely true. As the post above indicates, this is for the IKE component. IPSec will traverse whatever port is available as long as the proper protocols are allowed through. Again, ESP and AH as mentioned above.

[Shrekkie]

Hi,

Indeed L2TP over IPSec uses port UDP 1701.
Following link can make a few things clear, especially on this topic.

http://adsl.cutw.net/l2tp/w2k-info.html

Enjoy,

Greetz.