PPTP/L2TP ports to forward in Virtual Private Networking http://www.dslreports.com/forum/r20970761 en Wed, 11 Nov 2009 12:13:55 EDT Wed, 11 Nov 2009 12:13:55 EDT Re: PPTP/L2TP ports to forward http://www.dslreports.com/forum/remark,21029489 Matt :
said by tiger9 See Profile :

Really? I thought I could just forward IP/50 [ESP] on to the server. Thanks, though.

EDIT - Isn't IPSec ESP compatible with NAT? I know that IPSec AH [51] isn't, but my sources say that ESP is OK with it.
Microsoft doesn't recommend IPSec NAT-T (UDP 4500) for a VPN server behind NAT: »support.microsoft.com/kb/885348

You're likely to experience problems with clients behind NAT with IPSec/L2TP if you can't enable it though.
--
Linux Haters Unite!]]> http://www.dslreports.com/forum/remark,21029489 Fri, 29 Aug 2008 22:16:14 EDT Re: PPTP/L2TP ports to forward http://www.dslreports.com/forum/remark,20973202 tiger9 : Really? I thought I could just forward IP/50 [ESP] on to the server. Thanks, though.

EDIT - Isn't IPSec ESP compatible with NAT? I know that IPSec AH [51] isn't, but my sources say that ESP is OK with it.]]> http://www.dslreports.com/forum/remark,20973202 Tue, 19 Aug 2008 09:42:20 EDT Re: PPTP/L2TP ports to forward http://www.dslreports.com/forum/remark,20972643 rjs1003 : Your PPTP port/protocol combination is correct.

For L2TP/IPSec... well, if you didn't have NAT involved you'd be correct, but the mode of IPSec used by L2TP/IPSec connections doesn't work naturally through NAT, so Microsoft use NAT-Traversal (NAT-T) which puts the ESP packet inside another UDP packet, and usually transmits this on port 4500.
So in other words, for L2TP/IPSec you probably just want UDP ports 500 and 4500.

Just to emphasize what I'm saying:
if you run L2TP/IPSec on the NAT box (firewall/gateway/router) you'd want to open UDP 500 + ESP.
If the VPN server is _behind_ the NAT box you want UDP 500 + UDP 4500.

Bob]]> http://www.dslreports.com/forum/remark,20972643 Tue, 19 Aug 2008 04:33:19 EDT PPTP/L2TP ports to forward http://www.dslreports.com/forum/remark,20970761 tiger9 : I have a VPN server sitting behind a NAT [S2K3]. It's running L2TP/IPSec and PPTP. I'd just like to double check that to enable users to connect to the VPN, I have to port forward :
TCP/1723 + IP/47 [GRE] for PPTP
UDP/500 [IKE] + IP/50 [ESP] for L2TP

Thanks.]]> http://www.dslreports.com/forum/remark,20970761 Mon, 18 Aug 2008 19:18:45 EDT