tiger9

join:2005-08-01
Ont,Canada

PPTP/L2TP ports to forward

I have a VPN server sitting behind a NAT [S2K3]. It's running L2TP/IPSec and PPTP. I'd just like to double check that to enable users to connect to the VPN, I have to port forward:
TCP/1723 + IP/47 [GRE] for PPTP
UDP/500 [IKE] + IP/50 [ESP] for L2TP

Thanks.


rjs1003

join:2002-12-04
united kingd

Your PPTP port/protocol combination is correct.

For L2TP/IPSec... well, if you didn't have NAT involved you'd be correct, but the mode of IPSec used by L2TP/IPSec connections doesn't work naturally through NAT, so Microsoft use NAT-Traversal (NAT-T) which puts the ESP packet inside another UDP packet, and usually transmits this on port 4500.
So in other words, for L2TP/IPSec you probably just want UDP ports 500 and 4500.

Just to emphasize what I'm saying:
if you run L2TP/IPSec on the NAT box (firewall/gateway/router) you'd want to open UDP 500 + ESP.
If the VPN server is _behind_ the NAT box you want UDP 500 + UDP 4500.

Bob
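The NAT-T encapsulation Bob describes, as an added Python example that is not part of this thread: it builds the UDP/4500 wrapper around an ESP header as RFC 3948 lays it out, shows a NAT rewriting the outer UDP source port (something it has no field to rewrite on raw IP/50 ESP), and shows how the receiver tells IKE from ESP arriving on the same port. SPI values, sequence numbers and the payload bytes are constructed; the payload only stands in for real encrypted data.

```python
import struct

NAT_T_PORT = 4500                       # UDP port NAT-T uses for encapsulated ESP and IKE
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # zero prefix marking IKE on port 4500; an ESP SPI is never 0

def udp_header(src_port, dst_port, payload_len):
    # Checksum 0 means "no checksum" for UDP over IPv4; a NAT recomputes it anyway.
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)

def udp_encap_esp(spi, seq, encrypted_payload, src_port=NAT_T_PORT):
    """Wrap an ESP header (SPI, sequence number) plus payload in UDP, as NAT-T does.
    The ESP header follows the UDP header directly, with no marker in between."""
    esp = struct.pack("!II", spi, seq) + encrypted_payload
    return udp_header(src_port, NAT_T_PORT, len(esp)) + esp

def udp_encap_ike(ike_message, src_port=NAT_T_PORT):
    """IKE that has moved to port 4500 is prefixed with the 4-byte Non-ESP marker."""
    body = NON_ESP_MARKER + ike_message
    return udp_header(src_port, NAT_T_PORT, len(body)) + body

def src_port_of(datagram):
    return struct.unpack("!H", datagram[:2])[0]

def napt_rewrite_src_port(datagram, new_port):
    """What a NAT box can do to a UDP datagram: choose a new source port so several inside
    hosts can share one public address. Raw ESP (IP protocol 50) carries no port field, so
    a NAT has nothing to rewrite and can only hand it to one fixed inside host."""
    _, dst, length, _ = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_port, dst, length, 0) + datagram[8:]

def demux_4500(datagram):
    """Receiver side: tell IKE from ESP on UDP/4500 by inspecting the first four bytes."""
    _, _, length, _ = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    body = datagram[8:]
    if body[:4] == NON_ESP_MARKER:
        return ("IKE", body[4:])
    spi, seq = struct.unpack("!II", body[:8])
    return ("ESP", spi, seq, body[8:])

if __name__ == "__main__":
    # Constructed sample: 16 bytes stand in for the encrypted ESP payload.
    esp_pkt = udp_encap_esp(spi=0x12345678, seq=1, encrypted_payload=b"\xaa" * 16)
    translated = napt_rewrite_src_port(esp_pkt, 61000)       # NAT changed the outer port...
    print(src_port_of(translated), demux_4500(translated))   # ...SPI and sequence still arrive intact
    print(demux_4500(udp_encap_ike(b"\x01" * 28)))
```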


tiger9

join:2005-08-01
Ont,Canada

1 edit

Really? I thought I could just forward IP/50 [ESP] on to the server. Thanks, though.

EDIT - Isn't IPSec ESP compatible with NAT? I know that IPSec AH [51] isn't, but my sources say that ESP is OK with it.



Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12

said by tiger9:

Really? I thought I could just forward IP/50 [ESP] on to the server. Thanks, though.

EDIT - Isn't IPSec ESP compatible with NAT? I know that IPSec AH [51] isn't, but my sources say that ESP is OK with it.

Microsoft doesn't recommend IPSec NAT-T (UDP 4500) for a VPN server behind NAT: »support.microsoft.com/kb/885348

You're likely to experience problems with clients behind NAT with IPSec/L2TP if you can't enable it though.
--
Linux Haters Unite!