25

I have a firewall/router (not doing NAT).

I've googled and seen conflicting answers. It seems UDP 500 is the common one. But the others are confusing: 1701, 4500.

And some say I need to also allow gre 50, or 47, or 50 & 51.

Ok, which ports are the correct ones for IPSec/L2TP to work in a routed environment without NAT? i.e. I want to use the built in windows client to connect to a VPN behind this router/firewall.

Perhaps a good answer here is to specify which ports to open for different situations. I think this would be useful for many people.

hookenz

3 Answers

34

Here are the ports and protocols:

  • Protocol: UDP, port 500 (for IKE, to manage encryption keys)
  • Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode)
  • Protocol: ESP, value 50 (for IPSEC)
  • Protocol: AH, value 51 (for IPSEC)

Also, Port 1701 is used by the L2TP Server, but connections should not be allowed inbound to it from outside. There is a special firewall rule to allow only IPSEC secured traffic inbound on this port.

If using IPTABLES, and your L2TP server sits directly on the internet, then the rules you need are:

iptables -A INPUT -i $EXT_NIC -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $EXT_NIC -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $EXT_NIC -p 50 -j ACCEPT
iptables -A INPUT -i $EXT_NIC -p 51 -j ACCEPT
iptables -A INPUT -i $EXT_NIC -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

Where $EXT_NIC is your external network interface card name, e.g. ppp0.

slm
David Lomax
    I found I don't need ESP & AH as I'm not using IPSEC directly but IPSEC over L2TP with NAT. So I am able to get away with ports 500,4500,1701. Interesting comment about the special rule for 1701. I'll have to try that as soon as I figure out how to configure it with Mikrotik. – hookenz Sep 18 '14 at 23:08
6

IPsec needs UDP port 500 + IP protocols 50 and 51 - but you can use NAT-T instead, which needs UDP port 4500. On the other hand, L2TP uses UDP port 1701. If you are trying to pass IPsec traffic through a "regular" Wi-Fi router and there is no such option as IPSec pass-through, I recommend opening ports 500 and 4500. At least that is how it works on mine. Hope this helps.

1

Okay.

Actually - It depends.

I have Ubuntu L2TP\IPSEC server behind NAT.

If your L2TP\IPsec server sits behind NAT, in this case on your gateway (with NAT) you need to make port forwards for the following ports and protocols:

500 UDP
4500 UDP
1701 UDP

The point in this case: there is no need to forward ESP or AH.

Also, when the server sits behind NAT, Windows OS clients by default can NOT connect to such a server; you need to add to the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
AssumeUDPEncapsulationContextOnSendRule = 2 (type dword32)

If the server sits directly on the internet

UDP 500
UDP 4500

only need to be opened on the WAN interface. That's it.

Windows OS clients do not need any registry edits in this case.

The information is checked by practice.

===

Update (2021.04.23):

If you use IPsec for dynamic VPN then enabling the ESP\AH protocols on the firewall is NOT needed.

However, if you use IPsec for site-to-site tunnels (between two routers with Internet IP addresses), then you also need to enable on the firewall

ESP protocol
AH protocol

Alex
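As an added example (not from any of the answers above), here is a small POSIX shell script that prints the iptables rule set for the two placements discussed in the first and third answers: the server's WAN interface directly on the Internet, and a NAT gateway in front of the server. The interface names, the internal server address 192.0.2.10 and the function names are assumptions made for this example; the script only prints the rules so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from any answer on this page. Prints iptables rules for
# the two placements discussed above; nothing is applied, the output is
# reviewed first and then run as root. Interface names, the internal address
# and the function names are assumptions made for this example.

# Server WAN interface directly on the Internet (first answer): IKE on UDP 500,
# NAT-T on UDP 4500, ESP (IP protocol 50) and AH (IP protocol 51), and L2TP on
# UDP 1701 only when the packet arrived inside an IPsec SA (-m policy). The
# final rule drops any plaintext 1701 so L2TP is never reachable unprotected.
rules_server_direct() {
    ext="$1"
    cat <<EOF
iptables -A INPUT -i $ext -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $ext -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $ext -p esp -j ACCEPT
iptables -A INPUT -i $ext -p ah -j ACCEPT
iptables -A INPUT -i $ext -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -i $ext -p udp --dport 1701 -j DROP
EOF
}

# NAT gateway in front of the server (third answer): forward UDP 500, 4500 and
# 1701 to the internal server. ESP is carried inside UDP 4500 (NAT-T), so no
# ESP/AH forward is needed; the server itself still applies the -m policy rule
# above for 1701 on its own INPUT chain.
rules_gateway_nat() {
    ext="$1"
    server="$2"
    for port in 500 4500 1701; do
        echo "iptables -t nat -A PREROUTING -i $ext -p udp --dport $port -j DNAT --to-destination $server"
        echo "iptables -A FORWARD -i $ext -d $server -p udp --dport $port -j ACCEPT"
    done
}

# Usage: sh l2tp_rules.sh direct ppp0
#        sh l2tp_rules.sh nat eth0 192.0.2.10   (192.0.2.10 is an assumed LAN address)
case "${1:-}" in
    direct) rules_server_direct "$2" ;;
    nat)    rules_gateway_nat "$2" "$3" ;;
esac
```

The two functions make the difference between the scenarios explicit: the direct placement needs ESP and AH as raw IP protocols plus the policy-matched 1701 rule, while the NAT placement forwards only the three UDP ports because NAT-T wraps ESP in UDP 4500.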