Linux – Which ports for IPSEC/L2TP

Tags: firewall, ipsec, iptables, l2tp, linux

I have a firewall/router (not doing NAT).

I've googled and seen conflicting answers. It seems UDP 500 is the common one. But the others are confusing. 1701, 4500.

And some say I need to also allow gre 50, or 47, or 50 & 51.

Ok, which ports are the correct ones for IPSec/L2TP to work in a routed environment without NAT? i.e. I want to use the built-in Windows client to connect to a VPN behind this router/firewall.

Perhaps a good answer here is to specify which ports to open for different situations. I think this would be useful for many people.

Best Answer

Here are the ports and protocols:

  • Protocol: UDP, port 500 (for IKE, to manage encryption keys)
  • Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode)
  • Protocol: ESP, value 50 (for IPSEC)
  • Protocol: AH, value 51 (for IPSEC)

Also, Port 1701 is used by the L2TP Server, but connections should not be allowed inbound to it from outside. There is a special firewall rule to allow only IPSEC secured traffic inbound on this port.

If using IPTABLES, and your L2TP server sits directly on the internet, then the rules you need are:

# IKE (UDP 500): key exchange and SA negotiation
iptables -A INPUT -i $EXT_NIC -p udp --dport 500 -j ACCEPT
# IKE and ESP encapsulated in UDP (NAT-Traversal, UDP 4500)
iptables -A INPUT -i $EXT_NIC -p udp --dport 4500 -j ACCEPT
# ESP (IP protocol 50): the encrypted tunnel payload
iptables -A INPUT -i $EXT_NIC -p 50 -j ACCEPT
# AH (IP protocol 51): authentication header
iptables -A INPUT -i $EXT_NIC -p 51 -j ACCEPT
# L2TP (UDP 1701): accept only packets that arrived inside an IPsec SA
iptables -A INPUT -i $EXT_NIC -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

Where $EXT_NIC is your external network interface card name, e.g. ppp0.
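As an added example (not part of the answer above), the script below turns the port list into a small POSIX shell helper that covers both placements: the answer's case, where the L2TP server itself sits on the internet (INPUT chain), and the asker's case, a routed firewall without NAT in front of the server (FORWARD chain). It goes slightly beyond the answer in one respect: on the router, no UDP 1701 rule is needed at all, because L2TP travels inside ESP and the router never sees port 1701 in the clear; the `-m policy` rule only belongs on the host that decrypts. It also includes an audit function that flags any ACCEPT for UDP 1701 that is not restricted to IPsec-protected traffic. The function names, the interface names and the address 192.0.2.10 are constructed for illustration; nothing is applied unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the original answer. Interface names, the
# server address and the function names are hypothetical/constructed.

# run_rule: print the iptables command; execute it only when APPLY=1.
run_rule() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

# l2tp_ipsec_rules MODE IFACE [SERVER_IP]
#   host    : L2TP server directly on the internet -> INPUT chain. UDP 1701
#             is accepted only for packets that arrived inside an IPsec SA.
#   forward : routed firewall (no NAT) in front of the server -> FORWARD
#             chain, restricted to the server address. L2TP rides inside
#             ESP, so the router needs no UDP 1701 rule.
l2tp_ipsec_rules() {
    mode=$1; iface=$2; server=$3
    case "$mode" in
        host)    chain=INPUT;   dst="" ;;
        forward)
            [ -n "$server" ] || { echo "forward mode needs SERVER_IP" >&2; return 2; }
            chain=FORWARD; dst="-d $server" ;;
        *) echo "usage: l2tp_ipsec_rules host|forward IFACE [SERVER_IP]" >&2; return 2 ;;
    esac
    # $dst is deliberately unquoted: empty in host mode, two words otherwise.
    run_rule -A "$chain" -i "$iface" $dst -p udp --dport 500  -j ACCEPT  # IKE
    run_rule -A "$chain" -i "$iface" $dst -p udp --dport 4500 -j ACCEPT  # NAT-T
    run_rule -A "$chain" -i "$iface" $dst -p esp -j ACCEPT               # protocol 50
    run_rule -A "$chain" -i "$iface" $dst -p ah  -j ACCEPT               # protocol 51
    if [ "$mode" = host ]; then
        run_rule -A INPUT -i "$iface" -p udp -m policy --dir in --pol ipsec --dport 1701 -j ACCEPT
    fi
}

# audit_1701: read iptables-save style lines on stdin; return 1 if any
# ACCEPT for UDP 1701 lacks the "--pol ipsec" restriction.
audit_1701() {
    bad=$(grep -- '--dport 1701' | grep -- '-j ACCEPT' | grep -v -- '--pol ipsec') || true
    if [ -n "$bad" ]; then
        echo "UNSAFE: UDP 1701 accepted without IPsec policy match:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Usage (dry run; set APPLY=1 to really insert the rules):
#   l2tp_ipsec_rules host ppp0
#   l2tp_ipsec_rules forward eth0 192.0.2.10
#   iptables-save | audit_1701
```

Run the host form on the VPN server and the forward form on the router; pipe `iptables-save` through `audit_1701` afterwards to confirm that port 1701 is never reachable outside an IPsec SA.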