> -----Original Message-----
> From: Amit Kaushal [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 23 August 2000 10:21 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re[2]: When to NAT
> 
> Hey list,
> I have a couple of questions for the list. Any answers will be appreciated.
> 
> 1) I would like to know what ports I would have to open in order to allow PPTP,
>    L2TP and IPSEC through the firewall (in general) or what default TCP ports
>    do these services use?

Here's a brief overview - references are provided for you to look up the
fine detail yourself.

L2TP has the registered port 1701 tcp and udp. The standard encapsulation
method for IP transports is UDP. The RFC allows for another transport
(perhaps over TCP) to be negotiated, but that would be a vendor specific
option. Since most people run a reliable transport (TCP, SPX etc.) inside the
tunneled PPP connection UDP is enough (the tunneled session can recover from
dropped packets). The RFC explicitly allows the use of callbacks (incoming
data from a previously unused source port) which does terrible things to
both NAT and firewalls. Implementors are urged to _not_ pick a different
source port for the reply, but who knows how many took that advice? [1]

IPSec uses UDP port 500 for IKE (key negotiation). For IPSec to work a
firewall _also_ needs to pass IP protocols 50 and 51 (ESP and AH). IPSec
hates NAT. [2]

PPTP uses TCP port 1723 for authentication and IP protocol 47 (GRE) for the
tunneled data. [3]

If you're looking at VPN solutions then it's likely that you don't actually
want "raw" L2TP. That's really only used for dial-up cost reduction. You
probably actually want L2TP over IPSec. The L2TP/IPSec flag is being carried
most strongly by Microsoft - essentially, an L2TP packet is carried as the
payload in an IPSec packet - this allows for various good things to happen.
This means that you can ignore the L2TP ports because that's all inside the
IPSec payload.[4]

> 2) PPTP is a standard for windows clients and is used widely with other
> Operating systems as well.

Widely used on non-M$ boxen? Uh....maybe not. PPTP is unpretty, crypto-wise.
The one good thing is that it works fine through NAT.

> What are the alternatives for UNIX boxes?

Anything. There's some new fancy-pants VPN solution popping up every second
week. In terms of ones I "trust", SSH works well in many cases but has
limitations. IPSec is the best all-around IP level VPN (IMO) but the
protocol is complicated and baroque. There are free implementations of
IPSec.

> Thanks for the answers in advance?

Cheers,

[1] http://www.ietf.org/rfc/rfc2661.txt
[2] http://www.ietf.org/html.charters/ipsec-charter.html
[3] http://www.ietf.org/rfc/rfc2637.txt
[4] http://www.microsoft.com/technet/win2000/win2ksrv/technote/msppna.asp
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
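An added diagnostic, not from the mail above or from the firewalls list: it takes netfilter-style dropped-packet log lines (the log format and the sample lines are constructed here, not real traffic) and reports which components of a given VPN type (PPTP, IPSec, raw L2TP, or L2TP/IPSec) the firewall is dropping, using the TCP/UDP ports and IP protocol numbers listed in the reply.

```python
import re

# Firewall pass-list from the reply: (IP protocol number, destination port or None).
COMPONENTS = {
    (6, 1723): "PPTP control (TCP/1723)",
    (47, None): "PPTP data (GRE, IP proto 47)",
    (17, 500): "IPSec IKE (UDP/500)",
    (50, None): "IPSec ESP (IP proto 50)",
    (51, None): "IPSec AH (IP proto 51)",
    (17, 1701): "L2TP (UDP/1701)",
}
VPN_RULES = {
    "pptp": {(6, 1723), (47, None)},
    "ipsec": {(17, 500), (50, None), (51, None)},
    "l2tp": {(17, 1701)},
}
# L2TP/IPSec: the L2TP packet rides inside IPSec, so only the IPSec set matters.
VPN_RULES["l2tp/ipsec"] = VPN_RULES["ipsec"]

PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "GRE": 47, "ESP": 50, "AH": 51}  # names netfilter LOG uses
_LOG_RE = re.compile(r"PROTO=(?P<proto>\w+)(?:.*?\bDPT=(?P<dpt>\d+))?")

def parse_log_line(line):
    """Return (protocol number, destination port or None), or None if unparsable."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    proto = m.group("proto")
    num = int(proto) if proto.isdigit() else PROTO_NUMBERS.get(proto.upper())
    if num is None:
        return None
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    return (num, dpt if num in (6, 17) else None)  # ports only mean something for TCP/UDP

def blocked_vpn_components(log_lines, vpn):
    """Names of the given VPN's components that appear in dropped-packet log lines."""
    hits = set()
    for line in log_lines:
        key = parse_log_line(line)
        if key in VPN_RULES[vpn]:
            hits.add(COMPONENTS[key])
    return sorted(hits)

# Constructed sample of netfilter-style DROP log lines (RFC 5737 test addresses).
SAMPLE_LOGS = [
    "kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=UDP SPT=500 DPT=500",
    "kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=ESP SPI=0x1a2b3c4d",
    "kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=40211 DPT=1723",
    "kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=47 LEN=84",
    "kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP SPT=5123 DPT=80",
]
```

Running `blocked_vpn_components(SAMPLE_LOGS, "ipsec")` on the sample names IKE and ESP as blocked, which is exactly the "IPSec also needs protocols 50 and 51" trap from the reply; a matching rule set would have to pass those IP protocols, not just a port.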