It really depends on the implementation.

I think that Cisco uses port 80 by default for NAT transparency.
Then, for example, Checkpoint FW-1 uses UDP 2746.
And I think the newest RFC draft I saw was to use ISAKMP (UDP 500) for this
one too.

However, encapsulation isn't enough. You will have to have an IKE session before
ESP encapsulation, so normally you could block UDP 500 to deny IPsec traffic
using IKE. Some implementations allow you to change this, though.

But then we have other VPN protocols such as CIPE
http://sites.inka.de/sites/bigred/devel/cipe.html
which are quite impossible for ISPs to block (if you don't block all UDP
ports).

rgds,
Harri
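
The point above (a port rule on UDP 500 stops working once NAT transparency moves IKE to another UDP port) can be checked with a port-independent classifier. This is an added example, not code from the thread: it recognises the fixed ISAKMP header on any UDP port, next to the protocol-level rules for ESP, GRE and PPTP that do not depend on ports. The sample datagrams are constructed bare IKE headers; the 4-byte non-ESP marker case follows the later UDP 4500 NAT-T encapsulation, which goes beyond what the thread mentions.

```python
import struct
from typing import Optional

# Fixed ISAKMP/IKE header (RFC 2408, same layout reused by IKEv2): 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix used by IKE over UDP 4500

IKE_EXCHANGES = {
    (1, 2): "IKEv1 main mode", (1, 4): "IKEv1 aggressive mode",
    (1, 5): "IKEv1 informational", (1, 32): "IKEv1 quick mode",
    (2, 34): "IKEv2 IKE_SA_INIT", (2, 35): "IKEv2 IKE_AUTH",
    (2, 36): "IKEv2 CREATE_CHILD_SA", (2, 37): "IKEv2 INFORMATIONAL",
}

def classify_udp_payload(payload: bytes) -> Optional[str]:
    """Label a UDP payload as IKE from its header alone, ignoring the port."""
    marked = payload.startswith(NON_ESP_MARKER)
    body = payload[4:] if marked else payload
    if len(body) < ISAKMP_HDR.size:
        return None
    ispi, _rspi, _next, version, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(body)
    major = version >> 4                  # high nibble is the major version
    if major not in (1, 2) or ispi == bytes(8):   # initiator cookie is never zero
        return None
    if length != len(body):               # header length must match the datagram
        return None
    label = IKE_EXCHANGES.get((major, exch))
    if label and marked:
        label += " (behind non-ESP marker)"
    return label

def classify_flow(proto: int, dport: int, payload: bytes = b"") -> Optional[str]:
    """Combine fixed-protocol/port rules with the port-independent IKE check."""
    if proto == 50:
        return "ESP"
    if proto == 47:
        return "GRE (PPTP data)"
    if proto == 6 and dport == 1723:
        return "PPTP control"
    if proto == 17:
        ike = classify_udp_payload(payload)
        if ike:
            return f"{ike} on UDP/{dport}"
    return None

# Constructed sample datagrams: bare IKE headers with no payloads (length 28).
IKEV1_MAIN = ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, 28)
IKEV2_INIT = ISAKMP_HDR.pack(b"\x22" * 8, bytes(8), 33, 0x20, 34, 0x08, 0, 28)

if __name__ == "__main__":
    for proto, port, data in [(17, 500, IKEV1_MAIN), (17, 80, IKEV1_MAIN),
                              (17, 4500, NON_ESP_MARKER + IKEV2_INIT), (50, 0, b"")]:
        print(proto, port, classify_flow(proto, port, data))
```

The same IKE header is flagged on UDP 500 and on UDP 80, which is what a port-only block on 500 misses.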


-----Original Message-----
From: ext Daniel Ashley [mailto:[EMAIL PROTECTED]]
Sent: 27 November, 2001 16:16
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: ISPs that don't allow IPSEC protocol thru


By using NAT transparency, it shoves it out port 80 instead of 1723 & 500.
So using NAT transparency as a workaround is relevant to them blocking
useful ports.

Daniel



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, November 26, 2001 10:55 PM
To: [EMAIL PROTECTED]
Subject: Re: ISPs that don't allow IPSEC protocol thru


  I believe it was actually ComCast, a reseller of @home cable
service.  I believe they block GRE and perhaps also ports used by
IKE; this has nothing to do with NAT.
  They also clearly include VPN usage as prohibited by their AUP,
along with bandwidth reselling and other commercial uses.  So their
network policy of blocking this traffic is enforcement of a written
policy by which users are (allegedly) already bound.

DG


On 26 Nov 2001, at 17:27, Ron DuFresne wrote:

>
> I recall a year or two ago Road Runner announcing they prohibit IPsec and
> other security tunnels from their user accounts; they consider such
> connections other than mere home user accounts and looked to be pushing
> for a tad more cash from those 'business' accounts.
>
> Thanks,
>
> Ron DuFresne
>
> On Mon, 26 Nov 2001 [EMAIL PROTECTED] wrote:
>
> > Does anyone know where I can find a list of ISPs that DON'T let the
> > IPSEC protocol thru?  The reason I ask is that my users are asking who they
> > can use for VPNs and who they can't.  I am working for a global company, so
> > I can't just check with the local ISPs, because we have workers all
> > over the world.
> >
> > Thanks in advance for your help
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
>       ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.
>
