Craig Caughlin wrote:
Hi folks,
Would it be accurate to say: Whenever you're attempting to set up a VPN, if
one of the LANs that you're attempting to connect to (or even an individual
box for that matter) is behind a router (LEAF variation, Cisco, Linksys,
etc.), you'll need to confirm that the router will allow traffic to pass
through on Ports 500, 50 and 51? As a "generalization", would that be
correct? If someone could clarify this for me (or perhaps point me to a web
reference?), that would be great. Thanks!
Close, but not quite.

For IPSec, which is what it seems like you're talking about, you need to pass traffic for:

UDP Protocol Port 500

-and one or both of-
ESP Protocol (50)
AH Protocol (51)

UDP port 500 traffic is used to authenticate and set up security associations (SAs). The ESP/AH protocols are actually used to send the encrypted data.

NOTE: Since getting protocols 50 & 51 to traverse masquerading firewalls can be a problem, there are recent versions of IPSec that support "NAT Traversal", by using UDP instead of ESP or AH for the data payloads. IIRC, the same UDP port 500 is typically used, allowing one rule to cover all VPN traffic.
--
Charles Steinkuehler
[EMAIL PROTECTED]
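The distinction the reply draws, that ESP and AH are IP protocol numbers (50 and 51) while IKE is UDP port 500, is the part that usually goes wrong in practice. The following is an added example for this thread, not code from the leaf-user list or from LEAF: a small match model that shows a rule set opening "ports 50 and 51" lets ESP/AH through nowhere, plus a renderer that turns the correct rules into iptables commands. The packet shapes, rule lists and sample flows are constructed for illustration; UDP 4500 is included because that is the port RFC 3947/3948 NAT-Traversal encapsulation uses.

```python
"""Which traffic an IPsec VPN needs a packet-filtering router to pass.

Constructed example for the leaf-user thread above; not LEAF's own code.
Models a tiny ACCEPT-rule match engine so the difference between an IP
protocol number (ESP = 50, AH = 51) and a UDP/TCP port (IKE = UDP 500)
is visible, and renders the rules as iptables commands.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50    # Encapsulating Security Payload: an IP protocol, not a port
IPPROTO_AH = 51     # Authentication Header: likewise
IKE_PORT = 500      # ISAKMP/IKE, carried over UDP
NATT_PORT = 4500    # ESP-in-UDP for NAT traversal (RFC 3947/3948)

# Names iptables accepts for -p; fall back to the number for anything else.
PROTO_NAMES = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp",
               IPPROTO_ESP: "esp", IPPROTO_AH: "ah"}


@dataclass(frozen=True)
class Packet:
    """Just enough header to filter on: IP protocol and, for TCP/UDP, dport."""
    proto: int
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """An ACCEPT rule. dport=None means any port, or a protocol with no ports."""
    proto: int
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        return self.dport is None or pkt.dport == self.dport

    def iptables(self, chain: str = "FORWARD") -> str:
        """Render as one iptables command (one direction only)."""
        match = f"-p {PROTO_NAMES.get(self.proto, str(self.proto))}"
        if self.dport is not None:
            match += f" --dport {self.dport}"
        return f"iptables -A {chain} {match} -j ACCEPT"


# What the reply above says to pass, plus the NAT-T port.
IPSEC_RULES: List[Rule] = [
    Rule(IPPROTO_UDP, IKE_PORT),   # IKE: negotiates the SAs
    Rule(IPPROTO_ESP),             # ESP: encrypted payload
    Rule(IPPROTO_AH),              # AH: authenticated payload
    Rule(IPPROTO_UDP, NATT_PORT),  # NAT-T: ESP wrapped in UDP
]

# The misreading of "ports 500, 50 and 51" as three UDP/TCP ports.
PORT_MISTAKE_RULES: List[Rule] = [
    Rule(IPPROTO_UDP, 500),
    Rule(IPPROTO_UDP, 50), Rule(IPPROTO_TCP, 50),
    Rule(IPPROTO_UDP, 51), Rule(IPPROTO_TCP, 51),
]

# Constructed sample flows as they would arrive at the router.
SAMPLE_TRAFFIC = [
    ("IKE negotiation", Packet(IPPROTO_UDP, IKE_PORT)),
    ("ESP data", Packet(IPPROTO_ESP)),
    ("AH data", Packet(IPPROTO_AH)),
    ("NAT-T ESP-in-UDP", Packet(IPPROTO_UDP, NATT_PORT)),
    ("stray UDP to port 50", Packet(IPPROTO_UDP, 50)),
    ("SSH", Packet(IPPROTO_TCP, 22)),
]


def permitted(rules: List[Rule], pkt: Packet) -> bool:
    """First-match-wins ACCEPT semantics; anything unmatched is dropped."""
    return any(r.matches(pkt) for r in rules)


def audit(rules: List[Rule]) -> Dict[str, bool]:
    """Map each sample flow to whether the rule set lets it through."""
    return {label: permitted(rules, pkt) for label, pkt in SAMPLE_TRAFFIC}


def iptables_commands(rules: List[Rule], chain: str = "FORWARD") -> List[str]:
    return [r.iptables(chain) for r in rules]


if __name__ == "__main__":
    for name, rules in (("correct", IPSEC_RULES), ("port mistake", PORT_MISTAKE_RULES)):
        print(f"== {name} ==")
        for label, ok in audit(rules).items():
            print(f"  {'pass' if ok else 'DROP':4}  {label}")
    print("\n".join(iptables_commands(IPSEC_RULES)))
```

The rendered commands cover a single direction on the FORWARD chain; a router that is itself the tunnel endpoint needs the equivalents on INPUT, and both directions of every flow have to be allowed. The audit of `PORT_MISTAKE_RULES` is the check to run against any "open ports 50 and 51" advice: the ESP and AH packets are dropped while an unrelated UDP datagram to port 50 sails through.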

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html