IPSec and L2TP

Hello,

When following article Q240262 I came across a question. If you specify the IPSec filters as described (i.e. exactly the same on both source and destination), this would allow only an L2TP connection to be initiated from the destination to the source machine. Mirroring of the IPSec rules only accounts for answers but, as far as I know, does not mirror the ports (i.e. if source port 1701 is allowed from machine A, the mirror rule will specify that machine A can be used as a destination for port 1701, NOT that machine A will allow all ports). How come the configuration still works, even when the L2TP tunnel is set up from the other side than specified in the policy?

Thanks,

Martin
 
It works because in the case of L2TP, both source and dst ports are 1701. In
one direction you'll hit your 1701 filter, in the other you'll hit the Any
filter.
The author of the article appears to have attempted to make a few
simplifications to the steps which is probably fine for a novice just trying
to get the job done, but does pose some head-scratchers for those attempting
to really get a handle on the intricacies of an ipsec policy.
Additionally, I think there are some performance enhancements invoked by
using the Any filter which would be trivial for a client, but might be
important for an RRAS server.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
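To make the answer concrete, here is a small model of IPsec filter mirroring (added example, not from the thread or from any Microsoft documentation). It assumes a single article-style filter "A -> B, Any -> port" configured identically on both hosts, and shows that L2TP (1701 -> 1701) matches in both directions while a constructed service on port 5000 reached from an ephemeral source port only matches when A initiates.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # the "Any" port in an IPsec filter

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Filter:
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (self.src == pkt.src and self.dst == pkt.dst
                and self.src_port in (ANY, pkt.src_port)
                and self.dst_port in (ANY, pkt.dst_port))

    def mirror(self) -> "Filter":
        # Mirroring swaps addresses and ports; a specific port stays specific.
        return Filter(self.dst, self.src, self.dst_port, self.src_port)

def mirrored_policy(src: str, dst: str, dst_port: int) -> list[Filter]:
    """The article-style filter, identical on both hosts: src -> dst, Any -> dst_port, mirrored."""
    f = Filter(src, dst, ANY, dst_port)
    return [f, f.mirror()]

def initiation_allowed(policy: list[Filter], pkt: Packet) -> bool:
    """True if the first packet of a session matches some filter in the policy."""
    return any(f.matches(pkt) for f in policy)

def which_directions_work(dst_port: int, client_src_port: int) -> dict:
    """Try initiating from A and from B against the same mirrored A -> B policy."""
    policy = mirrored_policy("A", "B", dst_port)
    return {
        "A_initiates": initiation_allowed(policy, Packet("A", "B", client_src_port, dst_port)),
        "B_initiates": initiation_allowed(policy, Packet("B", "A", client_src_port, dst_port)),
    }

# L2TP: both ports are 1701, so either host can initiate under the same policy.
L2TP = which_directions_work(1701, client_src_port=1701)
# Constructed contrast: a service on 5000 reached from an ephemeral source port (49152).
EPHEMERAL = which_directions_work(5000, client_src_port=49152)
```

When B initiates L2TP the packet is matched by the mirror filter (source 1701, destination Any), which is the "Any filter" David refers to; with an ephemeral source port that mirror filter never matches.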
