Ports And Protocols which need to be open on Firewall


Dennis van Vroonhoven

Hi,

I have a W2K server (SP4) with Routing and Remote Access based on the L2TP/IPSec
protocol installed. When connecting to the internal network card it's no
problem. When connecting to the external network card (inside the firewall)
connecting is also no problem. When using a connection outside the
firewall (just a dialup connection, a connection from another company or
from home with a cable connection) connecting is not possible. I have a
managed firewall and the question is which ports and protocols need to be
open from internal to external and from external to internal.

I've asked to open the following ports/protocols:

Protocol 50 bi-directional
UDP 500 bi-directional
UDP 4500 bi-directional
UDP 1701 bi-directional

Can you tell me if this is correct? Or am I missing something?
Do I also need Protocol 51 bi-directional?

Thanks in advance,
Dennis
 

Sharoon Shetty K [MSFT]

For L2TP VPN the ports which you have mentioned are sufficient, i.e. UDP 500,
UDP 1701 and UDP 4500 for NAT-T. If you are using IPSEC, then protocol
50 (ESP) needs to be open.

What is the error the VPN client gives?
--

Thanks
Sharoon

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Dennis van Vroonhoven

Thanks for the reply,

I'm using L2TP/IPSec with certificates on both machines (just the default
Routing and Remote Access installation on W2K SP4).
Are there some options which can be set on the server for authentication
(requiring fewer ports/protocols)?

The VPN Client gives the following error:

Error 792: The L2TP connection attempt failed because security negotiation
timed out.

Thanks,
Dennis
 

Sharoon Shetty K [MSFT]

Check the following KB articles
http://support.microsoft.com/default.aspx?scid=kb;EN-US;247231

This KB article is valid in case preshared keys are used; however, I assume
that is not the case here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299307

Also a pointer on installation of certificates
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253498

Let me know if it helps.

--

Thanks
Sharoon
 

Dennis van Vroonhoven

It's no port/protocol problem anymore at the firewall. It seems to be the ADSL
router that is blocking something (port/protocol).
The provider claims the ADSL router should be completely transparent. What
they claim is that the MTU size at the VPN server is too high? Could this
be? I've connected through the same ADSL router (other firewall) over PPTP
instead of L2TP and that worked fine, so I have my doubts about this
suggestion (changing the MTU size).
 

Sharoon Shetty K [MSFT]

Is the ADSL router blocking any of the ports/protocols which have been
mentioned as required for L2TP/IPSEC?
--

Thanks
Sharoon
 

Dennis van Vroonhoven

That's what I thought. I called the internet provider and they claim the
router is completely transparent, in other words it should not block
anything. I cannot connect to the router because I do not have the user
credentials and passwords. Is there a way (a tool or something) to test
this?

Thanks,
Dennis
 

Sharoon Shetty K [MSFT]

You can use the "Network Monitor" tool to sniff the packets sent and received by
your interface. This would give you an idea if any packets are being
discarded. This KB article gives more details on installing the tool:
http://support.microsoft.com/?kbid=243270

--

Thanks
Sharoon
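An added example, not part of the thread and not Microsoft's code, that does offline what Sharoon suggests doing with Network Monitor, and checks for the exact flows Dennis listed in his first post (ESP, UDP 500, UDP 4500, UDP 1701, plus AH/protocol 51 since he asked about it). It reads a classic libpcap capture taken on the VPN server's outside interface (Wireshark or tcpdump write this format, and Wireshark can open a Network Monitor capture and save it as one), counts each flow by direction relative to the server, and reports which leg of the exchange never shows up: no inbound IKE means UDP 500 is dropped before the server; inbound IKE with no replies points at the server; IKE in both directions with no ESP or NAT-T afterwards means the negotiation stalled, which is the shape of error 792. It also counts IP fragments, because IKE main-mode messages that carry certificates regularly exceed the path MTU and fragment, and a router that discards fragments produces a negotiation timeout with every port open; that is one way a path-MTU problem, rather than a blocked port, can present as error 792. Plain UDP 1701 is flagged separately since L2TP normally travels inside ESP or UDP 4500 and should not appear in the clear on the outside interface. The server and client addresses, the capture and the packet contents are all constructed for the example; the IKE payloads are zero-filled placeholders, only the headers matter.

```python
import struct
from collections import defaultdict

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101

# Flows from the thread, named for the report. L2TP (UDP 1701) is expected inside
# ESP/NAT-T, so seeing it in the clear on the outside interface is worth a flag.
FLOW_NAMES = {
    "udp/500": "IKE (UDP 500)", "udp/4500": "NAT-T (UDP 4500)",
    "esp": "ESP (IP protocol 50)", "ah": "AH (IP protocol 51)",
    "udp/1701": "L2TP outside IPsec (UDP 1701)",
}

def classify(proto, sport, dport):
    """Map one IPv4 datagram to the VPN flow it belongs to, or 'other'."""
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_AH:
        return "ah"
    if proto == IPPROTO_UDP:
        for port in (500, 4500, 1701):
            if port in (sport, dport):
                return f"udp/{port}"
    return "other"

def iter_frames(pcap):
    """Yield (linktype, frame) from a classic libpcap file (either byte order)."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield linktype, pcap[off:off + incl_len]
        off += incl_len

def analyse(pcap, server_ip):
    """Count the L2TP/IPsec flows by direction and explain what is missing."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    fragments = {"in": 0, "out": 0}
    for linktype, frame in iter_frames(pcap):
        ip = frame[14:] if linktype == LINKTYPE_ETHERNET else frame
        if len(ip) < 20 or ip[0] >> 4 != 4:
            continue
        ihl = (ip[0] & 0x0F) * 4
        flags_frag = struct.unpack("!H", ip[6:8])[0]
        proto = ip[9]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        direction = "in" if dst == server_ip else "out" if src == server_ip else None
        if direction is None:
            continue
        if flags_frag & 0x1FFF:          # later fragment: carries no transport header
            fragments[direction] += 1
            continue
        if flags_frag & 0x2000:          # first fragment (More Fragments set)
            fragments[direction] += 1
        sport = dport = None
        if proto == IPPROTO_UDP and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        counts[classify(proto, sport, dport)][direction] += 1

    ike, natt, esp, l2tp = (counts[k] for k in ("udp/500", "udp/4500", "esp", "udp/1701"))
    findings = []
    if ike["in"] == 0:
        findings.append("no IKE packets reached the server: UDP 500 inbound is dropped upstream")
    elif ike["out"] == 0:
        findings.append("IKE requests arrived but the server never answered: look at the server, not the firewall")
    elif natt["in"] + esp["in"] == 0:
        findings.append("IKE was exchanged but no ESP/NAT-T followed: negotiation stalled, "
                        "so replies or fragments are probably lost on the way back to the client")
    if fragments["in"] + fragments["out"]:
        findings.append(f"{fragments['in'] + fragments['out']} fragmented datagrams seen: "
                        "certificate-carrying IKE messages fragment, and some routers drop fragments")
    if l2tp["in"] + l2tp["out"]:
        findings.append("L2TP seen outside IPsec on the outside interface")
    return {"flows": {FLOW_NAMES.get(k, k): v for k, v in counts.items()},
            "fragments": fragments, "findings": findings}

# --- constructed sample capture (addresses and contents are made up) ---
def datagram(src, dst, proto, payload=b"", mf=False, frag_offset=0):
    """Minimal IPv4 header + payload; checksum left zero since it is only parsed."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag, 64,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def pcap_file(frames, linktype=LINKTYPE_RAW):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
SAMPLE = pcap_file([
    datagram(CLIENT, SERVER, IPPROTO_UDP, udp(500, 500, b"\0" * 200)),   # main mode 1
    datagram(SERVER, CLIENT, IPPROTO_UDP, udp(500, 500, b"\0" * 200)),   # main mode 2
    datagram(CLIENT, SERVER, IPPROTO_UDP, udp(500, 500, b"\0" * 300)),   # main mode 3
    datagram(SERVER, CLIENT, IPPROTO_UDP, udp(500, 500, b"\0" * 300)),   # main mode 4
    # messages 5/6 carry certificates and exceed the path MTU: two fragments each,
    # and nothing (no ESP, no NAT-T) ever follows them
    datagram(CLIENT, SERVER, IPPROTO_UDP, udp(500, 500, b"\0" * 1400), mf=True),
    datagram(CLIENT, SERVER, IPPROTO_UDP, b"\0" * 100, frag_offset=1408),
    datagram(SERVER, CLIENT, IPPROTO_UDP, udp(500, 500, b"\0" * 1400), mf=True),
    datagram(SERVER, CLIENT, IPPROTO_UDP, b"\0" * 100, frag_offset=1408),
])

if __name__ == "__main__":
    for line in analyse(SAMPLE, SERVER)["findings"]:
        print("-", line)
```

Run it against a real capture with `analyse(open("outside.pcap", "rb").read(), "<server public IP>")`; the constructed sample reproduces the stalled-after-certificates pattern, so the report names the missing ESP/NAT-T leg and the four fragments. A "no inbound IKE" result is the only one that implicates the firewall or the ADSL router directly; the other findings point at the server or at the return path.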
 