Re: L2TP port?
From: Jason McClellan (jason_mcc_at_obsfucated.myrealbox.com)
Date: 06/10/04
- Next message: Jason McClellan: "Re: L2TP port?"
- Previous message: precision: "Error 800 on long distance VPN through ISA"
- In reply to: Steve Riley [MSFT]: "Re: L2TP port?"
- Next in thread: Jason McClellan: "Re: L2TP port?"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 9 Jun 2004 21:25:40 -0400
I have pretty much come to the conclusion that I'm screwed as well. Thanks
for your input.

I'm sure it's not arbitrary, they want you to use their VPN client - this is
in fact a 'feature' of this model. I'm just surprised that turning off this
feature doesn't free up the port for pass-through. I will most certainly
complain! The firewall behaves as if its IPsec services receive the
connection attempts, even when its IPsec feature is disabled. The firewall
logs even have entries for the connection attempts being blocked. The
strange thing is, even though they say this is a known issue, the 'virtual
server' setup still has an IPsec option - but it doesn't work!

Thanks
Jason
"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:ORZ31YeTEHA.504@TK2MSFTNGP11.phx.gbl...
> Looks like you might have to change firewalls. :)
>
> Like Stephen Cartwright said in another post, the ports for IKE are
> unchangeable. IKE will always use 500/udp (per IETF specifications). There
> is no workaround to change that.
>
> And even if you did try to get NAT-T to work, it won't help you here. Sure,
> NAT-T encapsulates IPsec traffic inside UDP (port 4500/udp; again not
> alterable), it doesn't encapsulate IKE. IKE even with NAT-T will still use
> 500/udp.
>
> I suggest complaining loudly to Symantec. They are, in effect, making an
> arbitrary decision to block the port even if you've shut off their IPsec and
> created a hole for 500/udp.
>
> --
> Steve
> steriley@microsoft.com
>
> "Jason McClellan" <jason_mcc@obsfucated.myrealbox.com> wrote in message
> news:Ob2GklQSEHA.2332@TK2MSFTNGP10.phx.gbl...
> >
> > I'm not sure what you intended this information to mean.
> >
> > The problem I have is that I cannot redirect port 500 through my firewall.
> >
> > My setup is simple, there is no ISA server in the way, just
> > W2K3 RRAS box -> Symantec 200r Firewall appliance -> Internet -> W2K DUN
> > Client
> >
> > I know certificates et al are all good, because:
> > 1- L2TP clients on the LAN connect fine.
> > 2- my home client will connect L2TP fine, IF I connect a PPTP tunnel first.
> > This tells me I have a firewall issue, especially since my firewall logs
> > complain about port 500 scans, even if I map port 500 through to the RRAS
> > server. Symantec's knowledge base addresses this problem, and says 'tough
> > ***'.
> >
> > "blue_1994" <blue_1994@sina.com.discuss> wrote in message
> > news:eCX6EDQSEHA.3716@TK2MSFTNGP09.phx.gbl...
> >>
> >> - Destination IP address of the VPN server's Internet interface,
> >> subnet mask of 255.255.255.255, and UDP destination port of 500.
> >>
> >> This filter allows Internet Key Exchange (IKE) traffic to the VPN server.
> >>
> >> - Destination IP address of the VPN server's Internet interface,
> >> subnet mask of 255.255.255.255, and UDP destination port of 1701.
> >>
> >> This filter allows L2TP traffic to the VPN server.
> >> "Pat (MSFT)" <pfetty@online.microsoft.com> wrote in message
> >> news:40be5d86$1@news.microsoft.com...
> >> > Port 500 is used for IKE (Internet Key Exchange) and not necessarily for
> >> > L2TP (I believe 1729 is the port required for L2TP, but don't quote me).
> >> >
> >> > What VPN client are you using?
> >> >
> >> > --
> >> > Pat Fetty
> >> > Microsoft Windows Networking Division
> >> >
> >> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >> > "Jason McClellan" <jason_mcc@obsfucated.myrealbox.com> wrote in message
> >> > news:%236MRrlFSEHA.1396@TK2MSFTNGP12.phx.gbl...
> >> > >
> >> > > Does anyone know if it is possible to change the port number that
> >> > > IPSEC/L2TP works over?
> >> > >
> >> > > I believe the default is 500.
> >> > >
> >> > > The geniuses at Symantec decided that since their firewall/vpn appliance
> >> > > supports ipsec itself, they shouldn't allow you to pass it through, even
> >> > > if their feature is disabled! So, anything coming in on port 500 dies at
> >> > > the firewall, regardless of any port forwarding settings or even DMZ. So
> >> > > I would like to try to work around this by using another port. Of
> >> > > course, Symantec's support site basically just says 'you can't do it',
> >> > > which is just stupid.
> >> > >
> >> > > Any ideas are appreciated!
> >> > >
> >> >
> >>
> >
>
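The thread boils down to two things a defender can check mechanically: whether the inbound rule set on the NAT firewall covers the filters an L2TP/IPsec server needs (UDP 500 for IKE and UDP 1701 for L2TP from the quoted Microsoft filter list, plus UDP 4500 for NAT-T as Steve notes), and whether the firewall log shows that traffic still being dropped even though a forwarding rule exists, which is exactly the symptom Jason describes. The following is an added example written for this page; it is not code from the thread, from Symantec or from Microsoft. It goes slightly beyond the thread by also listing ESP (IP protocol 50), which carries the L2TP payload when NAT-T is not in use. The log line format, the `Rule` type, the `diagnose` function and all addresses (RFC 5737 documentation ranges) are constructed assumptions, not the Symantec appliance's real log format.

```python
"""
Added example (not from the thread): check an inbound rule set against the
filters an L2TP/IPsec server needs, and triage constructed firewall log lines
for the symptom reported in the thread: IKE (UDP 500) still blocked at the
firewall even though a forwarding rule for it exists.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
import re


@dataclass(frozen=True)
class Rule:
    proto: str               # "udp", "tcp" or "esp" (ESP has no port)
    dst_port: Optional[int]  # None for protocols without ports
    dst_ip: str              # the VPN server's Internet address (a /32 host filter)


def required_rules(server_ip: str) -> List[Rule]:
    """Inbound filters an L2TP/IPsec server behind the firewall needs."""
    return [
        Rule("udp", 500, server_ip),   # IKE: fixed at 500/udp, cannot be re-mapped
        Rule("udp", 4500, server_ip),  # NAT-T: ESP carried in UDP; IKE stays on 500
        Rule("udp", 1701, server_ip),  # L2TP, from the filter list quoted in the thread
        Rule("esp", None, server_ip),  # ESP (IP protocol 50) without NAT-T; added fact,
                                       # not spelled out in the thread
    ]


# Constructed log format (an assumption, not the Symantec appliance's real format):
#   <date> <time> <BLOCK|ALLOW> <PROTO> <src_ip>[:<port>] -> <dst_ip>[:<port>]
_LOG_RE = re.compile(
    r"^\S+ \S+ (?P<action>BLOCK|ALLOW) (?P<proto>[A-Z]+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


def blocked_vpn_traffic(lines: Iterable[str], server_ip: str) -> Counter:
    """Count BLOCK entries whose destination matches one of the required rules."""
    wanted = set(required_rules(server_ip))
    hits: Counter = Counter()
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m or m["action"] != "BLOCK":
            continue
        port = int(m["dport"]) if m["dport"] else None
        rule = Rule(m["proto"].lower(), port, m["dst"])
        if rule in wanted:
            hits[rule] += 1
    return hits


def diagnose(configured: Iterable[Rule], lines: Iterable[str],
             server_ip: str) -> Dict[Rule, str]:
    """
    Per required rule: "ok", "missing" (no inbound rule at all), or
    "forwarded-but-blocked" (a rule exists, yet the log shows the firewall
    dropping that traffic anyway, which is the behaviour reported in the thread).
    """
    have = set(configured)
    blocked = blocked_vpn_traffic(lines, server_ip)
    status: Dict[Rule, str] = {}
    for rule in required_rules(server_ip):
        if rule not in have:
            status[rule] = "missing"
        elif blocked[rule]:
            status[rule] = "forwarded-but-blocked"
        else:
            status[rule] = "ok"
    return status


# Constructed sample data: RFC 5737 documentation addresses, no real hosts.
SERVER_IP = "192.0.2.10"
CONFIGURED = [Rule("udp", 500, SERVER_IP), Rule("udp", 1701, SERVER_IP)]
SAMPLE_LOG = [
    "2004-06-09 21:25:40 BLOCK UDP 198.51.100.23:500 -> 192.0.2.10:500",
    "2004-06-09 21:25:41 BLOCK UDP 198.51.100.23:500 -> 192.0.2.10:500",
    "2004-06-09 21:25:43 BLOCK ESP 198.51.100.23 -> 192.0.2.10",
    "2004-06-09 21:25:44 BLOCK UDP 198.51.100.23:500 -> 192.0.2.10:500",
    "2004-06-09 21:25:45 ALLOW TCP 198.51.100.23:40011 -> 192.0.2.10:1723",  # PPTP works
    "2004-06-09 21:25:50 BLOCK UDP 203.0.113.5:500 -> 192.0.2.99:500",       # other host
]

if __name__ == "__main__":
    for rule, verdict in diagnose(CONFIGURED, SAMPLE_LOG, SERVER_IP).items():
        port = rule.dst_port if rule.dst_port is not None else "-"
        print(f"{rule.proto}/{port} -> {rule.dst_ip}: {verdict}")
```

With the sample data, UDP 500 comes back as "forwarded-but-blocked" (a rule is configured, yet three IKE attempts to the server address are logged as dropped), UDP 1701 is "ok", and UDP 4500 and ESP are "missing". The "forwarded-but-blocked" verdict is the one worth alerting on: it separates a plain configuration gap from an appliance that drops IKE regardless of its forwarding table, which is the condition the thread's participants conclude can only be resolved at the vendor or by changing firewalls.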