Wireshark mailing list archives

Re: L2TP-over-IPsec (may be off topic)


From: Kok-Yong Tan <ktan () realityartisans com>
Date: Tue, 14 Sep 2010 14:06:31 -0400

Let me clarify one point:

When I said "UDP port 1701 is open on the firewall," what I meant is  
that a firewall rule allowing UDP traffic from the WAN zone to LAN  
zone (no specific device IPs are listed, just a zone-to-zone rule) at  
port 1701 must be created.  Interestingly, there is *NO*  
corresponding NAT rule that port forwards from port 1701 at the  
firewall to the L2TP-over-IPsec server on the back end!!!

I've spoken to the manufacturers of the firewall and their Level 1  
techs are even more confused than I am.  They claim that the reason  
for it working is that "L2TP packets are also flowing" but that's  
impossible because without a corresponding NAT port forwarding rule,  
any packets arriving at port 1701 are just going to be discarded by  
the firewall.  Yet it works!

The only thing I can think of is that without the abovementioned WAN  
to LAN rule, the firewall is somehow squelching L2TP packets once  
they unfurl from within the encrypted IPsec packets as it is also the  
router for the LAN subnet.  Although why an L2TP packet would need to  
leave the NIC when it should be handled by the networking stack  
within the L2TP-over-IPsec server puzzles me...  And even though I've  
set the logs on the firewall to "debug" level, no blocking of packets  
to port 1701 when the firewall rule isn't activated shows up in the  
logs--the VPN just doesn't complete and the client complains that the  
"L2TP server is not responding."

Comments?

On Sep 14, 2010, at 13:01, Kok-Yong Tan wrote:

From what I've read here (especially figures 54 and 55):

<http://www.juniper.net/techpubs/software/erx/junose53/swconfig-routing-vol1/html/l2tp-over-ipsec-config4.html#1028288>

it appears that the L2TP payload is encapsulated within the IPsec
structure.  As such, UDP port 1701 shouldn't need to be opened on any
device in between the end points of an L2TP-over-IPsec VPN tunnel,
only UDP ports 500 for IKE and 4500 for NAT-T. Also, Wireshark should
only see IPsec packets if located anywhere except at the endpoints
regardless of whether pure IPsec or L2TP-over-IPsec VPNs are  
operating.

However, I have a physically separate hardware firewall in between
the endpoints (a L2TP-over-IPsec client and a L2TP-over-IPsec server)
and I've discovered that the L2TP-over-IPsec VPN will only
successfully connect if UDP port 1701 is open on the firewall.

Can anyone explain why UDP port 1701 needs to be opened on the
hardware firewall if the L2TP payload is encapsulated within the
IPsec packet and thus hidden?

--
Reality Artisans, Inc.             #   Network Wrangling and Delousing
P.O. Box 565, Gracie Station       #   Apple Certified Consultant
New York, NY 10028-0019            #   Apple Consultants Network member
<http://www.realityartisans.com>   #   Apple Developer Connection member
(212) 369-4876 (Voice)             #   My PGP public key can be found  
at <https://keyserver.pgp.com>
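The thread turns on what a device between the two tunnel endpoints can actually see: IKE on UDP/500, NAT-T on UDP/4500 (which carries either IKE behind a four-byte non-ESP marker or UDP-encapsulated ESP, per RFC 3948), raw ESP (IP protocol 50), and, only where IPsec is not protecting it, L2TP itself on UDP/1701. The following is an added example, not code from this thread or from Wireshark; it builds a few constructed IPv4 datagrams (addresses from the documentation ranges, SPIs and payload bytes made up) and labels each one the way a transit firewall or capture point without the SA keys would have to, so that the inner L2TP payload of an ESP packet is reported as opaque rather than guessed at.

```python
"""Classify IPv4 packets the way a transit firewall or capture point sees them.

Added example, not part of the mailing-list thread. The packets below are
constructed inline; nothing here decrypts ESP, which is the point: without
the SA keys, UDP/1701 inside ESP is invisible to a device in the path.
"""
import struct

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
PORT_IKE = 500
PORT_NAT_T = 4500
PORT_L2TP = 1701
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: IKE carried on UDP/4500


def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header (checksum left zero) in front of data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt):
    """Return a label describing what a mid-path observer can tell about pkt."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IP_PROTO_ESP:
        spi, _seq = struct.unpack("!II", body[:8])
        return f"esp spi=0x{spi:08x} (inner payload encrypted)"
    if proto != IP_PROTO_UDP:
        return f"other ip-proto={proto}"
    sport, dport, ulen, _csum = struct.unpack("!HHHH", body[:8])
    data = body[8:ulen]
    ports = {sport, dport}
    if PORT_IKE in ports:
        return "ike (udp/500, headers in clear)"
    if PORT_NAT_T in ports:
        if data == b"\xff":
            return "nat-t keepalive (udp/4500)"            # RFC 3948 s.2.3
        if data[:4] == NON_ESP_MARKER:
            return "ike over nat-t (udp/4500, non-ESP marker)"
        spi = struct.unpack("!I", data[:4])[0]             # SPI is never 0
        return f"esp-in-udp spi=0x{spi:08x} (udp/4500, inner payload encrypted)"
    if PORT_L2TP in ports:
        return "l2tp in clear (udp/1701, not protected by IPsec)"
    return f"udp {sport}->{dport}"


# Constructed sample traffic (payload bytes are placeholders, not real messages).
SAMPLES = {
    "ike":        build_ipv4(IP_PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    "natt_ike":   build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500,
                             NON_ESP_MARKER + b"\x00" * 28)),
    "natt_esp":   build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500,
                             struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16)),
    "keepalive":  build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500, b"\xff")),
    "raw_esp":    build_ipv4(IP_PROTO_ESP,
                             struct.pack("!II", 0x11223344, 5) + b"\x00" * 16),
    "l2tp_clear": build_ipv4(IP_PROTO_UDP, build_udp(1701, 1701,
                             b"\xc8\x02\x00\x0c" + b"\x00" * 8)),
}


def classify_samples():
    """Label every constructed sample; handy for a quick manual run."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:11s} {label}")
```

Run as a script it prints one line per sample. The useful observation for the question in the thread is the last two labels: raw ESP and ESP-in-UDP are reported only by SPI, so any UDP/1701 traffic a mid-path device can match on by port must be travelling outside the IPsec protection. Capturing on the firewall's WAN and LAN sides and applying the same split is how one would confirm whether any clear-text UDP/1701 is present at all.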




___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

