Wednesday, November 25, 2015

Packet filters for L2TP/IPSec

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface.

Filters on the Internet interface

Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:
  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 500 (0x1F4).

    This filter allows IKE traffic to the VPN server.
  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 4500 (0x1194).

    This filter allows IPSec NAT-T traffic to the VPN server.
  • Destination IP address of the VPN server's perimeter network interface and IP Protocol ID of 50 (0x32).

    This filter allows IPSec ESP traffic from the VPN client to the VPN server.
Configure the following output packet filters on the Internet interface of the firewall to allow the following types of traffic:
  • Source IP address of the VPN server's perimeter network interface and UDP source port of 500 (0x1F4).

    This filter allows IKE traffic from the VPN server.
  • Source IP address of the VPN server's perimeter network interface and UDP source port of 4500.

    This filter allows IPSec NAT-T traffic from the VPN server.
  • Source IP address of the VPN server's perimeter network interface and IP Protocol ID of 50 (0x32).

    This filter allows IPSec ESP traffic from the VPN server to the VPN client.
There are no filters required for L2TP traffic at the UDP port of 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload.
Important
  • An IPSec NAT-T deployment for Windows that includes VPN servers that are located behind network address translators is not recommended. When a server is behind a network address translator, and the server uses IPSec NAT-T, unintended behavior might occur because of the way network address translators translate network traffic.

Filters on the perimeter network interface

Configure the following input packet filters on the perimeter network interface of the firewall to allow the following types of traffic:
  • Source IP address of the VPN server's perimeter network interface and UDP source port of 500 (0x1F4).

    This filter allows IKE traffic from the VPN server.
  • Source IP address of the VPN server's perimeter network interface and UDP source port of 4500.

    This filter allows IPSec NAT-T traffic from the VPN server.
  • Source IP address of the VPN server's perimeter network interface and IP Protocol ID of 50 (0x32).

    This filter allows IPSec ESP traffic from the VPN server to the VPN client.
Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:
  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 500 (0x1F4).

    This filter allows IKE traffic to the VPN server.
  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 4500 (0x1194).

    This filter allows IPSec NAT-T traffic to the VPN server.
  • Destination IP address of the VPN server's perimeter network interface and IP Protocol ID of 50 (0x32).

    This filter allows IPSec ESP traffic from the VPN client to the VPN server.
There are no filters required for L2TP traffic at the UDP port of 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload.
Important
  • An IPSec NAT-T deployment for Windows that includes VPN servers that are located behind network address translators is not recommended. When a server is behind a network address translator, and the server uses IPSec NAT-T, unintended behavior might occur because of the way network address translators translate network traffic.
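The filter lists above, on both the Internet and the perimeter network interface, as an added example that is not part of the original post: a small Python model of the three filters, evaluated against constructed packets. The addresses, the client, and the `demo()` helper are assumptions. It shows that one set of three filters serves all four lists (matched on destination address and port toward the VPN server, on source address and port away from it) and that bare UDP 1701 is denied on the firewall, consistent with L2TP riding inside ESP.

```python
from dataclasses import dataclass
from typing import Optional

VPN_SERVER = "203.0.113.10"          # constructed: the server's perimeter network interface
CLIENT = "198.51.100.7"              # constructed: a VPN client on the Internet
UDP, ESP = 17, 50                    # IP protocol IDs
IKE, NAT_T, L2TP = 500, 4500, 1701   # UDP ports

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for protocols without ports (ESP)
    dport: Optional[int] = None

@dataclass(frozen=True)
class Filter:
    proto: int                   # IP protocol ID
    port: Optional[int] = None   # UDP port, or None for a port-less protocol

# The three filters from the text. One set serves all four lists: matched on destination
# address/port for traffic toward the VPN server, on source for traffic from it.
L2TP_IPSEC_FILTERS = (
    Filter(UDP, IKE),    # IKE
    Filter(UDP, NAT_T),  # IPSec NAT-T
    Filter(ESP),         # ESP; all L2TP traffic rides inside it, so UDP 1701 needs no filter
)

def _matches(f: Filter, pkt: Packet, to_server: bool) -> bool:
    addr, port = (pkt.dst, pkt.dport) if to_server else (pkt.src, pkt.sport)
    return addr == VPN_SERVER and pkt.proto == f.proto and (f.port is None or port == f.port)

def allowed(pkt: Packet, to_server: bool) -> bool:
    """Default deny: a packet passes only if one of the filters matches it."""
    return any(_matches(f, pkt, to_server) for f in L2TP_IPSEC_FILTERS)

def demo() -> dict:
    """Decision per constructed sample packet; True means the filter set allows it."""
    return {
        "ike_in": allowed(Packet(CLIENT, VPN_SERVER, UDP, 500, IKE), True),
        "natt_in": allowed(Packet(CLIENT, VPN_SERVER, UDP, 4500, NAT_T), True),
        "esp_in": allowed(Packet(CLIENT, VPN_SERVER, ESP), True),
        "bare_l2tp_in": allowed(Packet(CLIENT, VPN_SERVER, UDP, 1701, L2TP), True),
        "ike_other_host": allowed(Packet(CLIENT, "203.0.113.11", UDP, 500, IKE), True),
        "ike_out": allowed(Packet(VPN_SERVER, CLIENT, UDP, IKE, 500), False),
        "esp_out": allowed(Packet(VPN_SERVER, CLIENT, ESP), False),
        "bare_l2tp_out": allowed(Packet(VPN_SERVER, CLIENT, UDP, L2TP, 1701), False),
    }
```

`to_server=True` corresponds to the Internet-interface input list and the perimeter-interface output list; `to_server=False` to the other two.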
