michael.leblanc Tue, 06/17/2008 - 16:12
User Badges:
  • Silver, 250 points or more

The general idea is to provision your interface ACLs to accommodate the VPN Client-to-VPN Server tunnel negotiation, and the resulting tunnel traffic.

If your VPN Client resides behind a NAT firewall, you will configure your VPN Client software to do NAT discovery, and ultimately encapsulate the IPSec tunnel within UDP or TCP (depending on server capabilities, and your personal preferences) to overcome the presence of NAT.

Your client-side router interface will need to accommodate outbound ISAKMP (UDP port 500) to do the discovery, and UDP port 4500 (keyword: non500-isakmp) if you elect to go with UDP encapsulation of IPSec. Likewise, the appropriate TCP port if you go with a TCP encapsulation of IPSec.

Your external router interface should accommodate these same protocols inbound (return traffic).


This Discussion