IPSec VPN Ports/Protocol

Answered Question
Nov 27th, 2008

I want to fine-tune our firewall, and for that I need to allow IPSec VPN traffic through the firewall. Can anyone tell me the exact IPSec ports and protocols? Our VPN device resides behind the firewall and uses IPSec over UDP.


We are using Cisco ASA 5500 series as a VPN server.

Fernando_Meza Thu, 11/27/2008 - 19:12

Hi,


For that you might need to allow UDP 500, and you might also need to allow ESP (protocol 50).


Assuming your VPN head end device uses a routable (public) IP address then you only need to allow the above ports, otherwise you will have to use static NAT.


What is your scenario?



Correct Answer
ajagadee (Cisco Employee) Thu, 11/27/2008 - 21:07

Hi,


ISAKMP - UDP 500

ESP - Protocol 50

ISAKMP NAT-Traversal - UDP 4500 (NAT-T)

IPSEC Over UDP - UDP 10000 (Default)

IPSEC Over TCP - TCP 10000 (Default)


Regards,

Arul


*Pls rate if it helps*
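The list above is the whole allow-list a firewall in front of the head end needs for these modes. As an added example that is not part of the original thread or any Cisco code, the script below encodes those five entries as allow rules toward the VPN head end and evaluates constructed packet records against them, so you can see which packets a firewall tightened to exactly these rules would still pass and which it would drop. The head-end address 203.0.113.10, the client addresses and every packet record are assumptions made up for the example.

```python
"""Check a minimal IPsec pass-through policy against constructed traffic.

Added example, not part of the original thread or any Cisco code. It encodes
the rule set from the accepted answer (ISAKMP UDP/500, NAT-T UDP/4500, ESP
IP protocol 50, IPsec over UDP 10000, IPsec over TCP 10000) as allow rules
toward the VPN head end and evaluates sample packets against it. The head-end
address, client addresses and packet records below are all constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPN_HEADEND = "203.0.113.10"  # assumed public address of the ASA (or its static NAT)

# IP protocol numbers (IANA)
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51


@dataclass(frozen=True)
class Rule:
    name: str
    proto: int
    dst_port: Optional[int]  # None for protocols that carry no ports (ESP)


# Rules match on destination port only. The peer's source port is normally
# 500/4500 for ISAKMP, but it is ephemeral for the UDP/TCP encapsulation
# modes, so pinning the source port would drop legitimate tunnels.
IPSEC_RULES: List[Rule] = [
    Rule("ISAKMP", PROTO_UDP, 500),
    Rule("ISAKMP NAT-T", PROTO_UDP, 4500),
    Rule("ESP", PROTO_ESP, None),
    Rule("IPsec over UDP (ASA default port)", PROTO_UDP, 10000),
    Rule("IPsec over TCP (ASA default port)", PROTO_TCP, 10000),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def match_rule(pkt: Packet, rules: List[Rule] = IPSEC_RULES) -> Optional[str]:
    """Return the name of the first rule permitting pkt toward the head end, else None."""
    if pkt.dst != VPN_HEADEND:
        return None
    for rule in rules:
        if rule.proto != pkt.proto:
            continue
        if rule.dst_port is None or rule.dst_port == pkt.dst_port:
            return rule.name
    return None


def evaluate(packets: List[Packet], rules: List[Rule] = IPSEC_RULES) -> List[Tuple[Packet, Optional[str]]]:
    """Pair each packet with the rule that allows it (None means the firewall drops it)."""
    return [(pkt, match_rule(pkt, rules)) for pkt in packets]


def dropped(packets: List[Packet], rules: List[Rule] = IPSEC_RULES) -> List[Packet]:
    """Packets no rule permits: either a missing rule or traffic you want blocked."""
    return [pkt for pkt, name in evaluate(packets, rules) if name is None]


# Constructed sample traffic, inbound from the Internet toward the head end.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", VPN_HEADEND, PROTO_UDP, 500, 500),      # ISAKMP from a peer with a public address
    Packet("198.51.100.7", VPN_HEADEND, PROTO_UDP, 61234, 4500),   # NAT-T from behind a NAT, ephemeral source port
    Packet("198.51.100.7", VPN_HEADEND, PROTO_ESP),                # ESP, no ports
    Packet("198.51.100.9", VPN_HEADEND, PROTO_UDP, 61235, 10000),  # Cisco IPsec over UDP
    Packet("198.51.100.9", VPN_HEADEND, PROTO_TCP, 61236, 10000),  # Cisco IPsec over TCP
    Packet("198.51.100.9", VPN_HEADEND, PROTO_AH),                 # AH is not in the list: dropped
    Packet("198.51.100.9", VPN_HEADEND, PROTO_TCP, 61237, 22),     # SSH to the head end: dropped
    Packet("198.51.100.9", "203.0.113.20", PROTO_UDP, 500, 500),   # ISAKMP to some other host: dropped
]

if __name__ == "__main__":
    for pkt, name in evaluate(SAMPLE_PACKETS):
        verdict = f"allow ({name})" if name else "drop"
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dst_port} proto {pkt.proto:<3} {verdict}")
```

Two caveats when turning this into real firewall rules. A stateful firewall opens the return path for the UDP and TCP entries itself, but ESP carries no ports, so a stateless ACL needs an explicit rule for ESP in the other direction as well. And if the ASA sits on a private address behind the firewall, as Fernando notes above, it needs a static one-to-one NAT; ESP cannot be port-translated, so remote peers behind NAT will fall back to NAT-T, which is why UDP 4500 belongs in the list even when you expect plain ESP. The 10000 values are the ASA defaults (group-policy `ipsec-udp-port` and the global `crypto isakmp ipsec-over-tcp port` setting); if yours were changed, update the rule list to match.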

Hi,

I have been searching for this for quite a long time, but never got a firm answer.


The Cisco VPN client on-line help says: IPSec over UDP - this port is negotiated and cannot be changed - but I have never been able to find any mention of how it is negotiated.


Looking at sniffer packets: besides UDP 500, sometimes UDP 62515 and at other times UDP 62514 was used. UDP 10000 was never used.

Thanks