ipsec over tcp - required ports

Unanswered Question
Jun 18th, 2009


If I want to use ipsec over tcp do I need to open any ports on my firewall other than the tcp port, for instance 10000?

What I am trying to find out is if I also need ISAKMP, ESP etc.


chaitu_kranthi Thu, 06/18/2009 - 06:50


I think you have to allow ISAKMP & ESP

permit udp X.X.X.0 0.0.0.X any eq isakmp

permit esp X.X.X.0 0.0.0.X any

srue Thu, 06/18/2009 - 10:48

you still need udp/500...

the whole point of using tcp/10000 is that you can't use esp in this situation.

"IPsec over TCP enables a Cisco VPN client to operate in an environment in which standard ESP or ISAKMP cannot function, or can function only with modification to existing firewall rules. IPsec over TCP encapsulates both the ISAKMP and IPsec protocols within a TCP-like packet, and enables secure tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default."
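Added here as an illustration of the two answers above, not code from the thread or from Cisco: a small Python audit that reads Cisco-style `permit` lines and reports which flows a given IPsec transport still lacks. It encodes native IPsec as udp/500 plus ESP (the first reply's rules) and IPsec over TCP as a single TCP port, 10000 in this thread, carrying both ISAKMP and ESP (the quoted Cisco text). NAT-T on udp/4500 is included as a third, standard transport that the thread does not mention. The 192.0.2.0/24 addresses and all function names are constructed for the example.

```python
"""Audit firewall ACL permit lines against the flows each IPsec transport needs.

Encoded requirements (from the thread plus standard assignments):
  native IPsec    -> ISAKMP udp/500 and ESP (IP protocol 50)
  NAT-T           -> ISAKMP udp/500 and udp/4500 (not discussed in the thread)
  IPsec over TCP  -> one TCP port carrying both ISAKMP and ESP (10000 here)
ACL lines are Cisco-style: 'permit <proto> <src> [<mask>] <dst> [<mask>] [eq <port>]'.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Cisco IOS accepts service names instead of numbers in 'eq' clauses.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Flow:
    proto: str            # 'udp', 'tcp', 'esp' or 'ip' (any protocol)
    port: Optional[int]   # destination port; None means any port / not applicable


# Constructed example: the thread's TCP port, assumed to be the default 10000.
IPSEC_OVER_TCP_PORT = 10000

REQUIRED = {
    "native": [Flow("udp", 500), Flow("esp", None)],
    "nat-t": [Flow("udp", 500), Flow("udp", 4500)],
    "ipsec-over-tcp": [Flow("tcp", IPSEC_OVER_TCP_PORT)],
}


def parse_permits(acl_lines: List[str]) -> Set[Flow]:
    """Turn permit lines into Flow objects; deny lines and remarks are ignored."""
    flows = set()
    for line in acl_lines:
        tokens = line.split()
        if len(tokens) < 2 or tokens[0].lower() != "permit":
            continue
        proto = tokens[1].lower()
        if proto == "50":          # ESP may be written by protocol number
            proto = "esp"
        port = None
        if "eq" in tokens:
            raw = tokens[tokens.index("eq") + 1]
            if raw.isdigit():
                port = int(raw)
            elif raw.lower() in PORT_NAMES:
                port = PORT_NAMES[raw.lower()]
            else:
                raise ValueError(f"unknown service name in ACL line: {raw}")
        flows.add(Flow(proto, port))
    return flows


def covers(permitted: Set[Flow], needed: Flow) -> bool:
    """A needed flow is covered by an exact match, a port-less permit for its
    protocol, or a blanket 'permit ip' entry."""
    return (
        needed in permitted
        or Flow(needed.proto, None) in permitted
        or Flow("ip", None) in permitted
    )


def missing_flows(transport: str, acl_lines: List[str]) -> List[Flow]:
    """Return the flows the given transport needs that the ACL does not permit."""
    permitted = parse_permits(acl_lines)
    return [f for f in REQUIRED[transport] if not covers(permitted, f)]


# Constructed sample rule sets (192.0.2.0/24 is documentation address space).
THREAD_ACL = [   # the first reply's two lines, with X.X.X.0 filled in
    "permit udp 192.0.2.0 0.0.0.255 any eq isakmp",
    "permit esp 192.0.2.0 0.0.0.255 any",
]
TCP_ONLY_ACL = ["permit tcp 192.0.2.0 0.0.0.255 any eq 10000"]

if __name__ == "__main__":
    for name, acl in (("thread ACL", THREAD_ACL), ("tcp-only ACL", TCP_ONLY_ACL)):
        for transport in REQUIRED:
            gaps = missing_flows(transport, acl)
            status = "ok" if not gaps else "missing " + ", ".join(
                f"{g.proto}/{g.port}" if g.port else g.proto for g in gaps)
            print(f"{name:13} {transport:15} {status}")
```

Run as a script it shows the thread's disagreement directly: the first reply's two lines satisfy native IPsec but leave tcp/10000 closed, while a single tcp/10000 permit satisfies IPsec over TCP and nothing else. Swap in your own ACL export to see which transports it actually admits.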