VPN and ISP

Jul 18th, 2002

I am trying to connect to a VPN 3000 concentrator through my ISP. I want to use the Cisco client and IPSEC. The ISP router is doing address translation. The ISP tells me that they have opened the ports on the router to allow the VPN connection. When I try to connect I get a message that says the VPN protocol is not supported by the remote host, which I assume to be the ISP router. What protocols and/or ports need to be open for this to work? Ultimately I want to establish a LAN-to-LAN connection, so are there any other protocols/ports that would need to be open for that?

paqiu Thu, 07/18/2002 - 16:01

Standard IPSEC needs UDP port 500 (ISAKMP), protocol 50 (ESP), and protocol 51 (AH) for a LAN-to-LAN IPSEC tunnel and a normal VPN client connection.

If you are using the Cisco Unity VPN client, it supports the "IPSEC over UDP" and "IPSEC over TCP" features as well.

For IPSEC over UDP, it needs UDP 500 and UDP 10000 (default).

For IPSEC over TCP, it needs TCP 10000 (default, can be changed to anything).

If you are doing both client and LAN-to-LAN IPSEC tunnels, please ask them to open all of the above ports and protocols, depending on which IPSEC policy you are using.


Best Regards,




s5umdj Mon, 08/12/2002 - 07:35

I have Comcast cable customers that are unable to establish their tunnels. I suspect this is because Comcast is blocking UDP 10000. I tried using TCP 1450 and set it on both the client and the concentrator. But I am not sure if I set it right. How do I tell?

paqiu Mon, 08/12/2002 - 21:21

The key point is whether the concentrator end is working fine or not.

If you have enabled TCP 1450, you should be able to telnet to that port from the Internet; although you will be allowed to type in any command, at least you can verify that port 1450 is open on the concentrator end.

As for the client end, normally it should allow all TCP traffic to go out.

When you are trying the VPN out, start your sniffer trace; you might see all the details of the source and destination TCP ports (not the encrypted traffic, of course).


Best Regards,
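
A scripted form of the telnet check described in the reply above, added here as an example and not part of the original thread: it separates a port that answers, one that refuses, and one that gets no reply at all. The function names `probe_tcp` and `demo_local`, the 3-second timeout, and the local listener standing in for the concentrator are assumptions made for this example.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt (the same test as `telnet host port`).

    "open"     - handshake completed, something is listening on the port
    "closed"   - connection refused (RST): the path works, nothing listens
    "filtered" - no answer before the timeout, or an unreachable error:
                 a device on the path is probably dropping the packets
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def demo_local():
    """Run the probe against a constructed local listener, then after it is gone."""
    # Constructed stand-in for the concentrator's IPSEC-over-TCP port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    # For the real check, call probe_tcp(<concentrator address>, 1450)
    # from a host outside the network, as the reply suggests.
    print(demo_local())
```

This only covers the IPSEC over TCP port; UDP 500, UDP 10000 and protocols 50 and 51 have no handshake to complete, so a connect test cannot confirm them.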

