VPN and ISP

bigrut
Level 1

I am trying to connect to a VPN 3000 concentrator through my ISP. I want to use the Cisco client and IPSEC. The ISP router is doing address translation. The ISP tells me that they have opened the ports on the router to allow the VPN connection. When I try to connect I get a message that says the VPN protocol is not supported by the remote host, which I assume to be the ISP router. What protocols and/or ports need to be open for this to work? Ultimately I want to establish a LAN-to-LAN connection, so are there any other protocols/ports that would need to be open for that?


paqiu
Level 1

Standard IPSEC needs UDP port 500 (ISAKMP), protocol 50 (ESP), and protocol AH (51) for a LAN-to-LAN IPSEC tunnel and a normal VPN client connection.

If you are using the Cisco Unity VPN client, it supports the "IPSEC over UDP" and "IPSEC over TCP" features as well.

For IPSEC over UDP, it needs UDP 500 and UDP 10000 (default).

For IPSEC over TCP, it needs TCP 10000 (default, can be changed to anything).

If you are doing client and LAN-to-LAN IPSEC tunnels, please ask them to open all the above ports and protocols, depending on which IPSEC policy you are using.

Best Regards,

thanks

s5umdj
Level 1

I have Comcast cable customers that are unable to establish their tunnels. I suspect this is because Comcast is blocking UDP 10000. I tried using TCP 1450 and set it on both the client and the concentrator. But I am not sure if I set it right. How do I tell?

The key point is whether the concentrator end is working fine or not.

If you have enabled TCP 1450, you should be able to telnet to that port from the internet. Although you will be allowed to type in any command, at least you can verify that port 1450 is open at the concentrator end.

At the client end, normally it should allow all TCP traffic to go out.

When you try the VPN out, start your sniffer trace; you might see all the details of the source and destination TCP ports (not the encrypted traffic, of course).

Best Regards,
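
The telnet check suggested in the reply above can be scripted so that it also tells a closed port apart from a filtered one; this is an added example, not part of the original thread. The function name `probe_tcp` and the command-line usage are assumptions, and the default port 1450 is the one mentioned in the post.

```python
import errno
import socket
import sys


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP handshake to host:port and classify the outcome.

    "open"        - handshake completed: something is listening and the
                    path (ISP, NAT router, firewall) lets the port through.
    "refused"     - an RST came back: the host was reached, but nothing is
                    listening there (e.g. IPsec over TCP not enabled on
                    that port).
    "filtered"    - no answer within the timeout: the SYN or its reply is
                    being dropped somewhere on the path.
    "unreachable" - the network reported that there is no route to the host.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise  # DNS failures and other errors are not a port verdict


if __name__ == "__main__":
    # Usage: python probe_tcp.py <concentrator-public-address> [port]
    if len(sys.argv) < 2:
        sys.exit("usage: probe_tcp.py <host> [port]")
    target = sys.argv[1]
    tcp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1450
    print(f"{target}:{tcp_port} -> {probe_tcp(target, tcp_port)}")
```

Run it from a network outside your own, such as an affected customer's connection. It only exercises the TCP port; UDP 500, UDP 10000 and ESP have no handshake to test this way and are better confirmed with the sniffer trace.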
