The answer is: it depends upon how your VPN Client is configured.
(1) You will need to allow Internet Key Exchange (IKE) to occur, which uses UDP port 500. You will also see the term ISAKMP (Internet Security Association and Key Management Protocol) which refers to the protocol that allows IKE to occur.
(2) You will need to allow IPSec traffic:
Option (a): Allow native IPSec traffic (un-encapsulated). This will typically be IP protocol number 50, for ESP (Encapsulated Security Payload). Very rarely an organization will use IP protocol number 51 for AH (Authenticated Header). In general, if AH is being used then data is not being encrypted.
Option (b): IPSec over UDP: Tunneling IPSec traffic over UDP port numbers. Historically, the Cisco VPN default for IPSec over UDP is UDP port number 10000.
Option (c): IPSec over TCP: Tunneling IPSec traffic over TCP port numbers. Historically, the Cisco VPN default for IPSec over TCP is TCP port number 10000.
Option (d): IPSec over UDP (Standards-based): Relatively new (several years old now) is NAT-T (Network Address Translation - Traversal), which uses UDP port 4500 to negotiate IPSec.
Assumption: I assumed from your question that you do not allow inside devices unrestricted access to the Internet.
Recommendation: Allow Options (a) and (d) -- ensure that the VPN clients are configured to support NAT-T. NAT-T should detect whether IPSec encapsulation over UDP is needed; if not, it will run native IPSec in order to avoid the unnecessary overhead of encapsulation.
Common misconfiguration: It is very common for firewall rules to allow more ports for VPN access than what is truly required. Most often the IP protocol number 51 (for AH) is a misconfiguration and should be removed.
Commonly deployed Cisco Firewall feature: An easy way 'out' is to deploy the 'sysopt connection permit-ipsec' feature. This allows UDP port 500, and IP protocol numbers 50 and 51. This permits IPSec traffic to pass through the Cisco firewall without a check of access-list command statements. If you are running PIX/ASA code 7.1(1) or later then the command is 'sysopt connection permit-vpn'.
P.S.: Many companies allow unrestricted access from the inside of their networks to the outside. The IKE (isakmp) exchanges create two uni-directional tunnels. IKE sets up a single IPSec bi-directional tunnel. The point being that you may need to allow UDP 500 in from the outside.
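As an added illustration of the recommendation and the "common misconfiguration" point above (my own example, not code from the poster or from Cisco), the following audits ASA-style access-list lines: it checks that Options (a) and (d) are present and flags AH and the legacy port-10000 encapsulations. The ACL text, the ACL name and the host address 203.0.113.5 are constructed sample data.

```python
"""Audit Cisco ASA-style access-list lines against the VPN rule set described
above: keep Options (a) and (d), flag AH and the legacy port-10000 encapsulations."""

# ASA accepts service and protocol names in place of numbers; only the names this
# audit needs are mapped here (a constructed subset, not the full ASA name table).
PORT_NAMES = {"isakmp": 500}
PROTO_NUMBERS = {"esp": 50, "ah": 51}

REQUIRED = {("udp", 500): "IKE/ISAKMP (UDP 500)",
            ("udp", 4500): "NAT-T (UDP 4500)",
            ("ip", 50): "ESP (IP protocol 50)"}
SUPERFLUOUS = {("ip", 51): "AH (IP protocol 51): usually a misconfiguration",
               ("udp", 10000): "IPSec over UDP 10000: legacy, redundant with NAT-T",
               ("tcp", 10000): "IPSec over TCP 10000: legacy, redundant with NAT-T"}

def parse_ace(line):
    """Return (proto, number) for a permit ACE, or None for lines this audit ignores."""
    tokens = line.split()
    if "permit" not in tokens:
        return None
    proto = tokens[tokens.index("permit") + 1]
    if proto in PROTO_NUMBERS:                      # permit esp / permit ah
        return ("ip", PROTO_NUMBERS[proto])
    if proto in ("tcp", "udp") and "eq" in tokens:  # permit udp ... eq <port>
        port = tokens[tokens.index("eq") + 1]
        number = PORT_NAMES.get(port, int(port) if port.isdigit() else None)
        return (proto, number) if number else None
    return None

def audit(acl_text):
    """Report required entries that are missing and superfluous entries to remove."""
    present = {p for p in map(parse_ace, acl_text.splitlines()) if p}
    return {"missing": [v for k, v in REQUIRED.items() if k not in present],
            "remove": [v for k, v in SUPERFLUOUS.items() if k in present]}

# Constructed sample ACL: IKE and ESP allowed, NAT-T missing, AH and TCP 10000 open.
SAMPLE_ACL = """\
access-list OUTSIDE_IN extended permit udp any host 203.0.113.5 eq isakmp
access-list OUTSIDE_IN extended permit esp any host 203.0.113.5
access-list OUTSIDE_IN extended permit ah any host 203.0.113.5
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq 10000
access-list OUTSIDE_IN extended deny ip any any
"""

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_ACL).items():
        for item in items:
            print(f"{kind}: {item}")
```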