VPN and Ports

Discussion in 'Server Networking' started by Richard Hrubizna, Mar 8, 2006.

  1. Hi all,

    my question is about ports. I had set up a MsWin2003 VPN server and
    configured the firewall.
    My firewall and ports:
    Client Ports <-> VPN Server Ports

    UDP 500 <-> UDP 500
    UDP 4500 <-> UDP 4500
    UDP 1701 <-> UDP 1701
    Protocol 50 <-> Protocol 50

    VPN is working fine. But several of our users are behind routers that
    change their source ports.
    So when they want to connect to our VPN server, their source ports are changed
    from e.g. UDP 4500 to UDP 32532 and my firewall blocks their
    connections. My question is, if I change my firewall to this, is this a
    security risk, or is it safe?

    Client Ports <-> VPN Server

    UDP whatever <-> UDP 500
    UDP whatever <-> UDP 4500
    UDP whatever <-> UDP 1701
    Protocol 50 <-> Protocol 50


    Thanks for reply.
     
    Richard Hrubizna, Mar 8, 2006
    #1
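To make the question concrete, here is an added example in Python (not code from the original post): it models the two rule sets above as a default-deny filter, runs constructed packets through them, and compares the inbound services each set admits. Protocol numbers 17 (UDP) and 50 (ESP) are the standard IANA values; the packet samples, including the NAT-rewritten source port 32532 from the post, are constructed.

```python
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple

UDP, ESP = 17, 50   # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src_port: Optional[int] = None   # None for port-less protocols such as ESP
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    proto: int
    src_port: Optional[int] = None   # None means "whatever": any source port
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port))

def allowed(rules: List[Rule], pkt: Packet) -> bool:
    """Default-deny filter: the packet passes only if some allow rule matches."""
    return any(r.matches(pkt) for r in rules)

def exposed_services(rules: List[Rule]) -> Set[Tuple[int, Optional[int]]]:
    """Inbound attack surface: the set of (protocol, destination port) any rule admits."""
    return {(r.proto, r.dst_port) for r in rules}

# The poster's current rules: client source port pinned to equal the server port.
ORIGINAL = [Rule(UDP, 500, 500), Rule(UDP, 4500, 4500), Rule(UDP, 1701, 1701), Rule(ESP)]
# The proposed rules: "UDP whatever" as source, destination still pinned.
PROPOSED = [Rule(UDP, None, 500), Rule(UDP, None, 4500), Rule(UDP, None, 1701), Rule(ESP)]

# Constructed samples: a client whose NAT rewrote UDP 4500 -> 32532 (the case in the post),
# an un-NATed client, and a stray probe at a port that was never part of the VPN policy.
NATED_CLIENT = Packet(UDP, 32532, 4500)
DIRECT_CLIENT = Packet(UDP, 4500, 4500)
STRAY_PROBE = Packet(UDP, 32532, 53)

def surface_unchanged() -> bool:
    """True when both rule sets admit exactly the same (protocol, dst port) services."""
    return exposed_services(ORIGINAL) == exposed_services(PROPOSED)
```

Relaxing the source port only changes which clients can reach the already-exposed services; the set of listening services the firewall admits stays the same.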
  2. Source ports are always random and are different with every connection, that
    isn't something you can do anything about. You can not do things the way
    you are trying.

    Assuming the users are on the Outside, the VPN Server is on the Inside,..and
    the firewall is between them....

    You have to use Static NAT on the firewall to make the VPN Server available
    to the users. You also need to enable "VPN Passthrough" or whatever your
    particular brand of router calls it, (some can't do it at all)...without
    that it will not pass the GRE packets (Protocol 47, not 50). The Static NAT
    should be done with 1701 unless your particular firewall automatically takes
    care of that when you enable "VPN Passthrough". Not all firewall devices
    are capable of doing this,...and I also see no point in fooling with 500 and
    4500 or Protocol 50.

    The bottom line is that you have to read the docs for your firewall and do
    it *their way*, and your firewall may limit your choices by its design.
     
    Phillip Windell, Mar 8, 2006
    #2
  3. I'm using L2TP/IPSEC VPN and not PPTP VPN.
    Therefore ports 500, 4500, 1701, and protocol 50.
    And it is not true that source ports are always random, especially with
    L2TP/IPSEC.
     
    Richard Hrubizna, Mar 8, 2006
    #3
  4. Actually with Windows clients, the UDP ephemeral response port is a random
    port above 1024. It's the way Windows works. You can force it to a specific
    port if you like. But what's confusing is a VPN should go across those ports
    you specified; however, I have never used UDP 1701 or 4500 for L2TP/IPSec,
    and you're also missing one. Maybe because you're stipulating UDP is why the
    ephemeral response port comes back over a random UDP port. The ones I've
    opened up in my Cisco access list that work fine for me without allowing
    anything UDP above 1024 (unless I'm running some other app that has nothing
    to do with VPNs) were:

    1701 TCP (L2TP Tunnel)
    500 UDP (IPSec Security Association)
    Protocol ID 50 (IPSec ESP)
    Protocol ID 51 (IPSec AH)

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.

    It's easy:
    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Assimilation Imminent. Resistance is Futile
    Infinite Diversities in Infinite Combinations

    "Very funny Scotty. Now, beam down my clothes."

    The only thing in life is change. Anything more is a blackhole consuming
    unnecessary energy.
     
    Ace Fekay [MVP], Mar 8, 2006
    #4
  5. Could the NAT-T & IPSec be involved here as well? Wouldn't the IPSec
    require NAT-T?

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

     
    Phillip Windell, Mar 8, 2006
    #5
  6. Good point. I went through and re-read his posts, but I didn't see anywhere
    stating he's using NAT; the only reference was this, about a firewall:

    "> my question is about ports. I had set up a
    I guess it's safe to assume NAT is enabled on it, unless it is routing and
    not NATing. Win 2003 should support NAT-T. I believe however, NAT-T only
    supports ESP and not the AH portion of the tunnel?

    Ace
     
    Ace Fekay [MVP], Mar 9, 2006
    #6
  7. Ok, I had to verify it and dig up the book. I also read elsewhere concerning
    this from a fellow MCT in a private newsgroup. Basically he said, which was
    quoted out of the book anyway from MOC courseware, #2277, Infrastructure
    Services course, Module 9, p25 :

    "IPSec NAT-T can be used only with ESP,", however it also says it can't be
    used with AH.

    Here's what windowssecurity.com says about it:

    "NAT-T adds a UDP header that encapsulates the ESP header (it sits between
    the ESP header and the outer IP header). This gives the NAT device a UDP
    header containing UDP ports that can be used for multiplexing IPSec data
    streams. NAT-T also puts the sending computer's original IP address into a
    NAT-OA (Original Address) payload. This gives the receiving computer access
    to that information so that the source and destination IP addresses and
    ports can be checked and the checksum validated. This also solves the
    problem of the embedded source IP address not matching the source address on
    the packet."

    NAT Traversal (NAT-T) Security Issues:
    http://www.windowsecurity.com/articles/NAT-Traversal-Security.html

    Now does that mean UDP ports are now required? I couldn't find anything on
    that portion, but as Deb Shinder says in that article above, it's a security
    concern to detune a system to support IPSec using NAT-T. You might as well
    stick with PPTP!

    Ace
     
    Ace Fekay [MVP], Mar 9, 2006
    #7
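As an added example (not from the quoted article or any post in this thread), this Python parser demultiplexes what arrives on UDP 4500 the way the NAT-T quote describes: the UDP header wraps the ESP header, and RFC 3948 distinguishes IKE from ESP on that port with a four-zero-byte non-ESP marker (an ESP SPI is never zero) and sends NAT keepalives as a single 0xFF byte. The sample datagrams are constructed, using the NAT-rewritten source port 32532 from the first post.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NAT_T_PORT = 4500                       # IKE and ESP move here once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948: 4 zero bytes prefix IKE, never ESP

@dataclass
class NatTPacket:
    kind: str            # "ike", "esp" or "keepalive"
    spi: Optional[int]   # ESP Security Parameters Index (ESP only)
    seq: Optional[int]   # ESP sequence number (ESP only)
    payload: bytes       # bytes following the demultiplexed header

def parse_udp_header(datagram: bytes):
    """Split a raw UDP datagram into (src_port, dst_port, payload)."""
    if len(datagram) < 8:
        raise ValueError("UDP header truncated")
    src, dst, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length field")
    return src, dst, datagram[8:length]

def classify_nat_t(datagram: bytes) -> NatTPacket:
    """Demultiplex a UDP/4500 datagram: keepalive, IKE or UDP-encapsulated ESP (RFC 3948)."""
    _src, dst, body = parse_udp_header(datagram)
    if dst != NAT_T_PORT:
        raise ValueError(f"not a NAT-T datagram (dst port {dst})")
    if body == b"\xff":                        # one-byte NAT keepalive
        return NatTPacket("keepalive", None, None, body)
    if body.startswith(NON_ESP_MARKER):        # IKE behind the non-ESP marker
        return NatTPacket("ike", None, None, body[4:])
    if len(body) < 8:
        raise ValueError("ESP header truncated")
    spi, seq = struct.unpack("!II", body[:8])  # ESP header sits right after UDP
    if spi == 0:
        raise ValueError("ESP SPI of zero is reserved")
    return NatTPacket("esp", spi, seq, body[8:])

def build_udp(src: int, dst: int, body: bytes) -> bytes:
    """Build a UDP datagram (checksum left zero, which is legal for IPv4)."""
    return struct.pack("!HHHH", src, dst, 8 + len(body), 0) + body

# Constructed samples: the client's NAT has rewritten its source port to 32532, as in the post.
SAMPLE_ESP = build_udp(32532, NAT_T_PORT, struct.pack("!II", 0xC0FFEE01, 7) + b"\x11" * 16)
SAMPLE_IKE = build_udp(32532, NAT_T_PORT, NON_ESP_MARKER + b"\x00" * 28)
SAMPLE_KEEPALIVE = build_udp(32532, NAT_T_PORT, b"\xff")
```

Because the firewall sees only the outer UDP header, the filter can match on destination port 4500 and protocol; the source port carries no information about the tunnel.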
  8. Richard Hrubizna, Mar 9, 2006
    #8
  9. That explains why the UDP ports!

    Thanks for posting that Richard.

    I think getting back to the original question about the source ports
    changing, what have you tried to handle it? Possibly allowing a UDP range?

    Ace
     
    Ace Fekay [MVP], Mar 9, 2006
    #9
  10. I've got a head ache....
     
    Phillip Windell, Mar 9, 2006
    #10
  11. LOL!

    I usually put a bottle of Crown Royal Special Reserve in the freezer. Try
    it. When you pour a shot, it flows almost like syrup. Down it, (smooth as
    silk), then chase it with an ice cold beer of your choosing, and I promise
    you'll be ok after that.

    Doctor's order...

    :)

    Ace
     
    Ace Fekay [MVP], Mar 10, 2006
    #11
  12. In Richard Hrubizna <> stated, which I commented on below:


    So Richard,

    Did you open the UDP range to make it work?

    Ace
     
    Ace Fekay [MVP], Mar 10, 2006
    #12