Routing and Remote Access Blog

VPN articles - straight from Windows development team

Which ports to unblock for VPN traffic to pass-through?

Which ports to unblock for VPN traffic to pass-through?

  • Comments 9
  • Likes

Little Background: Microsoft RRAS server and VPN client supports PPTP, L2TP/IPSec, SSTP and IKEv2  based VPN connection. PPTP control path is over TCP and data path over GRE. L2TP tunnel traffic is carried over IPSec transport mode and IPSec protocol internally has a control path through IKE and data path over ESP. SSTP control and data path is over TCP. IKEv2 control path is over IKE and data path over ESP.

So now coming back to original question. There are multiple scenarios:

1) If RRAS based VPN server is behind a firewall (i.e. a firewall is placed between Internet and RRAS server), then following ports need to be opened (bidirectional) on this firewall to allow VPN traffic to pass through: -

  • For PPTP:
    • IP Protocol=TCP, TCP Port number=1723   <- Used by PPTP control path
    • IP Protocol=GRE (value 47)   <- Used by PPTP data path
  • For L2TP:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path
  • For SSTP:
    • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path
  • For IKEv2:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path

2) If RRAS server is directly connected to Internet, then you need to protect RRAS server from the Internet side (i.e. only allow access to the services on the public interface that isaccessible from the Internet side). This can be done using RRAS static filters or running Windows Firewall on the public interface (or the interface towards the Internet side). In this scenario following ports need to be opened (bidirectional) on RRAS box to allow VPN traffic to pass through

  • For PPTP:
    • IP Protocol=TCP, TCP Port number=1723  <- Used by PPTP control path
    • IP Protocol=GRE (value 47)  <- Used by PPTP data path
  • For L2TP:
    • IP Protocol Type=UDP, UDP Port Number=500   <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=1701  <- Used by L2TP control/data path
    • IP Protocol Type=50  <- Used by data path (ESP)
  • For SSTP:
    • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path
  • For IKEv2:
    • IP Protocol Type=UDP, UDP Port Number=500   <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=1701  <- Used by L2TP control/data path
    • IP Protocol Type=50 <- Used by data path (ESP)

Note: Please DO NOT configure RRAS static filters if you are running on the same server RRAS based NAT router functionality. This is because RRAS static filters are stateless and NAT translation requires a stateful edge firewall like ISA firewall.

Do not forget: If you enable Windows firewall or RRAS static filters on the public interface and only enable VPN traffic to pass-through, then all the other traffic may be dropped. For example, if the same server is running as a mail server facing internet or a DNS server or a reverse web proxy server, then you need to enable the ports used by those services explicitly. For further details, refer to this article: http://blogs.technet.com/rrasblog/archive/2006/07/06/enabling-rras-drops-all-other-traffic-except-vpn-traffic.aspx

References:

http://technet2.microsoft.com/WindowsServer/en/Library/ac14405b-3802-4ae0-bcd5-5c33bb7db5311033.mspx?mfr=true

Ports affecting the VPN connectivity

RRAS Server in Windows server 2008: Which one to use - Windows firewall or RRAS filters  

Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

 

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments
  • I have seen this a common customer query: My 2K, 2K3 server was working as DNS, DHCP, AD etc and stopped...

  • Hi Folks,
    I have seen a lot of IP addressing,&amp;nbsp;NIC, NAT&amp;nbsp;related queries&amp;nbsp;in different newsgroups....

  • Hello, As you know in Windows server 2008 (WS08) we have removed “Basic Firewall” functionality in RRAS

  • Hello Customers, In this post, I will highlight on various placement requirements related to RAS server.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment