http://blogs.technet.com/b/rrasblog/archive/2007/06/13/ports-affecting-the-vpn-connectivity.aspxIf you are running firewall infront of your RRAS server (i.e. between internet and RRAS) , then following are the relevant ports which needs to be opened on the firewall for VPN connectivity to be successful: a) PPTP tunnel based VPN uses TCP Porten-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/rrasblog/archive/2007/06/13/ports-affecting-the-vpn-connectivity.aspx#2997013Fri, 14 Mar 2008 08:44:50 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2997013Routing and Remote Access Blog<p>Hello, As you know in Windows server 2008 (WS08) we have removed “Basic Firewall” functionality in RRAS</p> <img src="http://blogs.technet.com/aggbug.aspx?PostID=2997013" width="1" height="1">http://blogs.technet.com/b/rrasblog/archive/2007/06/13/ports-affecting-the-vpn-connectivity.aspx#1237022Thu, 14 Jun 2007 00:06:30 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1237022Stefaan Pouseele<p>For L2TP/IPsec based VPN's, a firewall will only see IPsec traffic. In other words, the L2TP traffic (UDP Port 1701) is hidden. Thus, only UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP) is needed. </p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=1237022" width="1" height="1">http://blogs.technet.com/b/rrasblog/archive/2007/06/13/ports-affecting-the-vpn-connectivity.aspx#1236936Wed, 13 Jun 2007 23:47:14 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1236936Sooner Al [MVP]<p>Users can run the test detailed in the PPTP Ping and VPN Traffic sections in this Cable Guy article to troubleshoot PPTP VPN connection problems.</p> <p><a rel="nofollow" target="_new" href="http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx">http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx</a></p> <p>These tools, ie. pptpsrv and pptpclnt, also run on Vista machines for home users setting up a PPTP VPN server on a Vista PC at home and/or use a remote Vista client.</p> <p><a rel="nofollow" target="_new" href="http://theillustratednetwork.mvps.org/Vista/PPTP/PPTPVPN.html">http://theillustratednetwork.mvps.org/Vista/PPTP/PPTPVPN.html</a></p> <p>Many consumer grade routers have issues passing GRE Protocol 47 traffic.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=1236936" width="1" height="1">http://blogs.technet.com/b/rrasblog/archive/2007/06/13/ports-affecting-the-vpn-connectivity.aspx#1235305Wed, 13 Jun 2007 20:26:56 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1235305anon<p>What about IPsec NAT-T on 4500/udp? We currently rely on this functionality for Windows 2000 clients connecting to a Windows 2003 Server. If this functionality is changing because of TCP encapsulation solutions like SSTP, then it would be great to know.</p> <p>Thanks</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=1235305" width="1" height="1">