LANCOM Support Knowledgebase Dokument-Nr. 1809.1010.1736.RHOO - V1.00

Which ports and protocols must be activated for a VPN connection in a router or firewall?



Description:

If a VPN router or VPN client (PPTP/IPsec) is located in a local area network behind a firewall, the following ports and IP protocols must be opened in the firewall (and in any intermediate router) so that the VPN connection can be established and payload data can be transmitted:


LANCOM VPN-Router:

- IKE negotiation = UDP 500
- ESP, Encapsulating Security Payload (IP protocol 50), or optionally
- AH, Authentication Header (IP protocol 51)

Additionally, depending on the configuration:
  • UDP port 4500 must be opened when NAT-T (NAT Traversal) is used
  • UDP port 87 must be opened when Dynamic VPN is used


LANCOM Advanced VPN Client:

- IKE negotiation = UDP 500
- ESP, Encapsulating Security Payload (IP protocol 50), or optionally
- AH, Authentication Header (IP protocol 51)

Additionally, depending on the configuration:
  • UDP port 4500 must be opened when NAT-T (NAT Traversal) is used


Windows IPsec/PPTP function:

- PPTP negotiation = TCP 1723 (GRE is forwarded automatically together with this entry)
- GRE, Generic Routing Encapsulation (IP protocol 47), the PPTP data channel
- IKE negotiation = UDP 500
- ESP, Encapsulating Security Payload (IP protocol 50)
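
The three lists above translate into a firewall rule set. The following script is an added example and not part of this LANCOM document: it prints iptables FORWARD rules for a Linux firewall that sits between the LAN and the Internet and has to pass the flows listed for one of the three profiles. The interface names eth0 (WAN) and eth1 (LAN), the profile names and the environment switches are assumptions made for this example; the VPN peer address is passed as an argument. Note that, unlike the LANCOM router, iptables does not open GRE automatically when TCP 1723 is forwarded, and that ESP, AH and GRE carry no port numbers, so they are allowed per IP protocol and restricted to the peer address.

```shell
#!/bin/sh
# Added example (not LANCOM's code): print iptables FORWARD rules for a Linux
# firewall between the LAN (LAN_IF) and the Internet (WAN_IF) that pass the
# VPN flows listed above for one of three profiles.
# Assumed, not from the page: interface names eth0/eth1 and a single remote
# VPN peer address given as second argument. Nothing is applied; pipe the
# output into sh on the firewall to load the rules.
#
# Usage: vpn_rules <router|client|windows> <peer-ip>
# Switches (environment): NAT_T=0 omits UDP 4500, WITH_AH=1 adds protocol 51,
# DYNAMIC_VPN=1 adds UDP 87 (router profile only).

vpn_rules() {
    profile=$1
    peer=$2
    wan=${WAN_IF:-eth0}
    lan=${LAN_IF:-eth1}
    if [ -z "$peer" ]; then
        echo "usage: vpn_rules <router|client|windows> <peer-ip>" >&2
        return 1
    fi

    # Outbound rule matches the destination port; the inbound rule matches the
    # peer's source port, which covers replies and, because IKE uses port 500
    # (or 4500 with NAT-T) on both ends, incoming IKE initiations as well.
    allow_port() {  # $1 = tcp|udp, $2 = port
        echo "iptables -A FORWARD -i $lan -o $wan -d $peer -p $1 --dport $2 -j ACCEPT"
        echo "iptables -A FORWARD -i $wan -o $lan -s $peer -p $1 --sport $2 -j ACCEPT"
    }
    # ESP, AH and GRE have no ports: allow the IP protocol in both directions,
    # restricted to the peer. iptables does not add GRE for you when TCP 1723
    # is opened, so the windows profile adds protocol 47 explicitly.
    allow_proto() { # $1 = IP protocol number
        echo "iptables -A FORWARD -i $lan -o $wan -d $peer -p $1 -j ACCEPT"
        echo "iptables -A FORWARD -i $wan -o $lan -s $peer -p $1 -j ACCEPT"
    }

    case $profile in
        router|client)
            allow_port udp 500                       # IKE
            if [ "${NAT_T:-1}" != 0 ]; then allow_port udp 4500; fi   # NAT-T
            if [ "$profile" = router ] && [ "${DYNAMIC_VPN:-0}" = 1 ]; then
                allow_port udp 87                    # Dynamic VPN
            fi
            allow_proto 50                           # ESP
            if [ "${WITH_AH:-0}" = 1 ]; then allow_proto 51; fi       # AH
            ;;
        windows)
            allow_port tcp 1723   # PPTP control channel
            allow_proto 47        # GRE, the PPTP data channel
            allow_port udp 500    # IKE for the Windows IPsec client
            allow_proto 50        # ESP
            ;;
        *)
            echo "unknown profile: $profile" >&2
            return 1
            ;;
    esac
    return 0
}

# Stand-alone use: print the rules for the profile and peer given on the command line.
if [ "$#" -gt 0 ]; then vpn_rules "$@"; fi
```

Run for example `WITH_AH=1 ./vpn_rules.sh router 203.0.113.5` to review the generated rules, and pipe the output into `sh` on the firewall once they look right. The rules deliberately scope every flow to the peer address; a rule that opens UDP 500 or ESP from anywhere exposes the IKE responder to the whole Internet.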


You can find a summary of port and protocol numbers at www.iana.org
© LANCOM Systems GmbH