
How do you port forward a VPN?

Periodically, I encounter documents on the internet that indicate you can port forward from an internet modem in order to establish a VPN.  Typically, internet modems can forward TCP and UDP ports, because their port-forward table is keyed on a transport protocol and a destination port number, but they cannot normally forward traffic by IP Protocol ID.  ESP, AH and GRE are IP protocols in their own right, carried directly inside the IP header with no port numbers at all, so a port-forward rule has nothing to match on.  A Virtual Private Network consists of TCP Ports, UDP Ports and IP Protocol IDs, and every one of them has to reach the VPN server.  

L2TP over IPSec uses ESP (IP Protocol ID 50), AH (IP Protocol ID 51), IKE (UDP Port 500), L2F/L2TP (UDP Port 1701) and NAT-T (UDP Port 4500).  Note that the L2TP traffic on UDP Port 1701 travels inside the IPSec ESP transport-mode connection, so at the modem or perimeter firewall it does not need its own forwarding rule once ESP (or, with NAT-T, UDP Port 4500) reaches the server.  A bare UDP Port 1701 rule only matters if you run L2TP without IPSec, which sends the tunnel unencrypted and is not recommended.
 
IPSec uses ESP (IP Protocol ID 50) and AH (IP Protocol ID 51) for the protected traffic, and IKE (UDP Port 500) for the Phase 1 and Phase 2 negotiations.  When NAT-T is in use, IKE still starts on UDP Port 500, detects the NAT during Phase 1 and then moves to UDP Port 4500; UDP Port 4500 then carries both the remaining IKE exchanges and the ESP packets, which are wrapped in UDP so they can cross the NAT.  In practice most deployments use ESP only.  AH does not encrypt, and it cannot pass through a NAT at all, because the address rewrite breaks its integrity check.

PPTP uses TCP Port 1723 for the control channel and GRE (IP Protocol ID 47) for the tunnelled data.  Its MS-CHAPv2 authentication is considered broken, so PPTP should not be used where either of the IPSec-based options is available.

IPSec Passthrough

Some internet modems offer a setting called IPSec Passthrough (sometimes labelled VPN Passthrough), which allows an IPSec VPN client behind the modem to establish a tunnel by letting ESP traffic through the NAT.  This is not the same thing as IPSec NAT Traversal (NAT-T): passthrough is a feature of the modem, while NAT-T (UDP Port 4500) is negotiated between the two IPSec peers themselves and works without any help from the modem.  Passthrough generally serves outbound clients and often tracks only one ESP session per remote peer; it is not a substitute for forwarding inbound connections to a VPN server sitting behind the modem.

IP Passthrough & Bridge Mode

Another option is to configure the internet modem for IP Passthrough, which assigns the public IP address to the external NIC of the device being accessed.  You could also configure the internet modem for Bridge Mode, which likewise assigns the public IP address to the external NIC of the device being accessed.  However, this is only secure if you have a firewall between the internet and the device being accessed.  Without a dedicated firewall, the device is exposed directly to the internet.  Relying on a host-based software firewall alone is not recommended: if the host is compromised, its firewall goes with it.  It is also recommended that the device being accessed sits inside a DMZ, meaning your internal LAN is on a separate subnet on a separate LAN port of your hardware firewall, so a compromise of the VPN server does not give direct access to the LAN.

Curiously, not all Internet Service Providers truly provide IP Passthrough.  ClearWire, for example, provides true IP Passthrough, while Comcast Business does not.

Conclusion

The easiest and most straightforward solution for establishing a VPN is with the use of a firewall.  I recommend the Watchguard XTM.  I also recommend the use of L2TP over IPSec versus other VPN Protocols such as IPSec or PPTP.  L2TP over IPSec is secure and the Client Protocol is native to the Windows Operating System.

Notes

  • Client-side computers often reach the VPN from a dynamically assigned outbound (source) port, or from a source port rewritten by a NAT in front of them, so forwarding rules are written against the destination port and protocol on the server side, never against the client's source port.

  • Firewalls can be configured with policies that match on the IP Protocol ID (for example ESP 50, AH 51 or GRE 47) and pass that traffic to an internal host, which is the equivalent of port forwarding for protocols that have no port numbers.  This is the capability most internet modems lack.
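As an added example (not part of the original post), the following Python script ties the protocol list above to this last note.  It parses constructed IPv4 packets for each VPN component, then checks every packet against a modem-style port-forward table, which can only hold (transport protocol, destination port) entries, and against a firewall policy that can also match on a bare IP protocol number.  The addresses, SPIs and payload bytes are made up for illustration; the 4-byte zero "non-ESP marker" used to tell IKE from ESP on UDP Port 4500 is taken from RFC 3948.

```python
import struct
from typing import List, NamedTuple, Optional, Set, Tuple

# IANA IP protocol numbers used by the VPN types discussed above.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51


class Packet(NamedTuple):
    proto: int
    dport: Optional[int]   # None for ESP/AH/GRE: they carry no port field
    component: str         # which VPN component the packet belongs to


def parse_ipv4(raw: bytes) -> Packet:
    """Classify a raw IPv4 packet by IP protocol number and, for TCP/UDP, destination port."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4       # header length in bytes (covers IP options, if any)
    proto = raw[9]
    payload = raw[ihl:]
    if proto == PROTO_UDP:
        _sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", payload, 0)
        data = payload[8:]
        if dport == 500:
            name = "IKE (UDP 500)"
        elif dport == 4500:
            # RFC 3948: IKE on UDP 4500 is prefixed with four zero bytes (the non-ESP marker).
            # A real ESP SPI is never 0, so anything else on 4500 is UDP-encapsulated ESP.
            name = "IKE over NAT-T (UDP 4500)" if data[:4] == b"\x00" * 4 else "ESP over NAT-T (UDP 4500)"
        elif dport == 1701:
            name = "L2TP (UDP 1701)"
        else:
            name = f"UDP {dport}"
        return Packet(proto, dport, name)
    if proto == PROTO_TCP:
        _sport, dport = struct.unpack_from("!HH", payload, 0)
        return Packet(proto, dport, "PPTP control (TCP 1723)" if dport == 1723 else f"TCP {dport}")
    if proto == PROTO_ESP:
        spi, = struct.unpack_from("!I", payload, 0)   # first ESP field is the SPI
        return Packet(proto, None, f"ESP (IP protocol 50), SPI 0x{spi:08x}")
    if proto == PROTO_AH:
        return Packet(proto, None, "AH (IP protocol 51)")
    if proto == PROTO_GRE:
        return Packet(proto, None, "GRE (IP protocol 47)")
    return Packet(proto, None, f"IP protocol {proto}")


# A modem's port-forward table can only hold (transport protocol, destination port) entries.
MODEM_PORT_FORWARDS: Set[Tuple[int, Optional[int]]] = {
    (PROTO_UDP, 500), (PROTO_UDP, 4500), (PROTO_UDP, 1701), (PROTO_TCP, 1723)}
# A firewall policy can additionally match on a bare IP protocol number (no port).
FIREWALL_POLICY = MODEM_PORT_FORWARDS | {(PROTO_ESP, None), (PROTO_AH, None), (PROTO_GRE, None)}


def is_forwarded(pkt: Packet, table: Set[Tuple[int, Optional[int]]]) -> bool:
    return (pkt.proto, pkt.dport) in table


# --- constructed sample packets: documentation addresses, dummy SPIs and payloads ---
def build_ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([203, 0, 113, 10]), bytes([198, 51, 100, 20]))
    return hdr + payload


def build_udp(dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", dport, dport, 8 + len(data), 0) + data


SAMPLES = [
    build_ipv4(PROTO_UDP, build_udp(500, b"\x11" * 28)),                         # IKE, first exchange
    build_ipv4(PROTO_UDP, build_udp(4500, b"\x00\x00\x00\x00" + b"\x11" * 28)),  # IKE after NAT detected
    build_ipv4(PROTO_UDP, build_udp(4500, b"\xc0\x00\x00\x01" + b"\x22" * 16)),  # UDP-encapsulated ESP
    build_ipv4(PROTO_ESP, b"\xc0\x00\x00\x01" + b"\x22" * 16),                   # plain ESP, no NAT-T
    build_ipv4(PROTO_AH, b"\x33" * 24),                                          # AH, dummy body
    build_ipv4(PROTO_TCP, struct.pack("!HHIIBBHHH", 40000, 1723, 0, 0, 0x50, 0x02, 0xFFFF, 0, 0)),
    build_ipv4(PROTO_GRE, b"\x30\x01\x88\x0b" + b"\x44" * 8),                    # PPTP data channel (GRE v1)
]


def audit(table: Set[Tuple[int, Optional[int]]] = MODEM_PORT_FORWARDS) -> List[Tuple[str, bool]]:
    """Return (component, forwarded?) for every sample packet against the given table."""
    return [(p.component, is_forwarded(p, table)) for p in map(parse_ipv4, SAMPLES)]


if __name__ == "__main__":
    for comp, ok in audit():
        print(f"{'forwarded' if ok else 'DROPPED  '}  {comp}")
```

Run against the modem table, the plain ESP, AH and GRE packets are dropped because their `dport` is `None` and no port-forward entry can ever match them, while the NAT-T copy of ESP on UDP Port 4500 is forwarded.  That is exactly why NAT-T lets an L2TP/IPSec client work behind a port-forwarding modem, and why PPTP (GRE) and non-NAT-T IPSec need a firewall policy on the IP Protocol ID instead.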
