IPsec Firewall

From AAISP Support Site
Revision as of 19:48, 30 July 2015 by AA-Andrew

If there is no NAT involved, you need:

  • UDP port 500 for the IKE control channel
  • IP protocol ESP (50) for the data channel.

If NAT has been detected, or you force IKE to believe NAT is present (see below), you need:

  • UDP port 4500, which carries both IKE and the UDP-encapsulated ESP data (no need for protocol ESP).
  • You may need UDP port 500 too, to allow the initial contact to be made; as soon as NAT is detected (or it has been forced) IKE switches to port 4500.

The force-NAT config option (note the capitalisation) can be used to force IKE to treat the connection as if it were NATed. It lives in the top-level ipsec-ike config item, and you need to select "Show all" in the UI to see it.
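As an added example (not part of the AAISP page and not FireBrick's own code), the checker below encodes the two allowance sets above, reports which one a firewall allow-list is missing, and scans dropped-packet log lines for the IPsec component being blocked. The log line format and the addresses are constructed for the example, not FireBrick's own log syntax.

```python
import re

# Allowances a FireBrick IPsec tunnel needs, as (protocol, port); port is None for raw ESP.
IKE = ("udp", 500)      # IKE control channel
NAT_T = ("udp", 4500)   # IKE plus UDP-encapsulated ESP once NAT is detected or forced
ESP = ("esp", None)     # IP protocol 50, the data channel when no NAT is involved

NAMES = {IKE: "IKE (UDP 500)", NAT_T: "NAT-T (UDP 4500)", ESP: "ESP (IP protocol 50)"}


def required_rules(nat_detected: bool) -> set:
    """Allowances needed for the given NAT situation (UDP 500 stays for initial contact)."""
    return {IKE, NAT_T} if nat_detected else {IKE, ESP}


def missing_rules(allowed, nat_detected: bool) -> set:
    """Required allowances absent from a firewall's allow-list of (protocol, port) tuples."""
    return required_rules(nat_detected) - set(allowed)


# Constructed drop-log format (assumption): "... DROP src=A dst=B proto=udp dport=4500"
# or "... DROP src=A dst=B proto=esp" for the raw ESP data channel.
DROP_RE = re.compile(r"DROP .*?proto=(?P<proto>\w+)(?: dport=(?P<port>\d+))?")


def blocked_components(log_lines, nat_detected: bool) -> list:
    """Distinct IPsec components dropped by the firewall that this tunnel mode needs."""
    needed = required_rules(nat_detected)
    found = []
    for line in log_lines:
        m = DROP_RE.search(line)
        if not m:
            continue
        key = (m["proto"].lower(), int(m["port"]) if m["port"] else None)
        if key in needed and key not in found:
            found.append(key)
    return found


def describe(keys) -> list:
    """Human-readable names for a list of (protocol, port) allowances."""
    return [NAMES[k] for k in keys]


# Constructed sample log: an endpoint behind NAT trying UDP 4500, a raw ESP attempt, and noise.
SAMPLE_LOG = [
    "Jul 30 19:48:01 fw kernel: DROP src=203.0.113.5 dst=198.51.100.9 proto=udp dport=4500",
    "Jul 30 19:48:01 fw kernel: DROP src=203.0.113.5 dst=198.51.100.9 proto=esp",
    "Jul 30 19:48:02 fw kernel: DROP src=203.0.113.77 dst=198.51.100.9 proto=udp dport=53",
]

if __name__ == "__main__":
    print("NAT-T mode blocked:", describe(blocked_components(SAMPLE_LOG, True)))
    print("No-NAT mode missing:", describe(missing_rules({IKE}, False)))
```

Run the checks with the allow-list of the firewall in front of the FireBrick and the mode the tunnel is actually in; with force-NAT set, a blocked ESP line is expected and harmless, while a blocked UDP 4500 line is the real problem.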