IPsec Firewall: Difference between revisions

Revision as of 19:48, 30 July 2015

If there is no NAT involved, you need:

UDP port 500 for the IKE control channel
IP protocol ESP (50) for the data channel.

If NAT has been detected, or you force IKE to believe NAT is present (see below) you need:

UDP port 4500 only (no need for protocol ESP).
You may need UDP port 500 too, to allow the initial contact to be made - though as soon as NAT is detected (or it has been forced) IKE switches to 4500.
UDP 4500 for IKE

The config force-NAT option [Note the capitalisation ] can be used to force IKE to treat the connection as if it was NATed. This is in the top-level ipsec-ike config item and you need "Show all" on the UI.

@@ Line 1: / Line 1: @@
 <indicator name="Tunnels">[[File:Menu-IPsec.svg|link=:Category:FireBrick_IPsec|30px|Back up to the FireBrick IPsec Tunnels Category Page]]</indicator>
-If there is no NAT involved, you need UDP port 500 for the IKE control channel, and IP protocol ESP (50) for the data channel.
+If there is no NAT involved, you need:
+*UDP port 500 for the IKE control channel
+*IP protocol ESP (50) for the data channel.
-If NAT has been detected, or you force IKE to believe NAT is present (see below) you need UDP port 4500 only (no need for protocol ESP).  You may need UDP port 500 too, to allow the initial contact to be made - though as soon as NAT is detected (or it has been forced) IKE switches to 4500.
+If NAT has been detected, or you force IKE to believe NAT is present (see below) you need:
+*UDP port 4500 only (no need for protocol ESP).
+*You may need UDP port 500 too, to allow the initial contact to be made - though as soon as NAT is detected (or it has been forced) IKE switches to 4500.
+*UDP 4500 for IKE
 The config force-NAT option [Note the capitalisation  ] can be used to force IKE to treat the connection as if it was NATed.  This is in the top-level ipsec-ike config item and you need "Show all" on the UI.