Re: Firewalls + IPSEC
From: Mark Swift [MSFT] (mswift_at_online.microsoft.com)
Date: 04/26/03
- Next message: Mike: "Re: Account keeps locking out !!"
- Previous message: jubilee: "Explorer Property tab and Sharing tab won't show up for folders"
- In reply to: Martin O'Leary: "Re: Firewalls + IPSEC"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Apr 2003 15:19:23 -0700
It really depends on the vendor's implementation of "IPSec passthrough".
What holes does the vendor say they open up? For basic firewalls, if they
don't allow specifying protocols, then you are correct that you can't go
through them. If the firewall is also a NAT, then that is quite different.
You will need the upcoming NAT Traversal package for W2K or WinXP to cross
the NAT (Windows Server 2003 supports it already). You will then need to
allow UDP ports 500 and 4500 for all IPSec traffic.
--
Mark Swift
Microsoft/Windows/Networking/Secure Network Services/IP Security
Software Test Engineer
----------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
----------------------------------------------------------------------------

"Martin O'Leary" <martin@networx911.com> wrote in message
news:02fa01c30875$9475f4a0$a501280a@phx.gbl...
> I take it basic firewalls will not be able to open these
> holes. If the firewall says it will perform IPSEC
> passthrough, these protocol holes should already be opened?
>
> >-----Original Message-----
> >You need to open up holes for Protocol 50 for ESP and/or
> >Protocol 51 for AH.
> >Also UDP port 500 for the IKE negotiation (negotiating the Security
> >Association between the two IPSec endpoints).
> >
> >VPN using L2TP will need the same holes opened up.
> >
> >--
> >Mark Swift
> >Microsoft/Windows/Networking/Secure Network Services/IP Security
> >Software Test Engineer
> >
> >----------------------------------------------------------------------------
> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >Use of included script samples is subject to the terms specified at
> >http://www.microsoft.com/info/cpyright.htm
> >----------------------------------------------------------------------------
> >
> >"Martin" <martin@networx911.com> wrote in message
> >news:04b901c302ad$5dd69e90$3001280a@phx.gbl...
> >> I have recently secured my terminal server using IPSEC
> >> and a preshared key. Currently I have one external NIC
> >> and one internal. The server is not behind a firewall at
> >> this time.
> >> When I sit down at a computer behind a
> >> firewall and try to connect to the external NIC with TS
> >> the connection is not made. If I unassign the IPSEC
> >> policy on both server and workstation I can connect. The
> >> firewall is not passing the IPSEC traffic correctly. The
> >> only thing I can think of is creating a VPN tunnel. Is
> >> this the only way to make this work? I am not aware of
> >> any IPSEC ports that need to be open.
> >>
> >> Thanks for the help.
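The thread above boils down to a small set of firewall holes: IP protocol 50 (ESP) and/or 51 (AH), UDP/500 for IKE, and UDP/4500 once NAT traversal encapsulates ESP in UDP. The following is an added example, not code from the thread or from Microsoft: a toy default-deny packet filter (with an optional NAT flag) that replays Martin's situation, an RDP session that works until an IPsec policy turns it into ESP, and checks which of the IPsec packets each rule set drops. The `Packet`, `Rule` and `Firewall` names and the rule that a NAT without IPsec passthrough cannot forward port-less ESP/AH are assumptions made for the model.

```python
# Added example (not part of the original newsgroup thread). A minimal model of a
# packet-filtering firewall, used to show why an IPsec-protected RDP session stops
# working behind a "basic" firewall and which holes (IP proto 50/51, UDP 500, and
# UDP 4500 for NAT-T) make it pass again.
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, ESP, AH = 6, 17, 50, 51          # IANA IP protocol numbers
IKE_PORT, NAT_T_PORT, RDP_PORT = 500, 4500, 3389


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None           # only TCP/UDP carry a port
    desc: str = ""


@dataclass(frozen=True)
class Rule:
    """Allow rule: IP protocol plus optional destination port."""
    proto: int
    dst_port: Optional[int] = None           # None = any port / port-less protocol

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and self.dst_port in (None, pkt.dst_port)


class Firewall:
    """Default-deny filter; nat=True models a NAT box without IPsec passthrough."""

    def __init__(self, rules: List[Rule], nat: bool = False):
        self.rules = list(rules)
        self.nat = nat

    def allows(self, pkt: Packet) -> bool:
        # Assumption of the model: a NAT has no transport-layer ports to map for
        # raw ESP/AH, so those packets never cross it regardless of the rules.
        if self.nat and pkt.proto in (ESP, AH):
            return False
        return any(r.matches(pkt) for r in self.rules)


def ipsec_flows(protected: Packet, nat_t: bool) -> List[Packet]:
    """Packets the firewall actually sees once IPsec (ESP) protects a flow.

    IKE always negotiates over UDP/500. Without NAT-T the data travels as raw
    ESP (protocol 50); with NAT-T it is ESP encapsulated in UDP/4500."""
    ike = Packet(UDP, IKE_PORT, "IKE negotiation")
    if nat_t:
        data = Packet(UDP, NAT_T_PORT, f"ESP-in-UDP carrying {protected.desc}")
    else:
        data = Packet(ESP, None, f"ESP carrying {protected.desc}")
    return [ike, data]


def blocked_flows(fw: Firewall, protected: Packet, nat_t: bool = False) -> List[str]:
    """Descriptions of the IPsec packets the firewall drops (empty list = it works)."""
    return [p.desc for p in ipsec_flows(protected, nat_t) if not fw.allows(p)]


# --- constructed scenarios mirroring the thread ------------------------------
RDP = Packet(TCP, RDP_PORT, "RDP")

# "Basic" firewall: can only express TCP/UDP ports. RDP and IKE are allowed,
# but there is no way to say "IP protocol 50".
basic_fw = Firewall([Rule(TCP, RDP_PORT), Rule(UDP, IKE_PORT)])

# Firewall that can specify IP protocols: the holes Mark lists.
ipsec_fw = Firewall([Rule(TCP, RDP_PORT), Rule(UDP, IKE_PORT), Rule(ESP), Rule(AH)])

# Same holes on a device that also performs NAT, plus UDP/4500 for NAT-T.
nat_fw = Firewall([Rule(UDP, IKE_PORT), Rule(UDP, NAT_T_PORT), Rule(ESP), Rule(AH)],
                  nat=True)

if __name__ == "__main__":
    print("plain RDP through basic fw  :", basic_fw.allows(RDP))
    print("IPsec RDP, basic fw, blocked:", blocked_flows(basic_fw, RDP))
    print("IPsec RDP, proto-aware fw   :", blocked_flows(ipsec_fw, RDP))
    print("IPsec RDP, NAT, no NAT-T    :", blocked_flows(nat_fw, RDP))
    print("IPsec RDP, NAT, with NAT-T  :", blocked_flows(nat_fw, RDP, nat_t=True))
```

Run as-is, the model reproduces the thread's diagnosis: the basic firewall passes plain RDP and IKE but drops the ESP packets that carry the RDP session, a protocol-aware rule set lets everything through, and behind NAT only the UDP/4500-encapsulated form survives. When troubleshooting a real device, the same question applies: ask whether its "IPSec passthrough" setting actually forwards protocols 50/51 and UDP 500/4500, or only translates TCP/UDP ports.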