Re: IPSEC through firewall for DC replication
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: Thu, 03 Jun 2004 22:19:05 GMT
ESP uses "protocol 50" as described in the KB below. --- Steve
IPSec does not disturb the original IP header and can be routed as normal IP traffic.
Routers and switches in the data path between the communicating hosts simply forward
the packets to their destination. However, when there is a firewall or gateway in the
data path, IP forwarding must be enabled at the firewall for the following IP
protocols and UDP ports:
a.. IP Protocol ID 50:
For both inbound and outbound filters. Should be set to allow Encapsulating
Security Protocol (ESP) traffic to be forwarded.
b.. IP Protocol ID 51:
For both inbound and outbound filters. Should be set to allow Authentication Header
(AH) traffic to be forwarded.
c.. UDP Port 500:
"tony" <email@example.com> wrote in message
> I am trying to use IPSEC to send Domain Controller
> replication through the firewall for a one-way trust with
> the Domain controllers in the DMZ. However, IPSec (ESP)
> packet dropped keeps occuring at the firewall because the
> destination port is being randomly assigned, the source
> port for IPSEC(ESP) is port 0. Is there a way to force
> the destination port to a specific port number so I can
> allow it in my firewall rules?
> Thank you,