Wireshark-users: [Wireshark-users] L2TP-over-IPsec (may be off topic)
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Kok-Yong Tan <ktan@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 14 Sep 2010 13:01:11 -0400
From what I've read here (especially figures 54 and 55):
<http://www.juniper.net/techpubs/software/erx/junose53/swconfig- routing-vol1/html/l2tp-over-ipsec-config4.html#1028288>
it appears that the L2TP payload is encapsulated within the IPsec structure. As such, UDP port 1701 shouldn't need to be opened on any device in between the end points of an L2TP-over-IPsec VPN tunnel, only UDP ports 500 for IKE and 4500 for NAT-T. Also, Wireshark should only see IPsec packets if located anywhere except at the endpoints regardless of whether pure IPsec or L2TP-over-IPsec VPNs are operating.
However, I have a physically separate hardware firewall in between the endpoints (a L2TP-over-IPsec client and a L2TP-over-IPsec server) and I've discovered that the L2TP-over-IPsec VPN will only successfully connect if UDP port 1701 is open on the firewall.
Can anyone explain why UDP port 1701 needs to be opened on the hardware firewall if the L2TP payload is encapsulated within the IPsec packet and thus hidden? 
--
Reality Artisans, Inc.             #   Network Wrangling and Delousing
P.O. Box 565, Gracie Station       #   Apple Certified Consultant
New York, NY 10028-0019            #   Apple Consultants Network member
<http://www.realityartisans.com>   #   Apple Developer Connection member
(212) 369-4876 (Voice) # My PGP public key can be found at <https://keyserver.pgp.com>