VPN and Ports

 
 
Richard Hrubizna
      03-08-2006, 02:17 PM
Hi all,

my question is about ports. I had set up a MsWin2003 VPN server and
configured the firewall.
My firewall and ports:
Client Ports <-> VPN Server Ports

UDP 500 <-> UDP 500
UDP 4500 <-> UDP 4500
UDP 1701 <-> UDP 1701
Protocol 50 <-> Protocol 50

VPN is working fine. But several of our users are behind some routers that are
changing their source ports.
So when they want to connect to our VPN server their source ports are changed
from e.g. UDP 4500 to UDP 32532 and my firewall is blocking their
connections. My question is, if I change my firewall to this, is this a
security risk, or is it safe?

Client Ports <-> VPN Server

UDP whatever <-> UDP 500
UDP whatever <-> UDP 4500
UDP whatever <-> UDP 1701
Protocol 50 <-> Protocol 50


Thanks for reply.


 
Robert L [MS-MVP]
      03-08-2006, 02:46 PM
Setting up "whatever" to the port is normal, and yes, port to port is more secure.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Phillip Windell
      03-08-2006, 03:27 PM
"Richard Hrubizna" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi all,
>
> my question is about ports. I had set up a MsWin2003 VPN server and
> configured firewall.
> My firewall and ports :
> Client Ports <-> VPN Server Ports
>
> UDP 500 <-> UDP 500
> UDP 4500 <-> UDP 4500
> UDP 1701 <-> UDP 1701
> Protocol 50 <-> Protocol 50
>
> VPN is working fine. But several of our users are behind some routers that are
> changing their source ports.


Source ports are always random and are different with every connection; that
isn't something you can do anything about. You can not do things the way
you are trying.

Assuming the users are on the Outside, the VPN Server is on the Inside, and
the firewall is between them...

You have to use Static NAT on the firewall to make the VPN Server available
to the users. You also need to enable "VPN Passthrough" or whatever your
particular brand of router calls it (some can't do it at all); without
that it will not pass the GRE packets (Protocol 47, not 50). The Static NAT
should be done with 1701 unless your particular firewall automatically takes
care of that when you enable "VPN Passthrough". Not all firewall devices
are capable of doing this, and I also see no point in fooling with 500 and
4500 or Protocol 50.

The bottom line is that you have to read the Docs for your Firewall and do
it *their way*, and your firewall may limit your choices by its design.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Richard Hrubizna
      03-08-2006, 04:37 PM
I'm using L2TP/IPSEC VPN and not PPTP VPN.
Therefore ports 500, 4500, 1701, and protocol 50.
And it is not true that source ports are always random, especially with
L2TP/IPSEC.

 
Ace Fekay [MVP]
      03-08-2006, 05:50 PM
In news:(E-Mail Removed),
Richard Hrubizna <(E-Mail Removed)> stated, which I commented on below:
> I'm using L2TP/IPSEC VPN and not PPTP VPN.
> Therefore ports 500,4500,1701,and protocol 50.
> And it is not true that source ports are always random, especially with
> L2TP/IPSEC.


Actually with Windows clients, the UDP ephemeral response port is a random
port above 1024. It's the way Windows works. You can force it to a specific
port if you like. But what's confusing is a VPN should go across those ports
you specified; however, I have never used UDP 1701 or 4500 for L2TP/IPSec,
and you're also missing one. Maybe because you're stipulating UDP is why the
ephemeral response port comes back over a random UDP port. The ones I've
opened up in my Cisco access list, which work fine for me without allowing
anything UDP above 1024 (unless I'm running some other app that has nothing
to do with VPNs), were:

1701 TCP (L2TP Tunnel)
500 UDP (IPSec Security Association)
Protocol ID 50 (IPSec ESP)
Protocol ID 51 (IPSec AH)

--
Ace


Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer



 
Phillip Windell
      03-08-2006, 06:14 PM
Could the NAT-T & IPSec be involved here as well? Wouldn't the IPSec
require NAT-T?

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Ace Fekay [MVP]
      03-09-2006, 05:01 AM

"Phillip Windell" <@.> wrote in message
news:%23KfE$(E-Mail Removed)...
> Could the NAT-T & IPSec be involved here as well? Wouldn't the IPSec
> require NAT-T?
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com


Good point. I went through and re-read his posts, but I didn't see anywhere
stating he's using NAT; the only reference was this about a firewall:

> my question is about ports. I had set up a
> MsWin2003 VPN server and configured firewall.


I guess it's safe to assume NAT is enabled on it, unless it is routing and
not NATing. Win 2003 should support NAT-T. I believe however, NAT-T only
supports ESP and not the AH portion of the tunnel?

Ace


 
Ace Fekay [MVP]
      03-09-2006, 05:30 AM
In news:(E-Mail Removed),
Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&LastNameHere@ho tmail.com>
stated, which I commented on below:
> I guess it's safe to assume NAT is enabled on it, unless it is
> routing and not NATing. Win 2003 should support NAT-T. I believe
> however, NAT-T only supports ESP and not the AH portion of the tunnel?


Ok, I had to verify it and dig up the book. I also read elsewhere concerning
this from a fellow MCT in a private newsgroup. Basically he said (which was
quoted out of the book anyway, from MOC courseware #2277, Infrastructure
Services course, Module 9, p. 25):

"IPSec NAT-T can be used only with ESP"; however, it also says it can't be
used with AH.

Here's what windowsecurity.com says about it:

"NAT-T adds a UDP header that encapsulates the ESP header (it sits between
the ESP header and the outer IP header). This gives the NAT device a UDP
header containing UDP ports that can be used for multiplexing IPSec data
streams. NAT-T also puts the sending computer's original IP address into a
NAT-OA (Original Address) payload. This gives the receiving computer access
to that information so that the source and destination IP addresses and
ports can be checked and the checksum validated. This also solves the
problem of the embedded source IP address not matching the source address on
the packet."

NAT Traversal (NAT-T) Security Issues:
http://www.windowsecurity.com/articl...-Security.html

Now does that mean UDP ports are now required? I couldn't find anything on
that portion, but as Deb Shinder says in that article above, it's a security
concern to detune a system to support IPSec using NAT-T. You might as well
stick with PPTP!

Ace




 
Richard Hrubizna
      03-09-2006, 07:34 AM
Port UDP 4500 with L2TP/IPSEC is used when a client is behind a router that
is NAT-ing the client.
The IPSec ESP header (IP Protocol 50) is encapsulated inside the UDP port
4500 header. Windows Server 2003 uses this procedure to determine if the
packet is from an L2TP/IPSec NAT-T client.

Good article:
http://www.microsoft.com/technet/pro.../vpndeplr.mspx


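Added illustration (not code from the thread, from Microsoft, or from the quoted windowsecurity.com article) of the UDP 4500 encapsulation Richard and the quoted excerpt describe: a small Python demultiplexer applying the RFC 3948 rules a NAT-T receiver uses to tell keepalive, IKE and ESP apart on that one port. The sample datagrams are constructed, and the block covers the IKE and keepalive cases as well as the ESP case the post mentions.

```python
import struct

# Constructed sample datagrams as they would arrive on UDP port 4500 with
# the IP and UDP headers already stripped. Per RFC 3948 a NAT-T receiver
# tells three kinds of payload apart on this one port:
#   - a single 0xFF byte: NAT keepalive from the client behind the NAT
#   - four zero bytes (the "Non-ESP Marker") followed by an IKE header
#   - anything else: an ESP header, whose 32-bit SPI is never zero
NAT_KEEPALIVE = b"\xff"
NON_ESP_MARKER = b"\x00\x00\x00\x00"

# Constructed ESP datagram: SPI 0x0A1B2C3D, sequence 7, then dummy ciphertext
SAMPLE_ESP = struct.pack("!II", 0x0A1B2C3D, 7) + b"\x9c\x41\x07\xd3" * 4
# Constructed IKE datagram: marker + 28-byte IKEv1-style header (initiator
# and responder SPIs, next payload, version, exchange type, flags, id, length)
SAMPLE_IKE = (NON_ESP_MARKER + b"\x11" * 8 + b"\x00" * 8
              + b"\x01\x10\x05\x00" + struct.pack("!II", 0, 28))


def classify_udp4500(payload: bytes) -> dict:
    """Demultiplex one UDP 4500 payload into keepalive, IKE or ESP.

    Returns a dict with a 'kind' key and, for ESP, the SPI and sequence
    number a firewall or IDS could use to track the encapsulated flow.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        # Too short for an ESP header (SPI + sequence) or marker + IKE SPI
        return {"kind": "malformed", "reason": "payload shorter than 8 bytes"}
    if payload[:4] == NON_ESP_MARKER:
        # IKE moves from UDP 500 to 4500 once NAT is detected; the marker
        # keeps it distinguishable because an ESP SPI of zero is reserved
        return {"kind": "ike", "ike_length": len(payload) - 4}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize(datagrams) -> list:
    """Classify a sequence of UDP 4500 payloads and return their kinds."""
    return [classify_udp4500(d)["kind"] for d in datagrams]


if __name__ == "__main__":
    for d in (NAT_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, b"\x00\x00\x00"):
        print(classify_udp4500(d))
```

Because the server matches on destination port 4500 and on this payload structure, not on the client's source port, a NAT rewriting that source port does not break the demultiplexing; this is why the server side of the rule can be the fixed port while the client side is left open.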
 
Ace Fekay [MVP]
      03-09-2006, 02:01 PM
In news:(E-Mail Removed),
Richard Hrubizna <(E-Mail Removed)> stated, which I commented on below:
> Port UDP 4500 with L2TP/IPSEC is used when a client is behind a
> router that is NAT-ing client.
> The IPSec ESP header (IP Protocol 50) is encapsulated inside the UDP
> port 4500 header. The Windows Server 2003 uses this procedure to
> determine if the packet is from an L2TP/IPSec NAT-T client.
>
> Good article :
> http://www.microsoft.com/technet/pro.../vpndeplr.mspx


That explains why the UDP ports!

Thanks for posting that Richard.

I think getting back to the original question about the source ports
changing, what have you tried to handle it? Possibly allowing a UDP range?

Ace


 