Alan
Mon Apr 30 18:21:35 CDT 2007
Hi,
From Technet and the Win2003 Deployment guide.
L2TP/IPSec connections

For an L2TP/IPSec connection, configure the following packet filters on the
Internet and perimeter network interfaces of the firewall.

Internet interface of the firewall
On the firewall's Internet interface, configure the inbound and outbound
filters in Table 8.7, specifying that all packets are dropped except those
that are specified by the filters.

Table 8.7 VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall's
Internet Interface

Inbound filters:
  - Destination IP address = Perimeter network interface of VPN server,
    UDP destination port = 500 (0x1F4)
    Action: Allows IKE traffic to the VPN server.
  - Destination IP address = Perimeter network interface of VPN server,
    UDP destination port = 4500 (0x1194)
    Action: Allows IPSec NAT-T traffic to the VPN server.
  - Destination IP address = Perimeter network interface of VPN server,
    IP Protocol ID = 50 (0x32)
    Action: Allows IPSec ESP traffic to the VPN server.

Outbound filters:
  - Source IP address = Perimeter network interface of VPN server,
    UDP source port = 500 (0x1F4)
    Action: Allows IKE traffic from the VPN server.
  - Source IP address = Perimeter network interface of VPN server,
    UDP source port = 4500 (0x1194)
    Action: Allows IPSec NAT-T traffic from the VPN server.
  - Source IP address = Perimeter network interface of VPN server,
    IP Protocol ID = 50 (0x32)
    Action: Allows IPSec ESP traffic from the VPN server.

No filters are required for L2TP traffic at UDP port 1701. All L2TP traffic
at the firewall, including tunnel maintenance and tunneled data, is
encrypted as an IPSec ESP payload.
Perimeter network interface of the firewall
On the firewall's perimeter network interface, configure the inbound and
outbound filters in Table 8.8, specifying that all packets are dropped except
those that are selected by the filters.

Table 8.8 VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall's
Perimeter Network Interface

Inbound filters:
  - Source IP address = Perimeter network interface of VPN server,
    UDP source port = 500 (0x1F4)
    Action: Allows IKE traffic from the VPN server.
  - Source IP address = Perimeter network interface of VPN server,
    UDP source port = 4500 (0x1194)
    Action: Allows IPSec NAT-T traffic from the VPN server.
  - Source IP address = Perimeter network interface of VPN server,
    IP Protocol ID = 50 (0x32)
    Action: Allows IPSec ESP traffic from the VPN server.

Outbound filters:
  - Destination IP address = Perimeter network interface of VPN server,
    UDP destination port = 500 (0x1F4)
    Action: Allows IKE traffic to the VPN server.
  - Destination IP address = Perimeter network interface of VPN server,
    UDP destination port = 4500 (0x1194)
    Action: Allows IPSec NAT-T traffic to the VPN server.
  - Destination IP address = Perimeter network interface of VPN server,
    IP Protocol ID = 50 (0x32)
    Action: Allows IPSec ESP traffic to the VPN server.
The above should come to 12.
So you are correct: 2 ports (500, 4500), 1 protocol (50), 2 directions and 2
interfaces, as this scenario is set up as a firewall.
--
Regards,
Alan
This posting is provided "AS IS" with no warranties, and confers no rights.
"Maxim M. Kazachek" <maxim.kazachek@sib.sbrf.ru> wrote in message
news:uJTY060iHHA.2408@TK2MSFTNGP02.phx.gbl...
> Yann wrote:
>> Hello,
>>
>> Can anyone please explain me the answer from the MSPress Book 70-291
>> (page 9-84) for the following question:
>>
>> "You have deployed a Windows Server 2003 computer running the Routing And
>> Remote Access Service router to function as a simple firewall. How many
>> packet filters do you need to create to support remote access to a VPN
>> server through L2TP/IPSec? Assume that you want to provide the strictest
>> security standards."
>>
>> Answer: Twelve
>>
>>
>> Thanks a lot for your answers
>>
> Perhaps 2 ports, 1 protocol number, 2 directions and, at least, two
> interfaces, i.e. 3*2*2=12?
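To make the 3*2*2 count concrete, here is an added Python model (not from the thread or the Technet guide it quotes) that generates the twelve filters of Tables 8.7 and 8.8 as a default-deny policy and evaluates sample packets against it; the VPN server's perimeter address is a constructed placeholder, and a plaintext UDP 1701 packet is shown dropping because L2TP only ever crosses the firewall inside ESP.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder for the VPN server's perimeter-network address.
VPN_SERVER = "10.0.1.10"

@dataclass(frozen=True)
class Filter:
    interface: str        # firewall interface: "internet" or "perimeter"
    direction: str        # "in" or "out" on that interface
    match_field: str      # "dst" or "src": which address/port the filter checks
    protocol: str         # "udp" or "esp" (IP protocol 50)
    port: Optional[int]   # UDP port, or None for ESP
    note: str             # the table's "Action" text, abbreviated

def build_filters():
    """Tables 8.7 and 8.8: IKE (UDP 500), NAT-T (UDP 4500) and ESP, in both
    directions on both interfaces. Traffic toward the VPN server is matched on
    destination fields, traffic from it on source fields."""
    services = [("udp", 500, "IKE"), ("udp", 4500, "IPSec NAT-T"), ("esp", None, "IPSec ESP")]
    rules = []
    # On the Internet interface packets *to* the server arrive inbound (8.7);
    # on the perimeter interface they leave outbound (8.8).
    for interface, to_server in (("internet", "in"), ("perimeter", "out")):
        for direction in ("in", "out"):
            field = "dst" if direction == to_server else "src"
            for proto, port, name in services:
                rules.append(Filter(interface, direction, field, proto, port, name))
    return rules

FILTERS = build_filters()   # 2 interfaces x 2 directions x 3 services = 12

def evaluate(interface, direction, packet):
    """Default deny: return the matching filter's note, or 'DROP'.
    packet is a dict with src_ip, dst_ip, proto and, for UDP, src_port/dst_port."""
    for f in FILTERS:
        if (f.interface, f.direction) != (interface, direction):
            continue
        if packet[f.match_field + "_ip"] != VPN_SERVER or packet["proto"] != f.protocol:
            continue
        if f.protocol == "udp" and packet.get(f.match_field + "_port") != f.port:
            continue
        return f.note
    return "DROP"
```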