IPsec tunnelling

12-28-2017 11:54 AM

Protocols and Ports used: esp 50, ah 51, udp 500 and 4500.

My question is, if protocol 51 is blocked on an ACL, what all will be shown having a filter setup on the circuit?

Scenario: filter shows udp 500, but not 4500 traffic.

Obviously the tunnel will not work without adjusting the ACL. I am looking for a specific sequence of events.

There are many explanations of the phases establishing connections, but what there is a lack of is a straightforward explanation of how the ports/protocols interact in phase 2, i.e., what will be seen first on the distant end, and what are the sequence of events (by port/protocol) during phase 2?


Re: IPsec tunnelling

01-02-2018 05:04 PM

Move this question over to SRX Security.

FYI - IPSec will use UDP port 500 by default. When you configure your IKE gateway, your end devices will use that address to set up the tunnel. If there is a device between them that is performing NAT, then the address will be changed and the IKE will drop the packet so the VPN will not come up. If you configure NAT-T, the whole entire packet will be wrapped in a UDP packet using port 4500. The other endpoint will then no longer drop the packet, but will simply strip the UDP header and find the correct IP and establish the VPN session. So if NAT-T is not configured, then you would not see port 4500.

This should also help in understanding the questions you asked while awaiting an answer.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
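As an added illustration (my own Python, not part of the thread or either poster's answer), the model below shows what a port/protocol filter on the circuit sees for a tunnel with and without NAT-T, and which packets an ACL blocking protocol 51 or udp/4500 would remove. The packets are constructed samples; the udp/4500 demultiplexing follows RFC 3948 (a single 0xFF octet is a keepalive, four zero octets before the IKE header mark IKE, anything else is UDP-encapsulated ESP whose SPI is never zero).

```python
import struct

# Constructed sample packets (not from the thread). Each tuple is
# (ip_protocol, udp_dst_port or None, udp_payload) as a circuit filter sees it.
IKE_MSG = b"\x00" * 28          # stand-in for a 28-byte IKE header
ESP_MSG = struct.pack("!II", 0x0A1B2C3D, 1) + b"\x00" * 16  # SPI, seq, ciphertext
NO_NAT_T = [(17, 500, IKE_MSG), (50, None, b""), (50, None, b"")]
WITH_NAT_T = [(17, 500, IKE_MSG),                         # IKE starts on udp/500 ...
              (17, 4500, b"\x00\x00\x00\x00" + IKE_MSG),  # ... moves to 4500 once NAT is detected
              (17, 4500, ESP_MSG),                        # ESP wrapped in UDP 4500
              (17, 4500, b"\xff")]                        # NAT keepalive


def classify(ip_proto, dst_port=None, payload=b""):
    """Label one packet the way a port/protocol filter would report it."""
    if ip_proto == 50:
        return "ESP (IP protocol 50)"
    if ip_proto == 51:
        return "AH (IP protocol 51)"
    if ip_proto != 17:
        return "not IPsec"
    if dst_port == 500:
        return "IKE (udp/500)"
    if dst_port == 4500:
        if payload == b"\xff":                      # RFC 3948 NAT keepalive
            return "NAT-T keepalive (udp/4500)"
        if payload[:4] == b"\x00\x00\x00\x00":      # non-ESP marker precedes IKE
            return "NAT-T IKE (udp/4500)"
        if len(payload) < 8:                        # too short to hold an ESP header
            return "NAT-T (udp/4500) truncated"
        spi = struct.unpack("!I", payload[:4])[0]   # UDP-encapsulated ESP, SPI != 0
        return "NAT-T ESP (udp/4500, SPI 0x%08x)" % spi
    return "not IPsec"


def visible_after_acl(packets, blocked_protocols=(), blocked_udp_ports=()):
    """Return the labels a filter placed beyond the ACL would still see."""
    seen = []
    for proto, port, payload in packets:
        if proto in blocked_protocols or (proto == 17 and port in blocked_udp_ports):
            continue  # dropped by the ACL, never reaches the filter
        seen.append(classify(proto, port, payload))
    return seen


if __name__ == "__main__":
    print("no NAT-T, AH blocked:", visible_after_acl(NO_NAT_T, blocked_protocols=(51,)))
    print("NAT-T, 4500 blocked: ", visible_after_acl(WITH_NAT_T, blocked_udp_ports=(4500,)))
```

Running it shows that an ESP-based tunnel is untouched by an ACL on protocol 51, that without NAT-T nothing on udp/4500 ever appears, and that blocking udp/4500 on a NAT-T tunnel leaves only the initial udp/500 exchange visible.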