From what I've read here (especially figures 54 and 55):
<http://www.juniper.net/techpubs/software/erx/junose53/swconfig-routing-vol1/html/l2tp-over-ipsec-config4.html#1028288>
it appears that the L2TP payload is encapsulated within the IPsec
structure. As such, UDP port 1701 shouldn't need to be opened on any
device in between the end points of an L2TP-over-IPsec VPN tunnel,
only UDP ports 500 for IKE and 4500 for NAT-T. Also, Wireshark should
only see IPsec packets if located anywhere except at the endpoints,
regardless of whether pure IPsec or L2TP-over-IPsec VPNs are operating.
However, I have a physically separate hardware firewall in between
the endpoints (an L2TP-over-IPsec client and an L2TP-over-IPsec server),
and I've discovered that the L2TP-over-IPsec VPN will only
successfully connect if UDP port 1701 is open on the firewall.
Can anyone explain why UDP port 1701 needs to be opened on the
hardware firewall if the L2TP payload is encapsulated within the
IPsec packet and thus hidden?
--
Reality Artisans, Inc. # Network Wrangling and Delousing
P.O. Box 565, Gracie Station # Apple Certified Consultant
New York, NY 10028-0019 # Apple Consultants Network member
<http://www.realityartisans.com> # Apple Developer Connection member
(212) 369-4876 (Voice) # My PGP public key can be found
at <https://keyserver.pgp.com>
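An added illustration, not part of the original post, of the encapsulation the question describes. It models L2TP/IPsec in transport mode with only the Python standard library: the L2TP control message rides in a UDP 1701 segment, that segment is the protected payload of ESP, and ESP either travels directly as IP protocol 50 or, with NAT-T, inside UDP 4500 (RFC 3948, where four zero bytes after the UDP header mark IKE rather than ESP). The port and protocol numbers are the real ones; the addresses, key, SPI and the sample L2TP header are constructed, and the SHA-256-based keystream and ICV are toy stand-ins for ESP's real cipher and HMAC, so the only property they demonstrate is that the inner headers are not parseable in flight. `firewall_view` is what a stateless filter between the endpoints can classify from one packet; `endpoint_decapsulate` is what only the tunnel endpoints can recover.

```python
"""Toy model of L2TP/IPsec (transport mode) vs. plain L2TP, showing what a
mid-path firewall sees. Addresses, key, SPI and L2TP bytes are constructed;
the cipher and ICV are stand-ins, not real ESP crypto."""
import hashlib
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
PORT_NAT_T = 4500
PORT_L2TP = 1701

# Constructed 12-byte L2TPv2 control header (T, L, S bits set, version 2,
# length 12, tunnel/session id and Ns/Nr zero). Contents are irrelevant here.
SAMPLE_L2TP = bytes.fromhex("c802000c0000000000000000")
KEY = b"constructed-demo-key"  # assumption: pre-shared toy key for the stand-in cipher


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, _ip(src), _ip(dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = _checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)  # zero checksum is legal for IPv4


def _xor_stream(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    # Stand-in for ESP's cipher: a SHA-256 counter keystream, keyed per SPI/seq.
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _icv(key: bytes, spi: int, seq: int, ct: bytes) -> bytes:
    return hashlib.sha256(key + struct.pack("!II", spi, seq) + ct).digest()[:12]  # stand-in for HMAC


def esp_transport(key: bytes, spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    pad_len = (-(len(inner) + 2)) % 4                 # ESP trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ct = _xor_stream(key, spi, seq, inner + trailer)
    return struct.pack("!II", spi, seq) + ct + _icv(key, spi, seq, ct)


def build_plain_l2tp(src: str, dst: str, l2tp: bytes) -> bytes:
    seg = udp_header(PORT_L2TP, PORT_L2TP, len(l2tp)) + l2tp
    return ipv4_header(src, dst, IPPROTO_UDP, len(seg)) + seg


def build_l2tp_over_ipsec(src, dst, key, spi, seq, l2tp, nat_t: bool) -> bytes:
    seg = udp_header(PORT_L2TP, PORT_L2TP, len(l2tp)) + l2tp     # UDP 1701 is inside ESP
    esp = esp_transport(key, spi, seq, seg, IPPROTO_UDP)
    if nat_t:
        outer = udp_header(PORT_NAT_T, PORT_NAT_T, len(esp)) + esp
        return ipv4_header(src, dst, IPPROTO_UDP, len(outer)) + outer
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def firewall_view(packet: bytes) -> dict:
    """What a stateless filter between the endpoints can classify."""
    body, proto = packet[(packet[0] & 0x0F) * 4:], packet[9]
    if proto == IPPROTO_ESP:
        return {"proto": "ESP", "spi": struct.unpack("!I", body[:4])[0]}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        view = {"proto": "UDP", "sport": sport, "dport": dport}
        if dport == PORT_NAT_T:  # RFC 3948: Non-ESP Marker (4 zero bytes) means IKE, else ESP
            view["carries"] = "IKE" if body[8:12] == b"\0\0\0\0" else "ESP"
        return view
    return {"proto": str(proto)}


def endpoint_decapsulate(packet: bytes, key: bytes) -> dict:
    """Only a tunnel endpoint holding the key recovers the inner UDP 1701 segment."""
    body, proto = packet[(packet[0] & 0x0F) * 4:], packet[9]
    if proto == IPPROTO_UDP:
        if struct.unpack("!H", body[2:4])[0] != PORT_NAT_T:
            raise ValueError("not IPsec: UDP to port %d in the clear" % struct.unpack("!H", body[2:4])[0])
        body = body[8:]                                   # strip the NAT-T UDP wrapper
    spi, seq = struct.unpack("!II", body[:8])
    ct, icv = body[8:-12], body[-12:]
    if icv != _icv(key, spi, seq, ct):
        raise ValueError("ICV mismatch")
    pt = _xor_stream(key, spi, seq, ct)
    pad_len, next_header = pt[-2], pt[-1]
    inner = pt[:-(2 + pad_len)]
    sport, dport = struct.unpack("!HH", inner[:4])
    return {"next_header": next_header, "sport": sport, "dport": dport, "l2tp": inner[8:]}


if __name__ == "__main__":
    for name, pkt in [("plain L2TP", build_plain_l2tp("192.0.2.10", "198.51.100.1", SAMPLE_L2TP)),
                      ("ESP transport", build_l2tp_over_ipsec("192.0.2.10", "198.51.100.1", KEY, 0x1000, 1, SAMPLE_L2TP, False)),
                      ("NAT-T", build_l2tp_over_ipsec("192.0.2.10", "198.51.100.1", KEY, 0x1000, 1, SAMPLE_L2TP, True))]:
        print(name, firewall_view(pkt))
```

Running it shows the three cases a filter can distinguish: plain L2TP exposes UDP 1701; ESP without NAT-T shows no UDP header at all, only IP protocol 50 (which the firewall must also permit, in addition to UDP 500 and 4500, when NAT-T is not negotiated); NAT-T shows UDP 4500 carrying ESP. In this model the only packets on which a device between the endpoints can match UDP 1701 are L2TP segments that travel outside ESP.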