On 14 Sep 2010, at 19:01, Kok-Yong Tan wrote:
> However, I have a physically separate hardware firewall in between
> the endpoints (a L2TP-over-IPsec client and a L2TP-over-IPsec server)
> and I've discovered that the L2TP-over-IPsec VPN will only
> successfully connect if UDP port 1701 is open on the firewall.
What do you mean by "successfully connect"? Does that mean the L2TP-over-IPsec client and the L2TP-over-IPsec server can communicate with each other? Did you check whether there is actually a tunnel formed? If not, it's just an L2TP connection, and that will work, but it will not be encrypted.
It seems like the L2TP tunnel just does not trigger the IPsec encapsulation to kick in. What does a network trace say? Only traffic on UDP port 1701, no UDP port 500, no IP proto 50 and no UDP port 4500? That would be in sync with the above.
What type of L2TP-over-IPsec client and L2TP-over-IPsec server are involved?
Cheers,
Sake
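A check in the spirit of the trace question above, added here and not part of the original thread: it classifies tcpdump-style summary lines (constructed samples, not a real capture) and reports whether IPsec was actually negotiated or only cleartext L2TP on UDP 1701 is crossing the firewall.

```python
import re

# Constructed tcpdump-style summary lines (not a real capture). Case A: L2TP
# is negotiated and carried inside IPsec (IKE on UDP 500, then NAT-T on UDP
# 4500 with UDP-encapsulated ESP). Case B: only cleartext L2TP on UDP 1701.
TRACE_WITH_IPSEC = """\
10.0.0.2.500 > 10.0.0.1.500: isakmp: phase 1 I ident
10.0.0.1.500 > 10.0.0.2.500: isakmp: phase 1 R ident
10.0.0.2.4500 > 10.0.0.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
10.0.0.2.4500 > 10.0.0.1.4500: UDP-encap: ESP(spi=0x0000abcd,seq=0x1)
10.0.0.1.4500 > 10.0.0.2.4500: UDP-encap: ESP(spi=0x00001234,seq=0x1)
"""
TRACE_CLEAR_L2TP = """\
10.0.0.2.1701 > 10.0.0.1.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
10.0.0.1.1701 > 10.0.0.2.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP)
"""

PORT_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")

def classify_line(line):
    """Tag one summary line: esp / isakmp / nat-t / l2tp-clear / other."""
    if "ESP(" in line:          # raw IP proto 50 or UDP-encapsulated on 4500
        return "esp"
    m = PORT_RE.match(line)
    if not m:
        return "other"
    ports = {int(m.group(2)), int(m.group(4))}
    if 500 in ports:
        return "isakmp"
    if 4500 in ports:
        return "nat-t"
    if 1701 in ports:
        # L2TP visible on the wire is cleartext: inside ESP ports are hidden
        return "l2tp-clear"
    return "other"

def assess_trace(trace):
    """Return (verdict, per-tag counts) for a block of summary lines."""
    counts = {}
    for line in trace.splitlines():
        if line.strip():
            tag = classify_line(line)
            counts[tag] = counts.get(tag, 0) + 1
    if counts.get("l2tp-clear") and not counts.get("esp"):
        return "unencrypted L2TP: no IPsec traffic seen", counts
    if counts.get("esp"):
        return "IPsec tunnel active", counts
    if counts.get("isakmp") or counts.get("nat-t"):
        return "IKE seen but no ESP: SA not established", counts
    return "no L2TP or IPsec traffic", counts
```

Feed it real `tcpdump -n udp port 500 or udp port 4500 or udp port 1701 or proto 50` output from the firewall to see which case you are in.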