Wireshark-users: Re: [Wireshark-users] L2TP-over-IPsec (may be off topic)

From: Kok-Yong Tan <ktan@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 14 Sep 2010 14:06:31 -0400
Let me clarify one point:

When I said "UDP port 1701 is open on the firewall," what I meant is that a firewall rule allowing UDP traffic from the WAN zone to LAN zone (no specific device IPs are listed, just a zone-to-zone rule) at port 1701 must be created. Interestingly, there is *NO* corresponding NAT rule that port forwards from port 1701 at the firewall to the L2TP-over-IPsec server on the back end!!!

I've spoken to the manufacturers of the firewall and their Level 1 techs are even more confused than I am. They claim that the reason for it working is that "L2TP packets are also flowing" but that's impossible because without a corresponding NAT port forwarding rule, any packets arriving at port 1701 are just going to be discarded by the firewall. Yet it works!

The only thing I can think of is that without the abovementioned WAN to LAN rule, the firewall is somehow squelching L2TP packets once they unfurl from within the encrypted IPsec packets as it is also the router for the LAN subnet. Although why an L2TP packet would need to leave the NIC when it should be handled by the networking stack within the L2TP-over-IPsec server puzzles me... And even though I've set the logs on the firewall to "debug" level, no blocking of packets to port 1701 when the firewall rule isn't activated shows up in the logs--the VPN just doesn't complete and the client complains that the "L2TP server is not responding."

Comments?

On Sep 14, 2010, at 13:01, Kok-Yong Tan wrote:

 From what I've read here (especially figures 54 and 55):

<http://www.juniper.net/techpubs/software/erx/junose53/swconfig-
routing-vol1/html/l2tp-over-ipsec-config4.html#1028288>

it appears that the L2TP payload is encapsulated within the IPsec
structure.  As such, UDP port 1701 shouldn't need to be opened on any
device in between the end points of an L2TP-over-IPsec VPN tunnel,
only UDP ports 500 for IKE and 4500 for NAT-T. Also, Wireshark should
only see IPsec packets if located anywhere except at the endpoints
regardless of whether pure IPsec or L2TP-over-IPsec VPNs are operating.

However, I have a physically separate hardware firewall in between
the endpoints (a L2TP-over-IPsec client and a L2TP-over-IPsec server)
and I've discovered that the L2TP-over-IPsec VPN will only
successfully connect if UDP port 1701 is open on the firewall.

Can anyone explain why UDP port 1701 needs to be opened on the
hardware firewall if the L2TP payload is encapsulated within the
IPsec packet and thus hidden?

--
Reality Artisans, Inc.             #   Network Wrangling and Delousing
P.O. Box 565, Gracie Station       #   Apple Certified Consultant
New York, NY 10028-0019            #   Apple Consultants Network member
<http://www.realityartisans.com>   #   Apple Developer Connection member
(212) 369-4876 (Voice) # My PGP public key can be found at <https://keyserver.pgp.com>