looka
just joined
Topic Author
Posts: 20
Joined: Sat Apr 14, 2018 3:33 pm

ikev2 ports

Sat Dec 08, 2018 4:16 pm

I have a working IKEv2 VPN connection set up on my RouterOS.
Every tutorial says I need to allow ports 500 and 4500 UDP and IPsec ESP on the input chain. Some tutorials even say port 1701 UDP needs to be opened on the input chain.
Then why is my connection working completely even if I don't allow 1701 or IPsec ESP, but only 500 and 4500? I do allow IPsec on the forward chain, though.
 
JohnTRIVOLTA
Member Candidate
Posts: 128
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: ikev2 ports

Sat Dec 08, 2018 4:47 pm

> I have a working IKEv2 VPN connection set up on my RouterOS.
> Every tutorial says I need to allow ports 500 and 4500 UDP and IPsec ESP on the input chain. Some tutorials even say port 1701 UDP needs to be opened on the input chain.
> Then why is my connection working completely even if I don't allow 1701 or IPsec ESP, but only 500 and 4500? I do allow IPsec on the forward chain, though.

Port 1701 UDP is for the L2TP PPP connection only!
 
looka
just joined
Topic Author
Posts: 20
Joined: Sat Apr 14, 2018 3:33 pm

Re: ikev2 ports

Sat Dec 08, 2018 4:52 pm

Okay, 50% of the mystery solved :)
Why then is my connection working even while I'm not allowing the IPsec protocol (50) on the input chain?
 
JohnTRIVOLTA
Member Candidate
Posts: 128
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: ikev2 ports

Sun Dec 09, 2018 12:04 am

> Okay, 50% of the mystery solved :)
> Why then is my connection working even while I'm not allowing the IPsec protocol (50) on the input chain?

Are you sure? When you have activated IKE (ISAKMP), these protocols (50 and 51) are allowed automatically (unless you explicitly disallow them)!
 
looka
just joined
Topic Author
Posts: 20
Joined: Sat Apr 14, 2018 3:33 pm

Re: ikev2 ports

Sun Dec 09, 2018 9:43 pm

Okay.... never easy with MT.
There are two ways of letting IPsec connections through: allow protocol 50, or allow connections within an IPsec policy.
When I try the first option, the VPN connects but connections somehow do not get through. If I do it with the second type of rule, then everything is fine... any ideas why this happens?
 
JohnTRIVOLTA
Member Candidate
Posts: 128
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: ikev2 ports

Mon Dec 10, 2018 12:07 am

> Okay.... never easy with MT.
> There are two ways of letting IPsec connections through: allow protocol 50, or allow connections within an IPsec policy.
> When I try the first option, the VPN connects but connections somehow do not get through. If I do it with the second type of rule, then everything is fine... any ideas why this happens?

I cannot understand exactly what you are trying to set up - sorry for that.
Find out what you want first! IPsec basically has two modes and two formats: tunnel or transport mode, with ESP or AH format. Just understand the principle of operation of each of the four types.
 
nostromog
newbie
Posts: 41
Joined: Wed Jul 18, 2018 3:39 pm

Re: ikev2 ports  [SOLVED]

Tue Dec 11, 2018 2:04 pm

> Okay, 50% of the mystery solved :)
> Why then is my connection working even while I'm not allowing the IPsec protocol (50) on the input chain?

IPsec works as follows:

* The IKE (Internet Key Exchange) protocol is used to set up a security association (SA) by agreeing on short-term crypto parameters. IKE requires UDP port 500.
* Packets are then exchanged using some IP protocols like ESP, AH and/or IPCOMP:
$ egrep "(-ESP|AH|IPCOM)" /etc/protocols 
esp	50	IPSEC-ESP	# Encap Security Payload [RFC2406]
ah	51	IPSEC-AH	# Authentication Header [RFC2402]
ipcomp	108	IPCOMP		# IP Payload Compression Protocol

As you can see, ESP is protocol 50, AH is 51 and IPCOMP is 108. I have never seen anyone use IPCOMP. Re: AH, it is usually used when you want to guarantee integrity without caring about confidentiality; again, not often.

As addresses and ports are scarce in the small IPv4 world, and existing infrastructure often cannot deal with opening protocols, the standard has NAT traversal provisions: if the machines see that the protocols are not working, they encapsulate every proto 50, 51 or 108 packet in a UDP packet using port 4500. There are good techniques for "punching holes" in firewalls and traversing NAT servers using UDP.
$ grep nat-t /etc/services 
ipsec-nat-t	4500/udp			# IPsec NAT-Traversal [RFC3947]

So, for a working IPsec you need either UDP port 500 and protocol 50, or UDP ports 500 and 4500.

I'm using both approaches:
* naked IPsec for hosts on public IPs, which allows protocol 50
* NAT-traversed IPsec for road warriors and other connections.
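A RouterOS filter rule set that puts the answer above into firewall terms, added here as an illustration; it is not code from any post in this thread. It assumes the VPN terminates on the router itself, that some peers sit on public addresses (naked ESP) and others behind NAT (NAT-T on UDP 4500), and that the rules are placed before any generic drop rule on the input and forward chains. Port 1701 is deliberately absent: it belongs to L2TP, not IKEv2.

```routeros
/ip firewall filter
# IKE on UDP 500; NAT-T on UDP 4500 carries both IKE and UDP-encapsulated ESP.
# A peer behind NAT never delivers protocol 50 to the router, which is why
# allowing only 500 and 4500 can look like a complete setup.
add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IKE and IPsec NAT-T"
# Naked ESP (protocol 50) for peers on public addresses that do not need NAT-T.
add chain=input protocol=ipsec-esp action=accept \
    comment="IPsec ESP from peers without NAT"
# Add an AH rule only if a policy actually uses AH (protocol 51); most do not.
# add chain=input protocol=ipsec-ah action=accept comment="IPsec AH"
# Decrypted packets re-enter the firewall as plain IP, so a protocol=ipsec-esp
# rule in forward never matches them; match on the IPsec policy instead.
add chain=forward ipsec-policy=in,ipsec action=accept \
    comment="Traffic decrypted from an IPsec SA"
add chain=forward ipsec-policy=out,ipsec action=accept \
    comment="Traffic about to be encrypted into an IPsec SA"
```

The forward-chain rules are the part that answers the "VPN connects but nothing gets through" symptom: once ESP is decapsulated, what the forward chain sees is the inner packet, so only an ipsec-policy match (or a rule on the inner addresses) lets it pass. Keep the accept rules narrow (dst-port and protocol, optionally src-address-list for known peers) and place them above the chain's drop rule; a `/ip firewall filter print` will show whether they are being hit.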
