
VPN Protocol Ports


Copied from TechNet, mainly for the RRAS (Routing and Remote Access) service on Windows Server: a list of all the ports each VPN protocol needs. I thought it might be handy for port forwarding and for troubleshooting in general when dealing with VPN protocols.

@technet
-------------------------------------------------------------------------------------
| 1) If RRAS based VPN server is behind a firewall (i.e. a firewall is placed       |
| between Internet and RRAS server), then following ports need to be opened         |
| (bidirectional) on this firewall to allow VPN traffic to pass through:            |
-------------------------------------------------------------------------------------
For PPTP:
  IP Protocol=TCP, TCP Port number=1723	<- Used by PPTP control path
  IP Protocol=GRE (value 47)		<- Used by PPTP data path

For L2TP:
  IP Protocol Type=UDP, UDP Port Number=500	<- Used by IKEv1 (IPSec control path)
  IP Protocol Type=UDP, UDP Port Number=4500	<- Used by IKEv1 (IPSec control path)
  IP Protocol Type=ESP (value 50)			<- Used by IPSec data path

For SSTP:
  IP Protocol=TCP, TCP Port number=443	<- Used by SSTP control and data path

For IKEv2:
  IP Protocol Type=UDP, UDP Port Number=500	<- Used by IKEv2 (IPSec control path)
  IP Protocol Type=UDP, UDP Port Number=4500	<- Used by IKEv2 (IPSec control path)
  IP Protocol Type=ESP (value 50)			<- Used by IPSec data path


-------------------------------------------------------------------------------------
| 2) If RRAS server is directly connected to Internet, then you need to protect     |
| RRAS server from the Internet side (i.e. only allow access to the services on the |
| public interface that is accessible from the Internet side). This can be done     |
| using RRAS static filters or running Windows Firewall on the public interface     |
| (or the interface towards the Internet side). In this scenario following ports    |
| need to be opened (bidirectional) on RRAS box to allow VPN to pass through:       |
-------------------------------------------------------------------------------------
For PPTP:
  IP Protocol=TCP, TCP Port number=1723	<- Used by PPTP control path
  IP Protocol=GRE (value 47)		<- Used by PPTP data path

For L2TP:
  IP Protocol Type=UDP, UDP Port Number=500	<- Used by IKEv1 (IPSec control path)
  IP Protocol Type=UDP, UDP Port Number=4500	<- Used by IKEv1 (IPSec control path)
  IP Protocol Type=UDP, UDP Port Number=1701	<- Used by L2TP control/data path
  IP Protocol Type=50				<- Used by data path (ESP)

For SSTP:
  IP Protocol=TCP, TCP Port number=443	<- Used by SSTP control and data path

For IKEv2:
  IP Protocol Type=UDP, UDP Port Number=500	<- Used by IKEv2 (IPSec control path)
  IP Protocol Type=UDP, UDP Port Number=4500	<- Used by IKEv2 (IPSec control path)
  IP Protocol Type=UDP, UDP Port Number=1701	<- Used by L2TP control/data path
  IP Protocol Type=50				<- Used by data path (ESP)

Note: Please DO NOT configure RRAS static filters if you are running RRAS based NAT 
router functionality on the same server. This is because RRAS static filters are 
stateless and NAT translation requires a stateful edge firewall like the ISA firewall.

Do not forget: If you enable Windows Firewall or RRAS static filters on the public 
interface and only allow VPN traffic to pass through, then all other traffic may 
be dropped. For example, if the same server is also running as an Internet-facing 
mail server, a DNS server or a reverse web proxy server, then you need to enable the 
ports used by those services explicitly.
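As an added worked example (my own, not part of the copied TechNet text), here is a PowerShell script for scenario 2 that turns the port list above into inbound Windows Firewall rules scoped to the RRAS server's public interface, opening only the protocols you actually deploy. It assumes the public adapter's alias is `Public` (check `Get-NetAdapter`) and that the NetSecurity module cmdlets `New-NetFirewallRule` and `Get-NetFirewallRule` are available, as they are on Windows Server 2012 and later. The same table is what you would configure on the external firewall in scenario 1.

```powershell
<#
  Added example, not from the TechNet text: create inbound Windows Firewall rules on an
  RRAS server's public interface for the VPN protocols actually in use (scenario 2).
  Assumptions: the public adapter's alias is 'Public' (verify with Get-NetAdapter) and
  the NetSecurity module (New-NetFirewallRule, Get-NetFirewallRule) is available.
  Run from an elevated PowerShell session.
#>
param(
    [ValidateSet('PPTP', 'L2TP', 'SSTP', 'IKEv2')]
    [string[]]$Protocols = @('IKEv2', 'SSTP'),   # open only what is deployed
    [string]$PublicInterface = 'Public'           # assumed alias, adjust to match
)

# Port table transcribed from the list above. GRE (47) and ESP (50) carry no port;
# New-NetFirewallRule -Protocol accepts the IP protocol number for those.
# UDP 1701 is the L2TP port and appears here only under L2TP, although the copied
# list also shows it under IKEv2; an IKEv2-only server does not need it open.
$vpnRules = @{
    'PPTP'  = @(
        @{ Name = 'PPTP control (TCP 1723)';     Protocol = 'TCP'; Port = 1723 },
        @{ Name = 'PPTP data (GRE, IP 47)';      Protocol = '47' }
    )
    'L2TP'  = @(
        @{ Name = 'IKEv1 (UDP 500)';             Protocol = 'UDP'; Port = 500 },
        @{ Name = 'IKEv1 NAT-T (UDP 4500)';      Protocol = 'UDP'; Port = 4500 },
        @{ Name = 'L2TP (UDP 1701)';             Protocol = 'UDP'; Port = 1701 },
        @{ Name = 'IPsec ESP (IP 50)';           Protocol = '50' }
    )
    'SSTP'  = @(
        @{ Name = 'SSTP (TCP 443)';              Protocol = 'TCP'; Port = 443 }
    )
    'IKEv2' = @(
        @{ Name = 'IKEv2 (UDP 500)';             Protocol = 'UDP'; Port = 500 },
        @{ Name = 'IKEv2 NAT-T (UDP 4500)';      Protocol = 'UDP'; Port = 4500 },
        @{ Name = 'IPsec ESP (IP 50)';           Protocol = '50' }
    )
}

foreach ($p in $Protocols) {
    foreach ($r in $vpnRules[$p]) {
        $rule = @{
            DisplayName    = "RRAS VPN - $p - $($r.Name)"
            Group          = 'RRAS VPN'
            Direction      = 'Inbound'
            Action         = 'Allow'
            Profile        = 'Public'
            InterfaceAlias = $PublicInterface   # scope the rule to the Internet-facing NIC
            Protocol       = $r.Protocol
        }
        if ($r.ContainsKey('Port')) { $rule['LocalPort'] = $r.Port }

        # Idempotent: skip rules that already exist so the script can be re-run safely.
        if (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue) {
            Write-Host "Exists : $($rule.DisplayName)"
        } else {
            New-NetFirewallRule @rule | Out-Null
            Write-Host "Created: $($rule.DisplayName)"
        }
    }
}

# Per the 'Do not forget' note above: nothing else on the public interface is reachable
# unless it has its own rule. Review what the VPN group now allows, then add explicit
# rules for any other Internet-facing service (mail, DNS, reverse proxy) the same way.
Get-NetFirewallRule -Group 'RRAS VPN' | Select-Object DisplayName, Enabled, Profile, Direction
```

Save it under a name of your choosing (for instance `Set-RrasVpnFirewall.ps1`, an assumed name) and run `.\Set-RrasVpnFirewall.ps1 -Protocols IKEv2 -PublicInterface 'Ethernet 2'` from an elevated prompt. Windows Firewall is stateful, so inbound rules are enough for the return traffic even though the TechNet text says "bidirectional" for a generic firewall; only if you have changed the Public profile's outbound default to Block do you need matching outbound rules.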


Original Post: Jan 28th, '22 15:02 CET.
Updated: Jan 28th, '22 15:16 CET.

Tags: Windows Misc