Important note regarding VPN use via Cable Modems, DSL (or other forms of persistent digital connections): This information has been provided to me by the network topology group, to try to assist users who are using these persistent digital connections. Most of your VPN connection difficulties stem from personal Firewall software/devices at your home location. The VPN communicates using a method known as IPSec. IPSec communications must be allowed to pass in and out of your firewall in order for the VPN to work. Make sure that your firewall software/device is set to "Allow IPSec passthrough" and/or see the Microsoft document [see below] in order to enable the specific ports. There are many, many personal firewall solutions available, and support for them is outside of scope. Please consult the documentation that came with your firewall solution on how to properly configure your firewall. Also you can consult with the IS resources provided by your department (or an independent contractor) for assistance in configuring your home computers, firewalls and networks.
Remote Account Requests ========================================= Remote Account Requests - HUP Information Services Division RemoteRequests@uphs.upenn.edu http://www.med.upenn.edu/network/remote/ Open UDP Port 500 (NAT-Detection). Allow traffic to flow in both directions. Transport Protocol (TCP) ID 50 (ESP) and ID 51 (AH) should be allowed. The above traffic should be allowed to flow in both directions to the UPHS vpn switch “vpn.uphs.upenn.edu” 165.123.243.30.
-
========================================================================= The VPN switch's external Internet IP address is: 165.123.243.30 for anyone who needs to specify that address in their firewall configuration. ========================================================================= Microsoft TID 233256
How to Enable IPSec Traffic Through a Firewall (Q233256)
The information in this article applies to: Microsoft Windows 2000 , Advanced Server Microsoft Windows 2000 , Datacenter Server Microsoft Windows 2000 , Professional Microsoft Windows 2000 , Server
SUMMARY
IP Security (IPSec) is used to securely transmit data between computers. It is implemented at the Networking layer (Layer 3) of the Open Systems Interconnection (OSI) model. This provides protection for all IP and upper-layer protocols in the TCP/IP protocol suite. The primary benefit of securing information at Layer 3 is that all programs and services using IP for data transport can be protected.
�MORE INFORMATION
IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports: IP Protocol ID 50: For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded. IP Protocol ID 51: For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded. UDP Port 500: For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.
L2TP/IPSec traffic looks just like IPSec traffic on the wire. The firewall just has to allow IKE (UDP 500) and IPSec ESP formatted packets (IP protocol = 50). It may be necessary to allow Kerberos traffic through the firewall, if so then UDP port 88 and TCP port 88 would also need to be forwarded. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Q253169 Traffic That Can--and Cannot--Be Secured by IPSec Q254949 Client-to-Domain Controller and Domain Controller-to-Domain Controller IPSec Support Q254728 IPSec Does Not Secure Kerberos Traffic Between Domain Controllers
Published May 28 1999 5:21AM Issue kbinfo Type Additiona l Query Words
Last Modifed Mar 3 2001 8:41AM Keywords kbenv kbnetwork
�