IPSec and L2TP


G

Guest

Hello,

When following article Q240262 I came across a question. If you specify the IP-Sec filters as described (i.e. exactly the same on both source and destination), this would allow only an L2TP connection to be initiated from the destination to the source machine. Mirroring of the IPSec rules only accounts for answers but, as far as I know, does not mirror the ports (i.e. if source port 1701 is allowed from machine A, the mirror rule will specify that machineA can be used as a destination for port 1701, NOT that machine A will allow all ports). Howcome that the configuration still works, even when the L2TP tunnel is set up from the other side then specified in the policy?

Thanks,

Martin
 
Ad

Advertisements

D

David Beder [MSFT]

It works because in the case of L2TP, both source and dst ports are 1701. In
one direction you'll hit your 1701 filter, in the other you'll hit the Any
filter.
The author of the article appears to have attempted to make a few
simplifications to the steps which is probably fine for a novice just trying
to get the job done, but does pose some head-scratchers for those attempting
to really get a handle on the intricacies of an ipsec policy.
Additionally, I think there are some performance enhancements invoked by
using the Any filter which would be trivial for a client, but might be
important for an RRAS server.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


Martin Vl said:
Hello,

When following article Q240262 I came across a question. If you specify
the IP-Sec filters as described (i.e. exactly the same on both source and
destination), this would allow only an L2TP connection to be initiated from
the destination to the source machine. Mirroring of the IPSec rules only
accounts for answers but, as far as I know, does not mirror the ports (i.e.
if source port 1701 is allowed from machine A, the mirror rule will specify
that machineA can be used as a destination for port 1701, NOT that machine A
will allow all ports). Howcome that the configuration still works, even when
the L2TP tunnel is set up from the other side then specified in the policy?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

L2TP/IPSec 1
L2TP IPSec requirements 3
L2TP/IPSec The Sequal 1
VPN-> L2TP & IPSec 2
VPN L2TP/IPSEC 2
L2TP/IPSEC - error 678 15
L2TP/IPSec and RRAS server 1
Certificates Usage and L2TP/IPSec 1

Top