General Question on VPN behind a Firewall

sidcracker
Level 1

Hello,

I am going to be implementing a Firewall VPN Solution which is behind another Firewall. The termination point will be the second firewall. In this kind of a scenario, what are some of the things that you need to configure, which is different from the common scenario of an Edge Firewall termination point? Most likely this will be a layer 2 type IPSEC VPN.

Thanks

3 Replies

Jennifer Halim
Cisco Employee

What do you mean by L2 type IPSec VPN?

For the generic IPSec VPN, it uses UDP/500 and ESP for its protocol (phase 1 and phase 2 respectively). If it's passing through a NAT router, then the ESP protocol can be encapsulated, and it's called NAT-T (NAT-Traversal) and by default it uses UDP/4500.

Those are the protocols that you would need to open on the firewall to allow the IPSec VPN connection through.
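The rule set described in this answer, modelled as a small Python evaluator for the outer (first) firewall. This is an added example, not code from the thread or from Cisco; the terminator address `VPN_TERMINATOR` and the sample packets are constructed values. It permits IKE on UDP/500, ESP as IP protocol 50 (not a port), and NAT-T on UDP/4500 toward the inner firewall, and denies everything else, including the L2TP port itself, which in L2TP over IPsec only ever travels inside the ESP tunnel and so never appears to the outer firewall. A second helper shows why UDP/4500 alone covers NAT-T: per RFC 3948 the datagram carries IKE when it starts with a four-zero-byte non-ESP marker, a one-byte 0xFF NAT keepalive, and otherwise UDP-encapsulated ESP.

```python
"""Outer-firewall passthrough model for an IPsec / L2TP-over-IPsec VPN that
terminates on an inner firewall.  Added example; all addresses and packets
below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed address of the inner, terminating firewall (RFC 5737 documentation range).
VPN_TERMINATOR = "203.0.113.10"

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50        # ESP is its own IP protocol number, not a TCP/UDP port

IKE_PORT = 500           # IKE, phase 1
NAT_T_PORT = 4500        # NAT-T: IKE plus UDP-encapsulated ESP
L2TP_PORT = 1701         # L2TP control/data; carried inside ESP, never seen by the outer firewall


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP datagram as the outer firewall sees it."""
    src: str
    dst: str
    proto: int                  # IP protocol number
    dport: Optional[int] = None  # UDP destination port, None for non-UDP traffic
    payload: bytes = b""        # UDP payload, used only for NAT-T classification


Rule = Tuple[str, Callable[[Packet], bool]]

# First match wins; anything that matches no rule is denied.
PASSTHROUGH_RULES: List[Rule] = [
    ("IKE (phase 1)",
     lambda p: p.dst == VPN_TERMINATOR and p.proto == IP_PROTO_UDP and p.dport == IKE_PORT),
    ("ESP (phase 2)",
     lambda p: p.dst == VPN_TERMINATOR and p.proto == IP_PROTO_ESP),
    ("NAT-T (IKE + UDP-encapsulated ESP)",
     lambda p: p.dst == VPN_TERMINATOR and p.proto == IP_PROTO_UDP and p.dport == NAT_T_PORT),
]


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return ('permit', rule name) for the first matching rule, else ('deny', 'default')."""
    for name, matches in PASSTHROUGH_RULES:
        if matches(p):
            return ("permit", name)
    return ("deny", "default")


def classify_nat_t(payload: bytes) -> str:
    """Classify a UDP/4500 payload per RFC 3948.

    A leading four zero bytes is the non-ESP marker, so the datagram carries IKE
    (an ESP SPI is never zero, which is what makes the marker unambiguous).
    A single 0xFF byte is a NAT keepalive.  Anything else is UDP-encapsulated
    ESP, starting with the SPI.
    """
    if payload == b"\xff":
        return "NAT-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "IKE"
    return "ESP"


# Constructed sample traffic from a remote client at 198.51.100.7.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", VPN_TERMINATOR, IP_PROTO_UDP, IKE_PORT),
    Packet("198.51.100.7", VPN_TERMINATOR, IP_PROTO_ESP),
    Packet("198.51.100.7", VPN_TERMINATOR, IP_PROTO_UDP, NAT_T_PORT, b"\x00\x00\x00\x00IKE..."),
    Packet("198.51.100.7", VPN_TERMINATOR, IP_PROTO_UDP, L2TP_PORT),   # bare L2TP: not needed, denied
    Packet("198.51.100.7", "203.0.113.99", IP_PROTO_UDP, IKE_PORT),    # IKE to a non-VPN host: denied
]


def audit(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Evaluate each packet and return the (action, reason) decisions in order."""
    return [evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(f"{action:6} {reason:38} proto={pkt.proto} dport={pkt.dport} dst={pkt.dst}")
```

Running the block prints one decision per sample packet: the IKE, ESP and NAT-T packets to the terminator are permitted, while the bare UDP/1701 packet and the IKE packet aimed at another host fall through to the default deny. On a real outer firewall the same three entries are all that is required for the tunnel to reach the inner firewall; if the outer device also performs NAT, only the UDP/500 and UDP/4500 entries will see traffic, because ESP is then carried inside UDP/4500.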

Hello Jennifer,

I meant Remote access L2TP over IPSec for client access. So if we just open the following ports on the first Firewall, VPN traffic should seamlessly flow through to the second Firewall.

Thanks

Yes, the protocols advised earlier would be the ones. With L2TP over IPSec, the L2TP tunnel will be encrypted in IPSec so the first firewall will only see IPSec traffic, hence the protocols that I advised earlier will suffice.
