Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
656
Views
0
Helpful
1
Replies

Windows firewall IPSEC bypass accross remote Client VPN?

johnstone_cisco
Beginner
Beginner

‎06-16-2011 01:51 AM - edited ‎02-21-2020 05:24 PM

Hi,

I am trying to implement IPSec Authenticated Firewall Bypass on windows vista clients within my microsoft domain to avoid implementing numerous windows firewall port exceptions for each client.

This is working internally on our network, between services servers (i.e AV server), and desktop clients. However i am having a problem when the clients are remotly accessing the domain via the VPN client.

I have open traffic ports (IKE - UDP500, ESP - IP Prot 50, AH - IP Prot 51) bidirectionally between the remote vpn clients subnet and the services servers, however when the endpoints initiate traffic to the services server, the IKE traffic is unencrypted?

Is this configuration possible, any pointers on the way forward would be great!

Thanks

Brian

Labels:
0 Helpful
1 Reply 1

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎06-16-2011 09:00 AM

Brian,

let me start by pointing out that typical IPsec traffic is: UDP/500 for IKE, UDP/4500 (for IKE+ Encrypted traffic) NAT-travsersal, Protocol 50 and 51 as you pointed out.

If users are remotely behind NAT they will always use UDP/4500 and UDP/500.

IKE starts to be encrypted as soon as we perform DH exchnage - i.e. from message 5.

Now how this fits into overall scenario I'm not sure :-)

Marcin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents