Chapter 2 explains in detail the IPsec protocols used to permit secure communication between hosts. From the firewall perspective, this comes down to:
| Protocol | Port | Description |
|---|---|---|
| ESP (50) | N/A | ESP (Encapsulating Security Payload) |
| AH (51) | N/A | AH (Authentication Header) |
| UDP (17) | 500 | IKE |
| UDP (17) | 4500 / high port | IKE and ESP-in-UDP encapsulation (NAT traversal) |
For IPsec to establish a full tunnel, you will need to permit both ESP (IP protocol 50) and UDP port 500 (IKE) between the peers. If either peer sits behind a NAT device, you will also need to permit UDP port 4500, which NAT traversal (NAT-T) uses both for IKE and for ESP-in-UDP encapsulation so that the traffic can pass through the NAT device; the NAT may rewrite the source port to an arbitrary high port, so match on destination port 4500 rather than on both ports. Authentication Header (AH) is rarely used these days. It provides integrity and authentication without encryption, and because it also authenticates the outer IP header it cannot pass through a NAT device at all. Cryptographers reviewing the IPsec specification have criticized AH as redundant (ESP can authenticate as well as encrypt) and as a source of unnecessary complexity, so you only need to permit IP protocol 51 if your policies actually use AH.
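As an added example (not the book's own rule set), the following shell function emits the iptables commands that open exactly the protocols and ports listed above between one local address and one peer. The addresses 10.0.0.1 and 203.0.113.5 are constructed placeholders, the `nat` argument is a convention of this example, and the AH lines are left commented out because AH is rarely needed.

```sh
#!/bin/sh
# Added example: generate iptables rules that permit IPsec to a single peer.
# Not from the book; addresses and the "nat" flag are this example's own.

# ipsec_rules LOCAL_IP PEER_IP [nat]
# Print (do not apply) the iptables commands for one peer. Pass "nat" as the
# third argument when either end sits behind a NAT device.
ipsec_rules() {
    local_ip=$1
    peer_ip=$2
    nat=${3:-}

    # IKE (ISAKMP) on UDP/500. Only the destination port is pinned: a NAT in
    # the path may rewrite the peer's source port.
    echo "iptables -A INPUT  -p udp -s $peer_ip -d $local_ip --dport 500 -j ACCEPT"
    echo "iptables -A OUTPUT -p udp -s $local_ip -d $peer_ip --dport 500 -j ACCEPT"

    # ESP (IP protocol 50) carries the protected traffic; it has no ports.
    echo "iptables -A INPUT  -p esp -s $peer_ip -d $local_ip -j ACCEPT"
    echo "iptables -A OUTPUT -p esp -s $local_ip -d $peer_ip -j ACCEPT"

    # AH (IP protocol 51) is only required if a policy actually uses AH.
    # Uncomment when needed; AH cannot traverse NAT in any case.
    # echo "iptables -A INPUT  -p ah -s $peer_ip -d $local_ip -j ACCEPT"
    # echo "iptables -A OUTPUT -p ah -s $local_ip -d $peer_ip -j ACCEPT"

    if [ "$nat" = nat ]; then
        # NAT-T: IKE moves to UDP/4500 and ESP is encapsulated in UDP/4500.
        # Again only the destination port is matched.
        echo "iptables -A INPUT  -p udp -s $peer_ip -d $local_ip --dport 4500 -j ACCEPT"
        echo "iptables -A OUTPUT -p udp -s $local_ip -d $peer_ip --dport 4500 -j ACCEPT"
    fi
}

# Demonstration with constructed addresses: a peer behind a NAT device.
ipsec_rules 10.0.0.1 203.0.113.5 nat
```

To apply the rules rather than print them, pipe the output into `sh` (for example `ipsec_rules 10.0.0.1 203.0.113.5 nat | sh` as root). Note that these rules only admit the IPsec packets themselves: on Linux the decrypted inner packet is passed through the INPUT or FORWARD chain a second time, so the cleartext traffic you actually want to carry over the tunnel still needs its own rules.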
The rules that need to be added to the firewall rules to allow IPsec packets are shown below...