Tuesday, 14 July 2015

How do you port forward a VPN?

Periodically, I encounter documents on the internet that indicate you can port forward from an internet modem in order to establish a VPN.  Typically, internet modems can port forward Ports like TCP and UDP Ports but they cannot normally forward IP Protocol IDs.  A Virtual Private Network consists of TCP Ports, UDP Ports and IP Protocol IDs.  

L2TP over IPSec uses ESP (IP Protocols ID 50), AH (IP Protocol ID 51), IKE (UDP Port 500), L2F/L2TP (UDP 1701) and NAT-T (UDP Port 4500) .
 
IPSec uses ESP (IP Protocol ID 50) and AH (IP Protocol ID 51).  For IKE Phase 1 and 2 negotiations, IKE (UDP Port 500).  For NAT-T IKE Phase 1 and 2 negotiations, IKE (UDP Port 500) and NAT-T (UDP Port 4500).

PPTP uses (TCP Port 1723) and GRE (IP Protocol ID 47).

IPSec Passthrough

Some internet modems are capable of enabling IPSec Passthrough which is also called IPSec NAT Traversal which allows an IPSec VPN to be established.

IP Passthrough & Bridge Mode

Another option is to configure an internet modem to use IP Passthrough which assigns a Public IP Address to the External NIC of the device being accessed.  You could also configure an internet modem to use Bridge Mode which also assigns a Public IP Address to the External NIC of the device being accessed.  However, this would would only be secure if you have a firewall between the internet and the device being accessed.  Without a hardware firewall, the device is open on the internet.  Software firewalls are not recommended as they can be compromised.  It is also recommended that the device being accessed is inside a DMZ meaning your Internal LAN is on a separate subnet on a separate LAN port of your hardware firewall.

Curiously, not all Internet Service Providers truly provide IP Passthrough.  ClearWire for example provides true IP Passthrough while Comcast Business does not.

Conclusion 

The easiest and most straight-forward solution for establishing a VPN is with the use of a firewall.  I recommend the Watchguard XTM.  I also recommend the use of L2TP over IPSec versus other VPN Protocols such as IPSec or PPTP.  L2TP over IPSec is secure and the Client Protocol is native to the Windows Operating System.

Notes 

  • Client-side computers often connect to a VPN using a dynamically assigned outbound port.

  • Firewalls can be configured with policies which handle IP Protocol ID destinations which is similar to port forwarding.