Outsourced IT Support Services

From the blog

PPTP and L2TP Port Forwarding

logo-itsupport

PPTP and L2TP Port Forwarding | VPN and NAT-T

A recent VPN project for two customers required configuration of Port Address Translation through a NAT Devices (one Cisco ASA and one Sonicwall) onto Windows Remote Access Servers (RRAS with NPS)

We decided to post some information regarding port forwarding of PPTP and L2TP Ports, specifically when the RAS is behind a NAT Device, so here goes:

PPTP

PPTP tunnel maintenance – TCP 1723
GRE – Protocol ID 47

L2TP over IPSec

L2TP traffic – UDP 1701
Internet Key Exchange (IKE) – UDP 500
IPSec Network Address Translation (NAT-T) – UDP 4500

The port forwarding setup is quite straightforward, as long as you know how to configure your NAT Device.  However one thing to consider is Windows Vista, Windows 7 and the Windows Server 2008 operating system do not support NAT-T security associations to remote access servers that are located behind a NAT Device by default (it’s not recommended).  Also, as far as we can tell from recent experience, neither does Windows Server 2012 and Windows 10.

A small registry fix has to be applied, you can find further information about this, plus the necessary steps on the Microsoft Support Site:

How to configure L2TP/IPsec in Windows Vista, Windows 7 and Windows Server 2008