VPN and IPtables
Henry Spencer
henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org
Wed Sep 15 22:52:44 UTC 2004
On Wed, 15 Sep 2004, Lennart Sorensen wrote:
> > ...the thing to note is that's PROTOCOL 50/51, not PORT 50/51. IPSEC
> > VPN packets aren't transmitted over TCP OR UDP, but use IP protocol
> > numbers 50 and 51.
>
> The key exchange and data go over those protocols, the encrypted data is
> transferred over udp on port 500.
Contrariwise. Protocol 50 is ESP, for encryption, or encryption plus
authentication, of packets. Protocol 51 is AH, for just crypto-grade
authentication of packets. These are both UDP-style protocols, with
unreliable unsequenced uncontrolled delivery, but their contents are
complete packets -- each including a header specifying another protocol,
like TCP and UDP -- not just data. UDP port 500 is used for key
negotiation, with the IKE protocol.
There are some optional wretched kludges, still in draft form last time I
checked, which carry both IKE and ESP over a single UDP port, for use in
traversing NAT gateways. Mostly this uses UDP port 4500, although some
older versions tried to just pile everything onto 500.
Henry Spencer
henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
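An added illustration of the point Henry makes (this is not code from the thread or from TLUG): a small POSIX sh script that prints the iptables rules a firewall needs for an IPsec peer. The first function shows the mistake the thread is correcting, matching 50 and 51 as UDP ports; the second matches them as IP protocols (iptables accepts the names esp and ah from /etc/protocols) and adds IKE on UDP 500 and NAT traversal on UDP 4500. The interface name eth0 and the peer address 203.0.113.5 are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the original post. Prints iptables rules
# to stdout so they can be reviewed before being applied as root.

# WRONG: 50 and 51 are IP protocol numbers, not ports. ESP and AH are
# not carried inside UDP, so these rules never match an IPsec packet.
ipsec_rules_wrong() {
    iface=$1; peer=$2
    printf 'iptables -A INPUT -i %s -s %s -p udp --dport 50 -j ACCEPT\n' "$iface" "$peer"
    printf 'iptables -A INPUT -i %s -s %s -p udp --dport 51 -j ACCEPT\n' "$iface" "$peer"
}

# RIGHT: match on the IP protocol (esp = 50, ah = 51), then allow IKE on
# UDP 500 and NAT-T (IKE plus UDP-encapsulated ESP) on UDP 4500.
ipsec_rules() {
    iface=$1; peer=$2
    printf 'iptables -A INPUT -i %s -s %s -p esp -j ACCEPT\n' "$iface" "$peer"
    printf 'iptables -A INPUT -i %s -s %s -p ah -j ACCEPT\n' "$iface" "$peer"
    printf 'iptables -A INPUT -i %s -s %s -p udp --dport 500 -j ACCEPT\n' "$iface" "$peer"
    printf 'iptables -A INPUT -i %s -s %s -p udp --dport 4500 -j ACCEPT\n' "$iface" "$peer"
}

# Helper: map an IP protocol number to the name iptables expects,
# so the distinction between protocol and port stays explicit.
proto_name() {
    case $1 in
        50) echo esp ;;
        51) echo ah ;;
        *)  echo "unknown protocol $1" >&2; return 1 ;;
    esac
}

# Placeholder interface and peer; pipe the output into sh to apply.
ipsec_rules eth0 203.0.113.5
```

Run it as `sh ipsec_rules.sh | sh` (as root) once the printed rules look right; the matching OUTPUT rules follow the same pattern with -o and -d in place of -i and -s.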