What do I need to configure in order to make sure the VPN works with our corporate firewall? Are there special considerations for making VPNs work with firewalls?
A virtual private network (VPN) is typically initiated from the outside. Since you are asking about your corporate firewall, I'll assume this case for the purposes of this answer. There are many SOHO firewalls that must be configured for VPN passthrough to allow VPN operation from the inside. Consequently, corporate firewalls must be configured to allow the relevant ports and protocols that are used to initiate the VPN connection and to allow the transport of the VPN traffic to its relevant concentrator. It is important to note that placing the VPN gateway outside the network perimeter is not recommended.

This is different from standard stateful firewall operation with connections initiated from inside the perimeter, where the firewall creates the required conduits for the return traffic on the fly. Therefore, for VPN operation the required ports and protocols must be noted and configured correctly.

For SSL VPN, for example, you must ensure the SSL port is open for access to the SSL VPN gateway. This is typically Port 443 and operates over TCP, Protocol 6. For IPsec, however, you need to do a little more work and allow for IKE (for the initial key exchange), which operates via UDP on Port 500, as well as for NAT Traversal (in most cases), which operates via UDP Port 4500. Then, you must ensure that Protocol 50 for ESP and/or Protocol 51 for AH are open to allow the IPsec traffic to pass. There are other, less commonly used VPN technologies that each have their own unique requirements, for example PPTP, L2TP and L2F. Ultimately, the key is making sure you understand the requirements that are applicable to the security protocol that is being used.
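One way to turn the port and protocol list above into something checkable, as an added example that is not part of the original answer: the script below derives the inbound allow rules a perimeter firewall needs for an SSL VPN or IPsec gateway, renders them as iptables commands, and audits an existing ruleset for flows the answer says must be open. The gateway address (203.0.113.10) and the sample packets are constructed; only the port and IP protocol numbers come from the answer.

```python
"""Derive and audit perimeter-firewall rules for inbound VPN traffic.

Added example, not from the original answer. Ports and protocol numbers are
those the answer cites: TCP/443 (SSL VPN), UDP/500 (IKE), UDP/4500 (NAT-T),
IP protocol 50 (ESP) and IP protocol 51 (AH). Gateway address is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA IP protocol numbers.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
PROTO_NAMES = {PROTO_TCP: "tcp", PROTO_UDP: "udp", PROTO_ESP: "esp", PROTO_AH: "ah"}

# Inbound flows each VPN type needs in order to reach its gateway/concentrator.
# A port of None means the protocol carries no transport-layer port (ESP, AH).
REQUIRED_FLOWS = {
    "ssl": [(PROTO_TCP, 443)],        # SSL VPN gateway
    "ipsec": [
        (PROTO_UDP, 500),             # IKE, initial key exchange
        (PROTO_UDP, 4500),            # NAT Traversal
        (PROTO_ESP, None),            # ESP payload
        (PROTO_AH, None),             # AH, only if the tunnel actually uses it
    ],
}


@dataclass(frozen=True)
class Rule:
    """One accept rule for traffic initiated from outside toward the gateway.

    Reply traffic is not listed: a stateful firewall opens it on the fly.
    """
    proto: int
    dst: str
    dport: Optional[int]  # None = no port check (ESP/AH)

    def matches(self, proto: int, dst: str, dport: Optional[int]) -> bool:
        return (self.proto == proto and self.dst == dst
                and (self.dport is None or self.dport == dport))

    def to_iptables(self, chain: str = "FORWARD") -> str:
        """Render the rule as an iptables command (FORWARD chain by default)."""
        cmd = f"iptables -A {chain} -p {PROTO_NAMES[self.proto]} -d {self.dst}"
        if self.dport is not None:
            cmd += f" --dport {self.dport}"
        return cmd + " -j ACCEPT"


def rules_for(vpn_type: str, gateway: str) -> List[Rule]:
    """Minimal allow-list for the given VPN type, scoped to one gateway address."""
    return [Rule(proto, gateway, port) for proto, port in REQUIRED_FLOWS[vpn_type]]


def is_permitted(rules: List[Rule], proto: int, dst: str,
                 dport: Optional[int] = None) -> bool:
    """Default-deny evaluation: the packet passes only if some rule matches."""
    return any(r.matches(proto, dst, dport) for r in rules)


def audit(vpn_type: str, gateway: str,
          rules: List[Rule]) -> List[Tuple[int, Optional[int]]]:
    """Return the required (protocol, port) flows that the ruleset does not permit."""
    return [(proto, port) for proto, port in REQUIRED_FLOWS[vpn_type]
            if not is_permitted(rules, proto, gateway, port)]


if __name__ == "__main__":
    GW = "203.0.113.10"  # constructed gateway address (TEST-NET-3 range)
    for rule in rules_for("ipsec", GW):
        print(rule.to_iptables())
    # A ruleset written for an SSL VPN gateway leaves every IPsec flow blocked:
    print("missing for IPsec:", audit("ipsec", GW, rules_for("ssl", GW)))
```

The audit function is the useful part in practice: feed it the rules actually loaded on the perimeter device (parsed into `Rule` objects) and it reports exactly which of the answer's required flows are still being dropped, which is usually why an IPsec tunnel negotiates IKE on UDP/500 and then stalls when ESP or NAT-T traffic is silently discarded.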
For more information on how a VPN works:
- See what IPsec VPN protocols are used today.
- Learn about the pros and cons of disabling VPN passthrough.
- Understand which ports should be opened when IPsec filters are used.
This was first published in July 2012