Port forwarding is a technique used to enable incoming internet connections to reach your device when using a VPN. It is necessary because most VPNs use an NAT firewall to stop users falling victim to malicious incoming connections.
Ports need to be open on the firewall to allow IPSec or VPN through. Solution: Internet Protocol Security (IPSec) uses IP protocol 50 for Encapsulated Security Protocol (ESP), IP protocol 51 for Authentication Header (AH), and UDP port 500 for IKE Phase 1 negotiation and Phase 2 negotiations. If your RRAS based VPN server is behind a firewall (i.e., a firewall is placed between the internet and the RRAS server), the following ports need to be opened (bidirectional) on this firewall to allow VPN traffic to pass through: For PPTP. IP Protocol=TCP, TCP Port number=1723  <- Used by PPTP control path There are no other pre-existing L2RP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500) There was an L2TP port triggering rule enabled, that I toggled on and off with no change; Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. In enabled previously, the 'Automatic Firewall/NAT' checkbox adds the following rules to the iptables firewall in the background:. UBNT_VPN_IPSEC_FW_HOOK Allow UDP port 500 (IKE), UDP port 4500 (NAT-T) and ESP in the local direction.; UBNT_VPN_IPSEC_FW_IN_HOOK Allow IPsec traffic from the remote subnet to the local subnet in the local and inbound direction.
However, if NAT is happening anywhere in between the client and the server, you should be using IPSec NAT Traversal (NAT-T), and you don't have to permit IP proto 50 (and/or 51), you just have to permit UDP/500 (IKE) and UDP/4500 (NAT-T) to the VPN server.
Sophos Firewall: How to establish a Site-to-Site IPsec VPN connection between Cyberoam and Sophos Firewalls using a preshared key
For L2TP/IPSEC VPN connections, you need to open UDP port 500 for Internet Key Exchange (IKE) traffic, UDP port 4500 (IPsec control path) and UDP port 1701 for L2TP traffic. IPsec ESP traffic also uses IP protocol 50. SSTP connections use TCP port 443 (SSTP traffic to/from the VPN server)
Here are the ports and protocols: There are several different ports listed when you Google this topic. In practice I have found that I only need to open UDP 500 and UDP 4500 in order for VPN to work. Protocol: UDP, port 500 (for IKE, to manage encryption keys) Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode) Protocol: ESP, value 50 (for Client VPN Firewall Ports Hey All, I won't feel bad if you flame me with a RTFM, but does anyone know off hand which ports one would have to open on a firewall sitting in front of a Hub MX to let Meraki ClientVPN traffic (L2TP/IPSEC) through to said Hub? If the connection succeeds after the firewall is disabled, then these steps below will show you how to open the L2TP ports so that you can use VPN with your firewall enabled. Steps for opening L2TP/IPSec VPN ports on Windows 10 firewall. From your Windows desktop locate the Windows taskbar Search Box in the lower left and click in the Search Box.