Ethan Butterfield [mailto:primus@veris.org] wrote:
From: Jim Mercer <jim@reptiles.org>
as i understand it, ipsec doesn't use ports.
Yes and no. IPSec uses UDP port 500 for the ISAKMP key exchange and the tunnel setup, but all other traffic is IP Protocol 50 (ESP) or 51 (AH). Most firewalls I've seen block weird traffic (i.e., just about everything that's not standard TCP or IP Protocol 1 (ICMP)) by default, or at least flag it as strange.
interestingly enough, ICSA firewall certification requires port 500 (ISAKMP) to be closed, so in theory, you cannot have an ICSA Firewall that also does standards-conforming IPSec. there is a loophole, however. ICSA will let you off the hook if your manuals explain how to turn off port 500 in your IPSec-capable firewall (or firewall-capable IPSec box.)

richard
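To make the point of both replies concrete, here is an added example (not from anyone in this thread): a toy packet filter that decodes the IPv4 protocol field and UDP/TCP ports from constructed sample packets, then applies a "TCP and ICMP only" default policy next to one that additionally admits UDP/500 (ISAKMP), protocol 50 (ESP) and protocol 51 (AH). The addresses and policy names are assumptions made up for the example.

```python
import struct

# IANA protocol numbers referred to in the thread
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 1, 6, 17, 50, 51
ISAKMP_PORT = 500


def parse_ipv4(pkt: bytes) -> dict:
    """Decode only what a filter needs: protocol number and, for TCP/UDP, the ports."""
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes (IHL field)
    proto = pkt[9]                        # protocol field of the IPv4 header
    info = {"proto": proto, "sport": None, "dport": None}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        # Both TCP and UDP carry source/destination port in their first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def build_ipv4(proto: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (no options); 192.0.2.x are documentation addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def udp_payload(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)   # ports, length, checksum


# A policy is a list of (protocol, destination port or None for "any port").
DEFAULT_POLICY = [(IPPROTO_TCP, None), (IPPROTO_ICMP, None)]          # the "block weird" default
IPSEC_POLICY = DEFAULT_POLICY + [(IPPROTO_UDP, ISAKMP_PORT),
                                 (IPPROTO_ESP, None), (IPPROTO_AH, None)]


def verdict(pkt: bytes, policy) -> str:
    p = parse_ipv4(pkt)
    for proto, dport in policy:
        if p["proto"] == proto and (dport is None or p["dport"] == dport):
            return "ACCEPT"
    return "DROP"


def evaluate(policy) -> dict:
    """Run a constructed sample of traffic through a policy; returns {name: verdict}."""
    samples = {
        "isakmp": build_ipv4(IPPROTO_UDP, udp_payload(500, 500)),
        "esp": build_ipv4(IPPROTO_ESP, b"\x00" * 8),
        "ah": build_ipv4(IPPROTO_AH, b"\x00" * 12),
        "https": build_ipv4(IPPROTO_TCP, struct.pack("!HH", 40000, 443) + b"\x00" * 16),
        "dns": build_ipv4(IPPROTO_UDP, udp_payload(40000, 53)),
    }
    return {name: verdict(pkt, policy) for name, pkt in samples.items()}
```

Under DEFAULT_POLICY every IPSec component is dropped (which is also what the ICSA "port 500 closed" requirement produces); IPSEC_POLICY admits exactly the three pieces of traffic named above and still drops unrelated UDP.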