Configuring Packet Filters for a VPN Server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The firewall is configured with rules that filter the packets the VPN server sends and receives and that control intranet traffic to and from VPN clients, according to your network security policies. Packet filtering is based on the header fields of inbound and outbound packets, such as the source and destination IP addresses, the IP protocol ID, and the TCP or UDP ports.

The Routing and Remote Access Server Setup Wizard for Windows Server 2003 and Windows Server 2000 Service Pack 2 (SP2) or later automatically configures the appropriate packet filters for VPN traffic. Alternatively, you can use the Routing and Remote Access snap-in to configure the packet filters.

The following sections summarize the packet filters that are required when the VPN server is placed behind a firewall or in front of a firewall. For procedures explaining how to enter the packet filter configurations, see "VPN servers and firewall configuration" in Help and Support Center for Windows Server 2003.

Configuring Filters for a VPN Server Behind a Firewall

If the VPN server is behind a firewall, you must configure packet filters on both the firewall's Internet interface and its perimeter network interface. In this configuration, the firewall is connected to the Internet, and the VPN server is an intranet resource that is connected to the perimeter network. The VPN server has an interface on both the perimeter network and the Internet.

PPTP connections

For a PPTP connection, configure the following packet filters on the Internet and perimeter network interfaces of the firewall.

Internet interface of the firewall   On the firewall’s Internet interface, configure the inbound and outbound filters in Table 8.5, specifying that all packets are dropped except those that are selected by the filters.

Table 8.5   VPN Server Behind a Firewall: PPTP Filters on the Firewall’s Internet Interface

Inbound

  Filter: Destination IP address = Perimeter network interface of VPN server; TCP destination port = 1723 (0x6BB)
  Action: Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.

  Filter: Destination IP address = Perimeter network interface of VPN server; IP Protocol ID = 47 (0x2F)
  Action: Allows PPTP tunneled data from the PPTP client to the PPTP server.

  Filter: Destination IP address = Perimeter network interface of VPN server; TCP source port = 1723 (0x6BB)
  Action: Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site (also known as router-to-router) VPN connection. If you allow all traffic to the VPN server from TCP port 1723, network attacks can emanate from sources on the Internet that use this port. You should only use this filter in conjunction with the PPTP filters that are also configured on the VPN server.

Outbound

  Filter: Source IP address = Perimeter network interface of VPN server; TCP source port = 1723 (0x6BB)
  Action: Allows PPTP tunnel maintenance traffic from the PPTP server to the PPTP client.

  Filter: Source IP address = Perimeter network interface of VPN server; IP Protocol ID = 47 (0x2F)
  Action: Allows PPTP tunneled data from the PPTP server to the PPTP client.

  Filter: Source IP address = Perimeter network interface of VPN server; TCP destination port = 1723 (0x6BB)
  Action: Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If you allow all traffic from the VPN server to TCP port 1723, network attacks can emanate from sources on the Internet using this port. You should only use this filter in conjunction with the PPTP filters that are also configured on the VPN server.

Perimeter network interface of the firewall   On the firewall’s perimeter network interface, configure the inbound and outbound filters in Table 8.6, specifying that all packets are dropped except those that are specified by the filters.

Table 8.6   VPN Server Behind a Firewall: PPTP Filters on the Perimeter Network Interface

Inbound

  Filter: Source IP address = Perimeter network interface of VPN server; TCP source port = 1723 (0x6BB)
  Action: Allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.

  Filter: Source IP address = Perimeter network interface of VPN server; IP Protocol ID = 47 (0x2F)
  Action: Allows PPTP tunneled data from the VPN server to the VPN client.

  Filter: Source IP address = Perimeter network interface of VPN server; TCP destination port = 1723 (0x6BB)
  Action: Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If you allow all traffic from the VPN server to TCP port 1723, network attacks can emanate from sources on the Internet using this port.

Outbound

  Filter: Destination IP address = Perimeter network interface of VPN server; TCP source port = 1723 (0x6BB)
  Action: Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.

  Filter: Destination IP address = Perimeter network interface of VPN server; IP Protocol ID = 47 (0x2F)
  Action: Allows PPTP tunneled data from the PPTP client to the PPTP server.

  Filter: Destination IP address = Perimeter network interface of VPN server; TCP source port = 1723 (0x6BB)
  Action: Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If you allow all traffic to the VPN server from TCP port 1723, network attacks can emanate from sources on the Internet using this port.

L2TP/IPSec connections

For an L2TP/IPSec connection, configure the following packet filters on the Internet and perimeter network interfaces of the firewall.

Internet interface of the firewall   On the firewall’s Internet interface, configure the inbound and outbound filters in Table 8.7, specifying that all packets are dropped except those that are specified by the filters.

Table 8.7   VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall’s Internet Interface

Inbound

  Filter: Destination IP address = Perimeter network interface of VPN server; UDP destination port = 500 (0x1F4)
  Action: Allows IKE traffic to the VPN server.

  Filter: Destination IP address = Perimeter network interface of VPN server; UDP destination port = 4500 (0x1194)
  Action: Allows IPSec NAT-T traffic to the VPN server.

  Filter: Destination IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32)
  Action: Allows IPSec ESP traffic to the VPN server.

Outbound

  Filter: Source IP address = Perimeter network interface of VPN server; UDP source port = 500 (0x1F4)
  Action: Allows IKE traffic from the VPN server.

  Filter: Source IP address = Perimeter network interface of VPN server; UDP source port = 4500 (0x1194)
  Action: Allows IPSec NAT-T traffic from the VPN server.

  Filter: Source IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32)
  Action: Allows IPSec ESP traffic from the VPN server.

No filters are required for L2TP traffic at UDP port 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload.

Perimeter network interface of the firewall   On the firewall’s perimeter network interface, configure the inbound and outbound filters in Table 8.8, specifying that all packets are dropped except those that are selected by the filters.

Table 8.8   VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall’s Perimeter Network Interface

Inbound

  Filter: Source IP address = Perimeter network interface of VPN server; UDP source port = 500 (0x1F4)
  Action: Allows IKE traffic from the VPN server.

  Filter: Source IP address = Perimeter network interface of VPN server; UDP source port = 4500 (0x1194)
  Action: Allows IPSec NAT-T traffic from the VPN server.

  Filter: Source IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32)
  Action: Allows IPSec ESP traffic from the VPN server.

Outbound

  Filter: Destination IP address = Perimeter network interface of VPN server; UDP destination port = 500 (0x1F4)
  Action: Allows IKE traffic to the VPN server.

  Filter: Destination IP address = Perimeter network interface of VPN server; UDP destination port = 4500 (0x1194)
  Action: Allows IPSec NAT-T traffic to the VPN server.

  Filter: Destination IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32)
  Action: Allows IPSec ESP traffic to the VPN server.

Configuring Filters for a VPN Server in Front of a Firewall

When a VPN server is in front of a firewall and connected to the Internet, configure inbound and outbound packet filters on the VPN server to allow only VPN traffic to and from the IP address of the VPN server’s Internet interface. Use this configuration if your VPN server is in a perimeter network, with one firewall positioned between the VPN server and the intranet and another between the VPN server and the Internet.

PPTP connections

For a PPTP connection, configure the VPN server with the inbound and outbound filters in Table 8.9, specifying that all packets be dropped except those that are specified by the filters. These filters are automatically configured when you:

  • Run the Routing and Remote Access Server Setup Wizard and choose the Remote access (dial-up or VPN) option.

  • Select the correct interface.

  • Select the Enable security on the selected interface by setting up packet filters option on the VPN Connection page. This setting is enabled by default.

Table 8.9   VPN Server in Front of a Firewall: Packet Filters for PPTP

Inbound

  Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP destination port = 1723
  Action: Allows PPTP tunnel maintenance to the VPN server.

  Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; IP Protocol ID = 47
  Action: Allows PPTP tunneled data to the VPN server.

  Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP (established) source port = 1723
  Action: Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. Accepts TCP traffic only when a VPN server initiates the TCP connection.

Outbound

  Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP source port = 1723
  Action: Allows PPTP tunnel maintenance traffic from the VPN server.

  Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; IP Protocol ID = 47
  Action: Allows PPTP tunneled data from the VPN server.

  Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP (established) destination port = 1723
  Action: Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. Sends TCP traffic only when a VPN server initiates the TCP connection.

L2TP/IPSec connections

For an L2TP/IPSec connection, configure the VPN server with the inbound and outbound filters in Table 8.10, specifying that all packets be dropped except those that are specified by the filters.

Table 8.10   VPN Server in Front of a Firewall: Packet Filters for L2TP/IPSec

Inbound

  Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP destination port = 500
  Action: Allows IKE traffic to the VPN server.

  Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP destination port = 1701
  Action: Allows L2TP traffic from the VPN client to the VPN server.

  Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP destination port = 4500
  Action: Allows IPSec NAT-T traffic from the VPN client to the VPN server.

Outbound

  Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP source port = 500
  Action: Allows IKE traffic from the VPN server.

  Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP source port = 1701
  Action: Allows L2TP traffic from the VPN server to the VPN client.

  Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP source port = 4500
  Action: Allows IPSec NAT-T traffic from the VPN server to the VPN client.
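To make the semantics of the rows in Table 8.9 and Table 8.10 concrete, the following Python model is added here as an example; it is not part of this documentation or of Routing and Remote Access. It evaluates packets against the default-drop filter sets for a VPN server in front of a firewall, including the "TCP (established)" rows, which accept source-port-1723 traffic only for connections the VPN server opened itself. The addresses 203.0.113.10 and 198.51.100.7 are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

VPN_IP = "203.0.113.10"  # constructed placeholder: the VPN server's Internet interface address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", or "gre" (IP Protocol ID 47)
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Filter:
    direction: str                 # "in" or "out"
    proto: str
    sport: Optional[int] = None    # match TCP/UDP source port when set
    dport: Optional[int] = None    # match TCP/UDP destination port when set
    established: bool = False      # "TCP (established)": only flows the VPN server itself opened

def matches(f: Filter, p: Packet, direction: str, initiated: frozenset) -> bool:
    # Every row pins the VPN server's own address (mask 255.255.255.255): dst inbound, src outbound.
    own = p.dst if direction == "in" else p.src
    if f.direction != direction or own != VPN_IP or p.proto != f.proto:
        return False
    if (f.sport is not None and p.sport != f.sport) or (f.dport is not None and p.dport != f.dport):
        return False
    if f.established:  # flow key: (remote address, VPN server port, remote port)
        flow = (p.src, p.dport, p.sport) if direction == "in" else (p.dst, p.sport, p.dport)
        return flow in initiated
    return True

def decide(filters, p: Packet, direction: str, initiated=frozenset()) -> str:
    # Default deny: a packet passes only if some filter selects it.
    return "allow" if any(matches(f, p, direction, initiated) for f in filters) else "drop"

PPTP = [  # Table 8.9
    Filter("in", "tcp", dport=1723), Filter("in", "gre"), Filter("in", "tcp", sport=1723, established=True),
    Filter("out", "tcp", sport=1723), Filter("out", "gre"), Filter("out", "tcp", dport=1723, established=True),
]
L2TP = [  # Table 8.10 (UDP 1701 is filtered here, on the VPN server, not at the firewall)
    Filter("in", "udp", dport=500), Filter("in", "udp", dport=1701), Filter("in", "udp", dport=4500),
    Filter("out", "udp", sport=500), Filter("out", "udp", sport=1701), Filter("out", "udp", sport=4500),
]

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed remote address
    unsolicited = Packet(client, VPN_IP, "tcp", sport=1723, dport=49200)  # source port 1723, not our flow
    print(decide(PPTP, Packet(client, VPN_IP, "tcp", 40000, 1723), "in"))          # allow: tunnel maintenance
    print(decide(PPTP, unsolicited, "in"))                                          # drop: not server-initiated
    print(decide(PPTP, unsolicited, "in", frozenset({(client, 49200, 1723)})))      # allow: server opened it
```

The third case shows why the site-to-site rows are restricted to established connections: without that qualifier, any Internet host could reach the VPN server simply by sending from TCP port 1723.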