The ports used by L2TP (Layer 2 Tunneling Protocol) depend primarily on whether it is configured to use IPSec for security, which is the default and recommended method.
According to documentation from WatchGuard, if IPSec is used (the default configuration), L2TP requires the following:
- UDP Port 500: Used for Internet Key Exchange (IKE), which sets up the secure association for IPSec.
- UDP Port 4500: Used for NAT traversal when IPSec is in use.
- IP Protocol 50 (ESP): The Encapsulating Security Payload protocol, which provides data confidentiality, integrity, and authentication for IPSec traffic.
These ports and protocols are essential for the secure functioning of L2TP when paired with IPSec, providing encryption and authentication for the data transmitted through the tunnel.
L2TP Ports Without IPSec
If IPSec is disabled, the port requirements for L2TP are simpler:
- UDP Port 1701: This is the standard port specifically assigned to L2TP control and data messages when not layered over IPSec.
Disabling IPSec significantly reduces the security of the L2TP connection, as the data transmitted is not encrypted or authenticated by IPSec. Therefore, running L2TP without IPSec is generally not recommended for securing sensitive traffic.
Here's a quick summary table:
| Configuration | Protocol | Port(s) / IP Protocol | Purpose |
|---|---|---|---|
| Default (with IPSec) | UDP | 500 | IKE (IPSec Key Exchange) |
| Default (with IPSec) | UDP | 4500 | NAT Traversal for IPSec |
| Default (with IPSec) | IP Proto | 50 (ESP) | Encapsulating Security Payload (IPSec Data) |
| Without IPSec | UDP | 1701 | L2TP Control and Data Traffic |
Understanding these different port requirements is crucial for configuring firewalls and network devices to allow L2TP VPN connections.
For more details on L2TP configurations, you can refer to the source: Select a Mobile VPN Type - WatchGuard