
Microsoft small business knowledge base

Article ID: 233256 - Last Review: February 27, 2007 - Revision: 3.5

This article was previously published under Q233256
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/) .

SUMMARY

IP Security (IPSec) is used to securely transmit data between computers. It is implemented at the Network layer (Layer 3) of the Open Systems Interconnection (OSI) model, so it protects all IP and upper-layer protocols in the TCP/IP protocol suite. The primary benefit of securing information at Layer 3 is that every program and service that uses IP for data transport can be protected without being modified.

MORE INFORMATION

IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:
  • IP Protocol ID 50:
    For both inbound and outbound filters. Should be set to allow Encapsulating Security Payload (ESP) traffic to be forwarded.
  • IP Protocol ID 51:
    For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
  • UDP Port 500:
    For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.
L2TP/IPSec traffic looks just like IPSec traffic on the wire. The firewall just has to allow IKE (UDP 500) and IPSec ESP formatted packets (IP protocol = 50).

It may be necessary to allow Kerberos traffic through the firewall as well; if so, UDP port 88 and TCP port 88 would also need to be forwarded. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
253169 (http://support.microsoft.com/kb/253169/EN-US/) Traffic That Can--and Cannot--Be Secured by IPSec
254949 (http://support.microsoft.com/kb/254949/) IPSec support for client-to-domain controller traffic and domain controller-to-domain controller traffic
254728 (http://support.microsoft.com/kb/254728/EN-US/) IPSec Does Not Secure Kerberos Traffic Between Domain Controllers
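The following is an added example, not part of the Microsoft Knowledge Base article: a small stateless filter model in Python that encodes the allow list described above (IP protocol 50 for ESP, IP protocol 51 for AH, UDP 500 for ISAKMP/IKE, plus the optional UDP/TCP 88 Kerberos rules) and runs constructed sample packets through it in both directions. The rule and packet structures, the rule names and the sample flows are all assumptions made for the illustration. It shows why a firewall sees L2TP/IPSec simply as ESP, why Kerberos is dropped until its rules are added, and why plain (unprotected) application traffic such as UDP 1701 or TCP 445 is not admitted by the IPSec rules alone.

```python
"""Added example (not from the KB article): a minimal bidirectional allow-list
model for the IPSec firewall rules the article describes."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA-assigned IP protocol numbers used below
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50   # Encapsulating Security Payload
PROTO_AH = 51    # Authentication Header


@dataclass(frozen=True)
class Rule:
    """One allow rule, applied to both inbound and outbound filters."""
    protocol: int
    port: Optional[int] = None   # None for ESP/AH, which carry no port header
    name: str = ""


@dataclass(frozen=True)
class Packet:
    """Outer-header view of a packet, which is all a stateless filter sees."""
    direction: str                 # "in" or "out" (informational in this model)
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


# The allow list from the article (hypothetical rule names).
IPSEC_RULES: List[Rule] = [
    Rule(PROTO_ESP, None, "ESP (IP protocol 50)"),
    Rule(PROTO_AH, None, "AH (IP protocol 51)"),
    Rule(PROTO_UDP, 500, "ISAKMP/IKE (UDP 500)"),
]

# Only needed when Kerberos must cross the firewall.
KERBEROS_RULES: List[Rule] = [
    Rule(PROTO_UDP, 88, "Kerberos (UDP 88)"),
    Rule(PROTO_TCP, 88, "Kerberos (TCP 88)"),
]


def rule_matches(rule: Rule, packet: Packet) -> bool:
    if rule.protocol != packet.protocol:
        return False
    if rule.port is None:
        return True   # ESP/AH: the protocol number alone decides
    # A rule that applies "for both inbound and outbound filters" must admit the
    # request (ephemeral -> 500/88) and the reply (500/88 -> ephemeral), so the
    # well-known port may appear on either side.
    return rule.port in (packet.src_port, packet.dst_port)


def evaluate(packet: Packet, rules: List[Rule]) -> Optional[str]:
    """Return the name of the first allowing rule, or None if the packet is dropped."""
    for rule in rules:
        if rule_matches(rule, packet):
            return rule.name
    return None


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Run constructed sample flows through a rule set; returns (label, verdict) pairs."""
    samples = [
        ("inbound ESP (L2TP/IPSec or any IPSec-protected flow)", Packet("in", PROTO_ESP)),
        ("outbound AH", Packet("out", PROTO_AH)),
        ("IKE negotiation, UDP 500 -> 500", Packet("out", PROTO_UDP, 500, 500)),
        ("Kerberos request, UDP ephemeral -> 88", Packet("out", PROTO_UDP, 49152, 88)),
        ("Kerberos reply, TCP 88 -> ephemeral", Packet("in", PROTO_TCP, 88, 49153)),
        ("plain L2TP without IPSec, UDP 1701", Packet("in", PROTO_UDP, 1701, 1701)),
        ("plain SMB, TCP -> 445", Packet("in", PROTO_TCP, 50000, 445)),
    ]
    return [(label, evaluate(pkt, rules) or "DROP") for label, pkt in samples]


if __name__ == "__main__":
    print("== IPSec rules only ==")
    for label, verdict in audit(IPSEC_RULES):
        print(f"{verdict:24} {label}")
    print("== IPSec + Kerberos rules ==")
    for label, verdict in audit(IPSEC_RULES + KERBEROS_RULES):
        print(f"{verdict:24} {label}")
```

The model is deliberately stateless: it decides on the outer IP header only, which is exactly why the upper-layer protocol inside an ESP packet is invisible to the firewall and why the same application traffic sent in the clear is not covered by these three rules.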

APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server
Keywords: kbenv kbinfo kbnetwork KB233256