Pass-through ports configured for L2TP over IPSec on the USG2000 and USG5000

The pass-through ports configured for L2TP over IPSec on the USG2000 and USG5000 are as follows:

1. UDP port 500 is used for the initial IKE negotiation. Once NAT-T capability detection and NAT gateway detection have completed and a NAT device has been found on the path, the UDP port that encapsulates ISAKMP messages changes to 4500, which is then used for the remaining negotiation and for data transmission.
2. L2TP is registered on UDP port 1701, but this port is used only for initial tunnel establishment. The tunnel initiator (LAC) selects any idle port (not necessarily 1701) and sends to port 1701 on the LNS; the LNS in turn replies from any idle port of its own (again not necessarily 1701) to the port the LAC chose. From then on the ports at both ends are fixed and remain unchanged for the lifetime of the tunnel.
3. In L2TP over IPSec, packets are first encapsulated in L2TP and then in IPSec, so UDP port 1701 (the L2TP port) is used as the match condition for the IPSec interesting traffic. All L2TP packets that match it are carried inside the IPSec tunnel.
Therefore, if L2TP over IPSec is configured and no NAT traversal is involved, configure port 500 and port 1701 as pass-through ports.
If NAT traversal is involved, configure port 500, port 4500, and port 1701 as pass-through ports.
Note that without NAT traversal the encrypted traffic travels as plain ESP (IP protocol 50), which carries no UDP port, so it must be permitted separately from the ports listed above; with NAT traversal, ESP is itself encapsulated in UDP port 4500.
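The following script is an added example, not Huawei code and not taken from this page: it classifies the outer UDP legs of an L2TP over IPSec session (IKE on 500, IKE and UDP-encapsulated ESP on 4500, told apart by the RFC 3948 non-ESP marker), parses L2TPv2 headers on the inner leg, tracks how the LAC and LNS ports become fixed after the first exchange on 1701, and derives the pass-through list from the traffic it has seen. All datagrams, addresses and port numbers are constructed by hand for the example, and the ESP rule it emits for the no-NAT case goes beyond the page's port list.

```python
"""Classify the legs of an L2TP over IPSec session and derive pass-through rules.
Added example with constructed datagrams; not Huawei code."""
import struct
from dataclasses import dataclass

IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: marks IKE rather than ESP on UDP 4500


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def classify_outer(d: Datagram) -> str:
    """Outer (encrypted-side) leg: IKE on 500, IKE or ESP-in-UDP on 4500."""
    ports = {d.src_port, d.dst_port}
    if IKE_PORT in ports:
        return "IKE"
    if NAT_T_PORT in ports:
        return "IKE over NAT-T" if d.payload.startswith(NON_ESP_MARKER) else "ESP in UDP"
    return "other"


def parse_l2tpv2(payload: bytes):
    """Return (is_control, tunnel_id, session_id) for an L2TPv2 header, else None."""
    if len(payload) < 6:
        return None
    flags = struct.unpack("!H", payload[:2])[0]
    if flags & 0x000F != 2:             # version field must be 2
        return None
    is_control = bool(flags & 0x8000)   # T bit
    has_length = bool(flags & 0x4000)   # L bit; RFC 2661 requires it on control messages
    if is_control and not has_length:
        return None
    off = 4 if has_length else 2
    if len(payload) < off + 4:
        return None
    tunnel_id, session_id = struct.unpack("!HH", payload[off:off + 4])
    return is_control, tunnel_id, session_id


class L2tpTunnelTracker:
    """Learns the tunnel 4-tuple: LAC sends from any port to LNS port 1701,
    the LNS answers from any port, then both endpoints stay fixed."""

    def __init__(self):
        self.pending = set()  # (lac_ip, lac_port, lns_ip) waiting for the LNS reply
        self.tunnels = set()  # frozenset({(ip, port), (ip, port)}) per tunnel

    def observe(self, d: Datagram) -> str:
        hdr = parse_l2tpv2(d.payload)
        if hdr is None:
            return "not L2TP"
        key = frozenset({(d.src_ip, d.src_port), (d.dst_ip, d.dst_port)})
        if key in self.tunnels:
            return "L2TP control" if hdr[0] else "L2TP data"
        if hdr[0] and d.dst_port == L2TP_PORT:
            self.pending.add((d.src_ip, d.src_port, d.dst_ip))
            return "L2TP tunnel setup (LAC -> 1701)"
        if hdr[0] and (d.dst_ip, d.dst_port, d.src_ip) in self.pending:
            self.pending.discard((d.dst_ip, d.dst_port, d.src_ip))
            self.tunnels.add(key)
            return "L2TP tunnel setup (LNS reply, endpoints fixed)"
        return "L2TP (no known tunnel)"


def required_pass_through(outer, inner_l2tp_seen: bool):
    """Derive the rules the firewall must pass from the observed outer legs."""
    rules = set()
    for d in outer:
        kind = classify_outer(d)
        if kind == "IKE":
            rules.add(("udp", IKE_PORT))
        elif kind in ("IKE over NAT-T", "ESP in UDP"):
            rules.add(("udp", NAT_T_PORT))
    if ("udp", NAT_T_PORT) not in rules:
        rules.add(("esp", None))  # plain ESP is IP protocol 50 and has no port
    if inner_l2tp_seen:
        rules.add(("udp", L2TP_PORT))
    return sorted(rules, key=lambda r: (r[0], r[1] or 0))


def l2tp_control(tunnel_id, session_id, ns, nr, msg_type):
    """Minimal L2TPv2 control message carrying only the Message Type AVP."""
    avp = struct.pack("!HHHH", 0x8000 | 10, 0, 0, msg_type)
    body = struct.pack("!HHHH", tunnel_id, session_id, ns, nr) + avp
    return struct.pack("!HH", 0xC802, 4 + len(body)) + body   # T, L, S bits, version 2


def l2tp_data(tunnel_id, session_id, ppp):
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp  # version 2, no L bit


# Constructed sample traffic (hypothetical addresses and ports, not a real capture)
CLIENT, SERVER = "203.0.113.10", "198.51.100.1"
OUTER = [
    Datagram(CLIENT, 500, SERVER, 500, b"\x11" * 28),                        # IKE before NAT-T detection
    Datagram(CLIENT, 4500, SERVER, 4500, NON_ESP_MARKER + b"\x11" * 28),     # IKE moved to 4500
    Datagram(CLIENT, 4500, SERVER, 4500, b"\x00\x00\x10\x01" + b"\x22" * 40),  # ESP in UDP, SPI 0x1001
]
INNER = [  # what is seen after IPSec decapsulation
    Datagram(CLIENT, 50000, SERVER, 1701, l2tp_control(0, 0, 0, 0, 1)),       # SCCRQ from an idle LAC port
    Datagram(SERVER, 47777, CLIENT, 50000, l2tp_control(7, 0, 0, 1, 2)),      # SCCRP from an idle LNS port
    Datagram(CLIENT, 50000, SERVER, 47777, l2tp_data(3, 9, b"\xff\x03\xc0\x21")),  # data on the fixed 4-tuple
    Datagram(CLIENT, 50001, SERVER, 47777, l2tp_data(3, 9, b"\xff\x03\xc0\x21")),  # changed port: not this tunnel
]


def analyse(outer=OUTER, inner=INNER):
    tracker = L2tpTunnelTracker()
    outer_kinds = [classify_outer(d) for d in outer]
    inner_kinds = [tracker.observe(d) for d in inner]
    rules = required_pass_through(outer, any(k.startswith("L2TP") for k in inner_kinds))
    return outer_kinds, inner_kinds, rules


if __name__ == "__main__":
    for part in analyse():
        print(part)
```

Running it with the sample traffic yields the NAT-T list (UDP 500, 1701 and 4500); feeding only the port 500 exchange to required_pass_through yields UDP 500 and 1701 plus an ESP rule, which is the no-NAT case with the protocol 50 caveat made explicit.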
