From 13442af85c144da1eff00cf193db118eb9afb498 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Mon, 6 Jul 2020 20:43:05 -0400 Subject: [PATCH 39/45] improvement(service): IPsec: Update description and add TCP port 4500 IKE and IPsec over TCP is defined in RFC 8229. It specifically mentions no ports to allow administrators to configure any port to prevent being blocked by networks. However, most IKE/IPsec blocking seems to come from unwanted accidental UDP blocks, so any TCP would usually ensures IPsec can still work on such networks. The default is therefor to pick the same TCP port as IKE and IPsec over UDP uses, port 4500. (cherry picked from commit 8c4fb4f658719cfb58bacae9e6e82c8e82c3465d) (cherry picked from commit 0e2733a5b052a4a1d5e1f6f34bca1ff3760948f1) --- config/services/ipsec.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/services/ipsec.xml b/config/services/ipsec.xml index 9e70acb40003..824f1f3e539f 100644 --- a/config/services/ipsec.xml +++ b/config/services/ipsec.xml @@ -1,9 +1,10 @@ IPsec - Internet Protocol Security (IPsec) incorporates security for network transmissions directly into the Internet Protocol (IP). IPsec provides methods for both encrypting data and authentication for the host or network it sends to. If you plan to use a vpnc server or FreeS/WAN, do not disable this option. + Internet Protocol Security (IPsec) is the standarized IETF VPN architecture defined in RFC 4301. IPsec is negotiated using the IKEv1 (RFC 2409) or IKEv2 (RFC 7296) protocol, which in itself uses encryption and authentication. IPsec provides Internet Protocol (IP) packet encryption and authentication. Both IKE and IPsec can be encapsulated in UDP (RFC 3948) or TCP (RFC 8229 to make it easier to traverse NAT. Enabling this service will enable IKE, IPsec and their encapsulation protocols and ports. Note that IKE and IPsec can also be configured to use non-default ports, but this is not common practise. + -- 2.27.0
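Review bot: the new description line has an unbalanced parenthesis and two spelling errors that will ship verbatim to users: "TCP (RFC 8229 to make it easier to traverse NAT" should read "TCP (RFC 8229) to make it easier to traverse NAT", "standarized" should be "standardized", and the noun in "not common practise" should be "practice". It would also help readers if the description named the port this service actually opens for the TCP encapsulation (the subject says TCP 4500), since the text otherwise points out that RFC 8229 fixes no port and that non-default ports are possible, leaving an administrator to guess what the service allows.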