Virtual Private Network: Firewall Requirements

This page lists the firewall requirements (subnet protocols and ports) of our VPN service for LAN administrators and helpdesk staff.

Client to Server Interactions

  • The terminating subnet for the HA pair is

IPsec Clients or Native Configurations

  • 500/UDP for ISAKMP key exchange
  • 50(ESP)/IP for Encrypted Service Payload
  • 51(AH)/IP for Authenticated Header service
  • Some SOHO routers can't support anything other than TCP or UDP
    • 10,000/UDP is available for encapsulating ESP and AH (Cisco) Pre-NAT-T UDP encapsulation)
    • 4,500/UDP is available for industry standard NAT-T encapsulation (new)

L2TP/IPsec Native Configurations

  • 1701/UDP for L2TP
  • 500/UDP for IPsec ISAKMP key exchange

AnyConnect Clients

  • 443(HTTPS)/TCP for SSL tunnels
  • 443/UDP for DTLS tunnels

Client Subnet Allocations

  • Common Good VPN groups
    • UofM General Access Pool
    • UofM General Access Pool (no libraries access)
    • UofM Split Tunnelled General Access Pool
    • 2607:EA00:114:4800::/64 IPv6 for UofM General Access Pool
    • 2607:EA00:114:4801::/64 IPv6 for UofM Split Tunnelled General
    • Access Pool
  • Departmental VPN groups
    • See group owner for specifics