What specific network configuration is required for ESP to work?

Prepare for the SonicWall Secure Mobile Access Administrator Exam. Engage with interactive quizzes and detailed explanations. Get set to ace your certification!

For ESP (Encapsulating Security Payload) to function properly, port 4500 must be open on all firewalls. This is because ESP is used primarily in conjunction with IPsec (Internet Protocol Security) to provide secure communication over IP networks. Port 4500 specifically supports NAT-T (Network Address Translation Traversal), which allows IPsec traffic to successfully traverse NAT devices.

When IPsec is implemented, it initially uses port 500 for Internet Key Exchange (IKE) negotiation. However, once a NAT device is in the communication path, ports 500 and 4500 come into play. Port 4500 is essential because ESP packets are encapsulated in UDP on this port so that they can be properly routed through NAT. This is a critical step because NAT modifies packets in ways that can disrupt standard IPsec communications; by using port 4500, ESP packets can pass through NAT without losing their security properties, allowing secure connections to be established.

Understanding this network requirement is crucial for ensuring that your IPsec VPN connections can be set up without issues, especially when NAT is present in the network topology. This knowledge also helps when troubleshooting connectivity issues.
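
When troubleshooting, it helps to know what actually arrives on port 4500. The following is an added example, not part of the original explanation: it classifies the UDP payload of a port 4500 datagram using the RFC 3948 layout (a four-zero-octet marker before IKE, a single `0xFF` keepalive octet, otherwise ESP). The function name `classify_natt_payload` is hypothetical and the sample payloads are constructed.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: four zero octets precede IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"        # RFC 3948: single-octet NAT keepalive


def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of a datagram to or from port 4500."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "too short for ESP or IKE"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:  # the fixed IKE header is 28 octets
            return {"kind": "malformed", "reason": "truncated IKE header"}
        # Octet 17 = version (major/minor nibbles), octet 18 = exchange type.
        return {"kind": "ike",
                "version": f"{ike[17] >> 4}.{ike[17] & 0x0F}",
                "exchange_type": ike[18]}
    # Anything else is ESP: a non-zero SPI followed by the sequence number.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": f"0x{spi:08x}", "seq": seq}


# Constructed sample payloads (not captured traffic).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = (NON_ESP_MARKER + bytes(range(1, 17))   # initiator + responder SPI
              + bytes([0, 0x20, 35, 0x08])            # next payload, v2.0, IKE_AUTH, flags
              + struct.pack("!II", 1, 28))            # message ID, total length
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16

if __name__ == "__main__":
    for name, data in [("keepalive", SAMPLE_KEEPALIVE),
                       ("ike", SAMPLE_IKE),
                       ("esp", SAMPLE_ESP)]:
        print(name, classify_natt_payload(data))
```

If a capture on a firewall shows IKE on port 4500 but no ESP-classified datagrams in one direction, the UDP-encapsulated ESP traffic is the part being dropped.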
