IPSEC VPN

WinRoute Pro 4.1 supports IPSEC in so-called "Tunnel mode". Tunnel mode should work with any IPSEC client that allows the transport IP address to be changed.

Note about IPsec: Some IPsec clients have a specific policy to close all IP traffic except that which is carried over the tunnel. For obvious reasons, IPsec clients of this nature must be run on a computer other than WinRoute.

WinRoute settings:

Create mapped port for ESP:

Protocol: Other 50

Listen IP: <unspecified>

Destination IP: the private IP address of the client PC

Create mapped port for AH:

Protocol: Other 51

Listen IP: <unspecified>

Destination IP: the private IP address of the client PC

We also suggest creating a mapped port for IKE. This is not necessary when the communication is initiated FROM behind WinRoute to the Internet; however, certain implementations of IPSEC may require this setting:

IKE port mapping:

Protocol: UDP

Listen IP: <unspecified>

Listen port: 500

Destination IP: the private IP address of the client PC

Destination port: 500

Some IPsec clients may also use the Generic Routing Encapsulation (GRE) protocol.

GRE port mapping:

Protocol: Other 47

Listen IP: <unspecified>

Destination IP: the private IP address of the client PC

General information about IPSEC

IPSec is a security encryption protocol used for secure communication between two computers.

IPSec uses either AH (Authentication Header) or ESP (Encapsulating Security Payload). AH verifies the identity of the sender and the content of the packet only. Data is not encrypted.

ESP encrypts the data. ESP allows for the use of a so-called "Tunnel Mode" that is similar to the PPTP protocol. The packet then includes the IP header (necessary for transport) that is not encrypted and the data portion that includes the whole encrypted original packet.

The IKE protocol (sometimes called ISAKMP) is used for authentication (exchange of security keys). IKE runs over UDP on port 500, which is used as both the source and the destination port.

AH uses protocol 51, ESP uses protocol 50. IPSec may further communicate with the entire certification authority using other protocols that do not interfere with NAT.
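
As an added illustration (not part of the WinRoute documentation), the Python example below parses IPv4 headers and reports which of the mappings described above (ESP, AH, GRE or IKE) a packet depends on, which is useful when checking a capture to see which mapping a failing tunnel is missing. The packet bytes, addresses and function names are constructed for this example.

```python
import struct

# IP protocol numbers and the IKE port, as listed in the text above.
IP_PROTO_RULES = {50: "ESP", 51: "AH", 47: "GRE"}
UDP_PROTO, IKE_PORT = 17, 500


def classify(packet: bytes) -> str:
    """Return the mapping (ESP, AH, GRE, IKE) an IPv4 packet needs, or 'none'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes; IP options extend it
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    if proto in IP_PROTO_RULES:  # matched on protocol number, there are no ports
        return IP_PROTO_RULES[proto]
    if proto == UDP_PROTO:
        frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
        # Only the first fragment carries the UDP header.
        if frag_offset == 0 and len(packet) >= ihl + 4:
            dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
            if dport == IKE_PORT:
                return "IKE"
    return "none"


def ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet (checksum left zero; test data only)."""
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                         20 + len(options) + len(payload), 0, 0, 64, proto, 0,
                         bytes([203, 0, 113, 10]), bytes([192, 168, 1, 20]))
    return header + options + payload


def udp(sport: int, dport: int) -> bytes:
    """Build a constructed, empty UDP header."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLES = {
    "esp": ipv4(50, b"\x00" * 16),
    "ah": ipv4(51, b"\x00" * 12),
    "gre": ipv4(47, b"\x00" * 4),
    "ike": ipv4(17, udp(500, 500)),
    "ike_with_options": ipv4(17, udp(500, 500), options=b"\x01" * 4),
    "dns": ipv4(17, udp(53000, 53)),
}
```

ESP, AH and GRE are matched on the IP protocol field alone, which is why their mappings have no listen or destination port, while IKE is matched on the UDP destination port.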