A. IPSec is largely transparent to routers in the data path because it operates at layer 3 of the OSI model: the outer IP header stays in the clear and is routed normally, while the payload is protected (in transport mode the upper-layer protocol, in tunnel mode the entire inner IP packet, is encrypted by ESP).

There is, however, a requirement on firewalls/gateways in the data path: the following IP protocols and UDP port must be forwarded and not blocked for IPSec to work correctly.

  • IP Protocol ID 50 - Used in both inbound and outbound filters; needed for Encapsulating Security Payload (ESP) traffic to be forwarded
  • IP Protocol ID 51 - As above, but for Authentication Header (AH) traffic
  • UDP Port 500 - In both inbound and outbound filters; needed for ISAKMP (Internet Security Association and Key Management Protocol), i.e. IKE key-exchange traffic, to be forwarded

L2TP (Layer 2 Tunneling Protocol)/IPSec traffic looks the same as plain IPSec traffic on the wire because the L2TP packets (UDP 1701) are carried inside ESP, so you only need to open IP Protocol ID 50 and UDP Port 500; UDP 1701 itself does not need to be opened on intermediate firewalls. One caveat: if a NAT device sits between the peers, IKE negotiates NAT-Traversal and ESP is then encapsulated in UDP Port 4500, which must also be allowed.
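The allow-list above as a small packet filter, written as an added example for this page (not code from the original answer): it parses only the cleartext outer IPv4 header, which is all a router or firewall in the path can see, and passes ESP (protocol 50), AH (protocol 51) and ISAKMP/IKE (UDP 500). UDP 4500 (NAT-Traversal) is an assumption added behind a flag, and the sample packets are constructed here rather than captured from a real network. A bare UDP 1701 (L2TP) packet is included to show that L2TP/IPSec needs no extra rule: on the wire it is just ESP.

```python
"""Added example: allow-list filter for IPsec traffic (illustrative, not a real firewall)."""
import struct

PROTO_UDP = 17
PROTO_ESP = 50       # Encapsulating Security Payload
PROTO_AH = 51        # Authentication Header
PORT_IKE = 500       # ISAKMP / IKE
PORT_NAT_T = 4500    # assumption: IPsec NAT-Traversal, not listed on the page
PORT_L2TP = 1701     # L2TP; inside ESP when used with IPsec


def _checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options) around `payload`; sample data only."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header; checksum 0 means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload) from the cleartext outer header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if _checksum(pkt[:ihl]) != 0:          # valid header sums to zero
        raise ValueError("bad header checksum")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]


def ipsec_filter_verdict(pkt: bytes, allow_nat_t: bool = False) -> str:
    """Apply the page's allow-list (plus optional NAT-T) to one packet."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto == PROTO_ESP:
        return "ALLOW ESP (IP protocol 50)"
    if proto == PROTO_AH:
        return "ALLOW AH (IP protocol 51)"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PORT_IKE in (sport, dport):
            return "ALLOW ISAKMP/IKE (UDP 500)"
        if allow_nat_t and PORT_NAT_T in (sport, dport):
            return "ALLOW NAT-T (UDP 4500)"
    return "DROP"


# Constructed sample traffic between two example addresses (not captured data).
SRC, DST = "203.0.113.10", "198.51.100.20"
ESP_PKT = build_ipv4(PROTO_ESP, SRC, DST, bytes.fromhex("0000000100000001") + b"\x00" * 24)
AH_PKT = build_ipv4(PROTO_AH, SRC, DST, bytes.fromhex("1104000000000002") + b"\x00" * 20)
IKE_PKT = build_ipv4(PROTO_UDP, SRC, DST, build_udp(PORT_IKE, PORT_IKE, b"\x00" * 28))
NAT_T_PKT = build_ipv4(PROTO_UDP, SRC, DST, build_udp(PORT_NAT_T, PORT_NAT_T, b"\x00" * 32))
BARE_L2TP_PKT = build_ipv4(PROTO_UDP, SRC, DST, build_udp(PORT_L2TP, PORT_L2TP, b"\xc8\x02" * 6))


def verdicts(allow_nat_t: bool = False) -> dict:
    """Verdict for each sample packet; used by the demo below."""
    samples = {"esp": ESP_PKT, "ah": AH_PKT, "ike": IKE_PKT,
               "nat_t": NAT_T_PKT, "bare_l2tp": BARE_L2TP_PKT}
    return {name: ipsec_filter_verdict(p, allow_nat_t) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:10s} {verdict}")
```

Run it as a script to see the verdict for each sample; with the NAT-T flag off, the UDP 4500 packet is dropped, which is exactly the failure seen when a NAT sits between IPSec peers and the firewall only has the three rules above.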