Netgate Discussion Forum
    Is it possible to change the listening port of IPsec VTI?

    16 Posts 3 Posters 1.5k Views
      gabacho4 Rebel Alliance @NogBadTheBad
      @nogbadthebad oh wow. Then that suggests you can change the ports? He could set both sides to use say 51820 and 51821?

        NogBadTheBad @gabacho4

        @gabacho4 Yup, I didn't think you could until I used Google and found the following redmine:

        https://redmine.pfsense.org/issues/11518

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          gabacho4 Rebel Alliance @NogBadTheBad
          @nogbadthebad that is wicked. I’ll have to play with my policy IPsec setup just for the wow factor. That’s freaking great!

            Upper Deck @NogBadTheBad
            @nogbadthebad said in Is it possible to change the listening port of IPsec VTI?:

            @upper-deck That's actually NAT-T & ISAKMP not VTI, but as @gabacho4 says that sucks and try WireGuard or OpenVPN.

            Otherwise look in the advanced section, not sure what you'd do with the clients :-

            Screenshot 2022-11-20 at 14.35.55.png

            That is "UDP port for remote gateway", right? Should I change the UDP ports on the remote gateway first and then change these settings?

              NogBadTheBad @Upper Deck

              @upper-deck Not a clue to be honest, as I just had a look at my mobile client phase 1 settings; fortunately I have a sensible ISP.
                gabacho4 Rebel Alliance @NogBadTheBad

                @nogbadthebad on my site-to-site policy-routed IPsec I have fields to change the local ports. How are you seeing remote ports? Which version of pfSense and what kind of IPsec connection?

                  NogBadTheBad @gabacho4

                  @gabacho4 I use IPsec for a mobile road-warrior type connection, not site-to-site.
                    Upper Deck @gabacho4

                    @gabacho4

                    Would you mind sharing a screenshot of the fields for changing the local ports? I can only find the remote gateway port options. Thank you.

                      gabacho4 Rebel Alliance @Upper Deck

                      @upper-deck sure thing. Again, I am running a policy-routed IPsec connection. When I go to VPN -> IPsec -> Advanced Settings, I have:

                      cd1726a6-95a7-46a5-bef8-80943332a421-image.png

                      EDIT: I am running pfSense Plus 22.05 on this particular box.

                        gabacho4 Rebel Alliance @gabacho4

                        OOOOOH, I get what we're missing. You are looking at the Advanced Settings on the P1. I was looking at the advanced settings for IPsec writ large. Lightbulb! So that means you need to go to the IPsec Advanced Settings on the router that is having IPsec UDP/500 and UDP/4500 blocked (not the P1) and set the alternate ports. Then on the other end, you would need to set those ports in the P1 for the connection. I'd probably do the same thing on both sides just so that things are standardized.

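The procedure above has two halves that must agree: the box whose UDP/500 and UDP/4500 are blocked binds alternate IKE and NAT-T ports under VPN -> IPsec -> Advanced Settings, and the peer's Phase 1 must send to exactly those ports. The script below is an added example, not code from this thread or from pfSense. It parses `sockstat -4 -l -P udp` output (the sample is constructed to look like FreeBSD's format) to confirm the IKE daemon (assumed to be strongSwan's `charon`, which is what pfSense runs) is actually bound to the configured ports, and cross-checks the listener pair against the peer's Phase 1 port pair so a mismatch is caught before the tunnel is blamed on the ISP. The ports 51820/51821 are the values floated earlier in the thread, not a recommendation.

```python
"""Verify alternate IKE/NAT-T listener ports on a pfSense (FreeBSD) box
and cross-check them against the peer's Phase 1 remote-port settings.

Added example for this thread; not pfSense code.  Feed real output from
`sockstat -4 -l -P udp` into verify_ike_listeners() on a live box.
"""
import re

DEFAULT_IKE_PORT = 500
DEFAULT_NATT_PORT = 4500

# Constructed sample of `sockstat -4 -l -P udp` output: charon is bound to
# the alternate ports 51820/51821 on all addresses, plus unrelated listeners.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     charon     4711  14 udp4   *:51820               *:*
root     charon     4711  15 udp4   *:51821               *:*
unbound  unbound    1201  4  udp4   127.0.0.1:53          *:*
root     syslogd    901   5  udp4   *:514                 *:*
"""

# One sockstat row: user, command, pid, fd, proto, then addr:port of the
# local socket.  The header row fails to match because PID is not numeric.
_LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<fd>\d+)\s+"
    r"(?P<proto>udp[46]?)\s+(?P<addr>\S+?):(?P<port>\d+|\*)\s+"
)


def parse_udp_listeners(sockstat_output):
    """Map each bound UDP port to the set of command names holding it."""
    listeners = {}
    for line in sockstat_output.splitlines():
        m = _LINE_RE.match(line)
        if not m or m.group("port") == "*":
            continue
        port = int(m.group("port"))
        listeners.setdefault(port, set()).add(m.group("command"))
    return listeners


def verify_ike_listeners(sockstat_output, ike_port, natt_port, daemon="charon"):
    """Return a list of problems; an empty list means the daemon is bound
    to the IKE and NAT-T ports the GUI was configured with."""
    problems = []
    if ike_port == natt_port:
        problems.append("IKE and NAT-T ports must differ")
    listeners = parse_udp_listeners(sockstat_output)
    for label, port in (("IKE", ike_port), ("NAT-T", natt_port)):
        if daemon not in listeners.get(port, set()):
            problems.append(f"{daemon} is not bound to UDP/{port} ({label})")
    return problems


def check_peer_ports(local_listen, peer_p1):
    """Cross-check one direction of the tunnel.

    local_listen: (ike, natt) this side binds via IPsec Advanced Settings.
    peer_p1:      (ike, natt) the other side's Phase 1 entry sends to.
    Returns a list of mismatches; empty means the two sides agree.
    """
    mismatches = []
    pairs = (("IKE", local_listen[0], peer_p1[0]),
             ("NAT-T", local_listen[1], peer_p1[1]))
    for label, ours, theirs in pairs:
        if ours != theirs:
            mismatches.append(
                f"{label}: we listen on UDP/{ours} but the peer's Phase 1 "
                f"sends to UDP/{theirs}")
    return mismatches


if __name__ == "__main__":
    alt = (51820, 51821)
    for p in verify_ike_listeners(SAMPLE_SOCKSTAT, *alt) or ["listeners OK"]:
        print(p)
    # Peer still pointing at the defaults: the classic half-done change.
    for p in check_peer_ports(alt, (DEFAULT_IKE_PORT, DEFAULT_NATT_PORT)):
        print(p)
```

Run the listener check on the box that moved its ports and the peer check with the values you typed into the other side's Phase 1; if both return empty lists, the remaining failure modes are upstream filtering or firewall rules on the new ports rather than configuration.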
                          NogBadTheBad @gabacho4
                          @gabacho4 I think so
                            Upper Deck @gabacho4
                            @gabacho4 @nogbadthebad

                            Confirmed. It works.

                            Thank you guys. Made my day.

                              gabacho4 Rebel Alliance @Upper Deck
                               @upper-deck that is awesome. I’ll play with mine later, but this was a cool learning moment for me.
