Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec with custom port

    IPsec
    1
    2
    72
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      giulpip
      last edited by

      Hello everyone. I'm experiencing a strange situation:

      • I've 2 premise, under 2 different ISP, both with static public address.
      • ISP router is set to do port-forwarding for the needed ports to each PFSense instance.
      • Setting up an IPSec connection between the 2 premise, works with default ports (500 and 4500).

      Everything works fine: following the ping done on host on SITE B to an host of SITE A.

      SITE A
      a720180c-a045-4a14-b842-96654c4951f3-image.png

      SITE B
      4dd148cf-39e6-4614-941c-7e45ef505eb7-image.png

      PING
      93c35671-5b77-4285-8fe0-7d4dcd06cbb1-image.png

      The problem comes from the fact that port 500 and 4500 are already used by a local service (XBox), so I need to setup the tunnel using custom ports (501 and 4501).
      Doing this, brings to the link to work correctly:

      SITE A
      f1095bc2-f8d6-4148-9e28-510a6a34f64c-image.png
      SITE B
      cf07bd94-007d-4c8b-94c7-562f35ef9667-image.png

      Problem is then, if I try to do the same ping test (from host on SITE B), this is what is looks like:

      SITE A
      Ping request arrives and replied (4 packets in/4 packets out)
      5fe9a6fa-71d2-4e7b-8038-8768a18646eb-image.png

      SITE B
      Ping request:
      779c18fb-2e0d-4b42-992f-2d1c1c1315f9-image.png

      Packets going out (the number is different cause the screenshot was taken after) but no reply:
      4a756360-9ed4-4c11-b3d9-d8569d729bfa-image.png

      What can be the reason for this behavior? NAT should be handled automatically by PFsense, as it happens using the default ports.

      UPDATE: While taking the screenshot, I noticed that the case with the custom ports, the phase1 ports are kind of switched (siteA calling from 501 the 4501 of the remote). This is also strange, and can be the reason...

      1 Reply Last reply Reply Quote 0
      • G
        giulpip
        last edited by

        After taking the screenshot, and recognizing the mismatch between the ports, I've updated the PHASE1 settings on both ends, specifying just the NAT-T port.
        0dbb0d4a-70c8-496a-87dd-bee9fa740865-image.png

        Now, the ports looks coherent.
        SITE A
        5387557b-d330-43ec-a494-e44119f1e484-image.png

        SITE B
        a0791832-6b78-4a3a-a053-f749822d43b5-image.png

        Now ping works :)
        996ddfcd-d96a-4b60-9bb5-f194f3ed1fa9-image.png

        08a81d89-236c-44e0-8ecc-26dc19d27d4e-image.png

        Still open the question on why this port mismatch happened.....I've lost like 40 hours on this

        1 Reply Last reply Reply Quote 0
        • First post
          Last post