Netgate Discussion Forum

    Nat-t udp port

    IPsec
    • jason0

      Hello,

      Reading up on the racoon program, I see that it binds to UDP port 4500 in addition to 500 for NAT traversal. Does this mean a firewall rule that allows ISAKMP will automagically allow access to port 4500? If not, how does communication begin to/from port 4500?

      Thanks!

      --jason

      • jimp (Rebel Alliance Developer, Netgate)

        If you have NAT-T enabled it will allow access to udp/4500 the same as it will for udp/500.

        • jason0

          Hello,

          Or, in this case, not at all unless I explicitly define an inbound rule.  (I just tested it…)

          Thank you!

          --jason

          • jason0

            It has occurred to me my own response to this thread could have been interpreted as "snarky".  I hereby retract that tone, and I will clarify what I meant.

            My question stemmed from seeing "ISAKMP" on the predefined destination port range of the firewall rules. It was clear to me I needed to allow access to ISAKMP in order to even begin an incoming IPsec session. It just wasn't clear if that included the NAT-T port. I have since seen the NAT-T entry in the port range list as "ipsec nat-t". Once I defined this rule, the sessions started up immediately.

            This is clearly something I could have tested before I opened this thread. I was able to verify using tcpdump at the pfSense command line.

            --jason
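            The thread settles the rule question empirically (both UDP/500 and UDP/4500 need an allow) but never says what the traffic on 4500 actually looks like when you watch it with tcpdump. The following is an added example, not code from the thread or from pfSense or racoon: a small decoder for IPsec-related UDP datagrams that applies the RFC 3948 NAT-T framing rules (a lone 0xFF byte is a NAT keepalive, four zero bytes in front of an IKE header mark IKE on 4500, anything else on 4500 is UDP-encapsulated ESP led by its non-zero SPI) and the fixed 28-byte IKE header layout shared by IKEv1 and IKEv2. The function names (`classify`, `parse_ike_header`, `summarize`) and the sample datagrams are constructed for this illustration; nothing here is captured from a real tunnel.

```python
import struct
from collections import Counter

# Added example, not from the thread: decode what a capture on UDP/500 and
# UDP/4500 contains, using the RFC 3948 NAT-T framing rules.  All sample
# datagrams below are constructed, not captured from a live peer.

ISAKMP_PORT = 500
NAT_T_PORT = 4500
IKE_HEADER_LEN = 28  # fixed ISAKMP/IKE header size in bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix that marks IKE inside UDP/4500

IKE_EXCHANGE_NAMES = {
    2: "IKEv1 Identity Protection (Main Mode)",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}


def parse_ike_header(data: bytes) -> dict:
    """Decode the 28-byte IKE header common to IKEv1 (RFC 2408) and IKEv2 (RFC 7296)."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    i_spi, r_spi, _next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", data[:IKE_HEADER_LEN])
    return {
        "initiator_spi": i_spi,
        "responder_spi": r_spi,
        "version": (version >> 4, version & 0x0F),  # major, minor
        "exchange": IKE_EXCHANGE_NAMES.get(exch, f"unknown({exch})"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def classify(dst_port: int, payload: bytes) -> str:
    """Label an IPsec-related UDP datagram from its destination port and framing.

    UDP/500 carries bare IKE.  UDP/4500 (NAT-T) carries three kinds of data:
      * a single 0xFF byte                       -> NAT keepalive
      * four zero bytes then an IKE header       -> IKE (non-ESP marker)
      * anything else (leading non-zero ESP SPI) -> UDP-encapsulated ESP
    """
    if dst_port == ISAKMP_PORT:
        return "ike" if len(payload) >= IKE_HEADER_LEN else "malformed"
    if dst_port != NAT_T_PORT:
        return "not-ipsec"
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike" if len(payload) >= 4 + IKE_HEADER_LEN else "malformed"
    return "esp"


def summarize(datagrams) -> dict:
    """Count (port, kind) pairs.  Any entry under port 4500 is traffic that an
    ISAKMP-only (udp/500) firewall rule would not admit."""
    return dict(Counter((port, classify(port, p)) for port, p in datagrams))


def _ike(exchange_type: int, version: int = 0x20,
         i_spi: int = 0x1122334455667788, r_spi: int = 0) -> bytes:
    # Build a header-only IKE message (next payload 33 = SA, flags 0x08 = Initiator)
    # for the constructed samples; real messages carry payloads after the header.
    return struct.pack("!QQBBBBII", i_spi, r_spi, 33, version,
                       exchange_type, 0x08, 0, IKE_HEADER_LEN)


# Constructed sample "capture": IKE_SA_INIT on 500, then, after both peers
# detect NAT, IKE_AUTH, an ESP packet and a keepalive on 4500.
SAMPLE = [
    (500, _ike(34)),
    (4500, NON_ESP_MARKER + _ike(35, r_spi=0x99AABBCCDDEEFF00)),
    (4500, struct.pack("!II", 0x0000ABCD, 1) + b"\x00" * 40),  # SPI, seq, data
    (4500, b"\xff"),
]

if __name__ == "__main__":
    for port, payload in SAMPLE:
        kind = classify(port, payload)
        line = f"udp/{port} {kind}"
        if kind == "ike":
            hdr = parse_ike_header(payload[4:] if port == NAT_T_PORT else payload)
            line += f" {hdr['exchange']} v{hdr['version'][0]}.{hdr['version'][1]}"
        print(line)
    print(summarize(SAMPLE))
```

            Run it as-is to see the four constructed datagrams labelled; to use it on real traffic, feed `classify` the destination port and UDP payload of each packet you pulled from a tcpdump capture. The point it makes for the firewall question is visible in `summarize`: once NAT is detected, IKE itself moves to 4500 and the ESP data rides there too, so an allow for ISAKMP alone covers only the first exchange.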

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.