IKEv2 / ISAKMP from iOS device behind pfSense / NAT-T not working
-
Sounds like it could possibly be https://redmine.pfsense.org/issues/5819 which is fixed on 2.3. I kind of doubt the referenced commit would apply cleanly against 2.2.x (again, assuming it's related) but it's worth checking for someone hitting the issue.
Nope, that's not it. I don't have two WANs.
-
Did you try it? Don't dismiss it outright because of that one difference.
-
Did I try what? I assume that fix is in the main code, and I'm running 2.2.6 I still periodically see this issue.
-
Look at the commit referenced on the ticket:
https://redmine.pfsense.org/projects/pfsense/repository/revisions/bc3e61c4950740128ef7d2200e6399ada2e0fae9/diff/src/etc/inc/filter.inc
Open up that file on your 2.2.x install and look for the stated lines and make similar edits.
-
Look at the commit referenced on the ticket:
https://redmine.pfsense.org/projects/pfsense/repository/revisions/bc3e61c4950740128ef7d2200e6399ada2e0fae9/diff/src/etc/inc/filter.inc
Open up that file on your 2.2.x install and look for the stated lines and make similar edits.
Cool! I'll give that a try. Is there any way to just download the new filter.inc file instead of making those edits by hand? I don't know the syntax of that file, and I don't want to screw it up.
The other thing is that I won't know for sure if it fixes the problem. It tends to come and go sporadically.
-
It wouldn't work directly since that commit was for pfSense 2.3, not 2.2.x. Would have to be adjusted by hand on 2.2.x.
-
Hello jimp,
i have the same problem in my 2.2.6 after update from 2.2.4.
Do i make the changes via built in editor from the gui? It must look like the green right file?
Greets
-
Just curious - if this is a known bug, why isn't it being addressed in 2.2?
-
Just curious - if this is a known bug, why isn't it being addressed in 2.2?
Because:
1. Nobody has yet confirmed the fix actually fixes this issue on 2.2.x
2. There are not likely to be any further 2.2.x releases with 2.3 being so close -
Found the solution today!
You only have to set a rule under firewall -> nat -> outbound that looks similar to the default rule for port 500. Of course with port 4500 and my lancom behind the pf can digger his tunnels ;D
Hope it helps other people!