Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [almost solved] udp/500 not passing the firewall since change of WAN connection

    IPsec
    2
    5
    1.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      Banane
      last edited by

      Hi everybody,

      since the update to 2.3.1_5 an internal AirfyHotSpot-Router (https://s3.amazonaws.com/airfy-static/airfy_Instructions.pdf ) cannot establish IPsec connection through the firewall anymore. I'm banging my head against the wall for 2 days now :(.

      In the firewall logs I can see it`s tcp/443 and udp/53 packets, but not udp/500, udp/4500.

      I've read https://doc.pfsense.org/index.php/Cisco_VPN_pass_through_not_working_when_behind_pfSense and several forum threads. Which means I set outbound NAT to manual and disabled any ISAKMP NAT rules.

      Anyhow I don´t see any packets in the log. I really appreciate any idea for further ways of debugging.

      Many thanks,
      Christian

      1 Reply Last reply Reply Quote 0
      • M
        mannyjacobs73
        last edited by

        Are you sure nothing else has changed?

        I've been setting up pfSense in various scenarios and also came across a point when my CISCO VPN was not working.  Turned out to be the 'Deterministic Network Enhancer' no longer checked in the nic configuration.

        Had another similar issue when installing the latest beta of Nmap, with the addition of the ncap driver.  Solved by uninstalling and re-installing a stable version.

        I can confirm I have CISCO VPN working on v2.3.1_p5.

        I would assume if you are not seeing the packets in the FW, they are being passed?

        Apologies if this info isn't relevant.

        1 Reply Last reply Reply Quote 0
        • B
          Banane
          last edited by

          many thanks for the response!

          I made the update to 2.3.1_5 while changing the WAN interface. It was a PPPoE-DSL-Connection before, now the pfsense receives a an static IP via DHCP from a cable modem. I tested it  with plugging back the PPPoE-Connection -> same result  :(.

          If I directly plug the airfy router to the cable modem, it can establish an IPsec connection.So I guess the packets go out from that device, yes.

          What can I do to further debug this problem ?

          1 Reply Last reply Reply Quote 0
          • B
            Banane
            last edited by

            If I route the subnet's traffic to the former PPPoE WAN connection (firewall rule, gateway set in advanced settings) it works + I also see the traffic in the firewall log.

            So there must be a problem with the cable WAN connection :) Maybe traffic blocked or double NAT, I will contact the ISP.

            Just for my personal technical understanding:
            Why can´t I see the udp/500 traffic passing the firewall, if there is a problem at the WAN site (e.g. NAT).

            1 Reply Last reply Reply Quote 0
            • M
              mannyjacobs73
              last edited by

              Have you enabled the CISCO unity feature? - I think Chris had made a comment about this already.

              You don't see this traffic when you do a packet capture on your interfaces directly from pfsense?

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.