Netgate Discussion Forum

    IKEv2 tunnel kills inbound NAT

    • EN1GM4

      Background:

      Running pfSense 2.3.1_5 on an HP T5740 thin client. Has expansion, so three gigabit network ports.

      I have two OpenVPN clients set up for routing most of my internal internet traffic. One OpenVPN client is also configured for inbound NAT. It is also listening for an inbound IKEv2 VPN connection.

      So to recap: pfSense is both a dual OpenVPN client and an IKEv2 server. The IKEv2 server listens on one of the OpenVPN connections.

      Issue:

      I can connect to the IKEv2 server from outside my network and do what I need to do within the context of the IKEv2 VPN. However, once I disconnect from the IKEv2 server on the pfSense, within a few minutes ALL of my inbound NAT port forwards stop working. The only way I have found to re-enable the port forwards is to reboot the device.

      (If I don't use the IKEv2 VPN, or disable it, the NAT port forwards work perfectly fine without reboots.)

      Thoughts on how to 'fix' the issue without creating a cron job to reboot daily to re-enable the port forwards?

      Thanks.

      • jimp (Rebel Alliance Developer, Netgate)

        Not sure I quite follow how you've got that setup. "IKEv2 server listens on one of the OpenVPN connections" as in you have to connect to IKEv2 through OpenVPN?

        Are the port forwards also on OpenVPN?

        What is your IPsec mobile client network? OpenVPN tunnel network? Any overlaps there?

        It sounds almost like when you disconnect that the firewall's routing table is losing its default gateway or something along those lines.

        Visit /status.php on the firewall and download the file when it works, and then again when it breaks, and compare the various files looking for what changed.


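As a worked example of the comparison jimp suggests, added here and not code from the thread or from pfSense itself: a small Python script that takes the routing-table section of two status dumps, one captured while the port forwards work and one after they break, lists the routes that vanished, appeared or were re-pointed, checks whether the default route is still present, and tests the IPsec mobile client network against the OpenVPN tunnel networks for the overlap he asks about. The route tables, interface names (em0, ovpnc1, em1) and network ranges below are constructed sample data, and the assumption that the status dump carries a netstat -rn style routing table is mine.

```python
"""Compare two pfSense status snapshots (working vs. broken) for the kind of
change suggested in the thread: a vanished default route and overlapping
tunnel networks.  All inputs here are constructed samples, not real captures."""
import difflib
import ipaddress

# Constructed sample of an IPv4 routing table in netstat -rn form, as assumed
# to appear in a status.php dump taken while the port forwards still work.
# Interface names and addresses are hypothetical.
ROUTES_WORKING = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/24        10.8.0.5           UGS      ovpnc1
10.8.0.5           link#7             UH       ovpnc1
192.168.1.0/24     link#1             U           em1
"""

# Constructed sample taken after the IKEv2 client disconnected: identical
# except that the default route is gone.
ROUTES_BROKEN = """\
Destination        Gateway            Flags     Netif Expire
10.8.0.0/24        10.8.0.5           UGS      ovpnc1
10.8.0.5           link#7             UH       ovpnc1
192.168.1.0/24     link#1             U           em1
"""


def parse_routes(text):
    """Return {destination: (gateway, netif)} from a netstat -rn style table.
    The first line is the column header and is skipped."""
    routes = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4:
            routes[parts[0]] = (parts[1], parts[3])
    return routes


def default_route(text):
    """(gateway, netif) of the default route, or None if it has vanished."""
    return parse_routes(text).get("default")


def route_diff(before, after):
    """Unified diff of the two tables, the same comparison one would do by eye."""
    return "".join(difflib.unified_diff(before.splitlines(True),
                                        after.splitlines(True),
                                        "working", "broken"))


def changed_routes(before, after):
    """Destinations removed, added, or re-pointed between the two snapshots."""
    a, b = parse_routes(before), parse_routes(after)
    return {
        "removed": sorted(set(a) - set(b)),
        "added": sorted(set(b) - set(a)),
        "changed": sorted(d for d in set(a) & set(b) if a[d] != b[d]),
    }


def overlapping_networks(named_nets):
    """Pairs of network names whose address ranges overlap."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in named_nets.items()}
    names = sorted(nets)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if nets[x].overlaps(nets[y])]


# Constructed example of the networks asked about in the reply: the IPsec
# mobile client pool here deliberately sits inside OpenVPN client 1's tunnel.
TUNNEL_NETS = {
    "openvpn_client_1": "10.8.0.0/24",
    "openvpn_client_2": "10.9.0.0/24",
    "ipsec_mobile_clients": "10.8.0.128/25",
    "lan": "192.168.1.0/24",
}

if __name__ == "__main__":
    print(route_diff(ROUTES_WORKING, ROUTES_BROKEN))
    print("default route after break:", default_route(ROUTES_BROKEN))
    print("route changes:", changed_routes(ROUTES_WORKING, ROUTES_BROKEN))
    print("overlapping networks:", overlapping_networks(TUNNEL_NETS))
```

To use it on real captures, paste the routing-table section of each downloaded status dump into the two constants and the tunnel networks from the IPsec mobile client and OpenVPN client settings into TUNNEL_NETS; an empty default route in the broken snapshot or a non-empty overlap list is the kind of change jimp's reply points at.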
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.