Implications of Removing Port 500 (ISAKMP) NAT Rule

  • Hi I'm hoping somebody who has a good understanding of networking can help me.

    Is UDP port 500 (ISAKMP) necessary for anything other than IPSEC? (That's all I've been able to find with my research).

    If the NAT entries for Port 500 are removed what breaks?

    Is Port 500 necessary for OPENVPN remote access or OPENVPN Peer-to-Peer (SSL/TLS)?

    Any assistance would be much appreciated - Thanks.

  • LAYER 8 Netgate

    Mobile IPsec connections from inside your network.

  • It has absolutely nothing to do with OpenVPN, which uses either a UDP connection or a TCP connection without an assisting tunneling protocol, so it doesn't need any static port tricks on NAT points.

  • Rebel Alliance Developer Netgate

    Not only is it only for IPsec, it's only for IPsec clients which are incapable of using alternate source ports or NAT-T. Thankfully, those are less and less common now than when the feature was introduced.
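Before removing the UDP 500 static-port NAT rule, a practical check is to look at the gateway's current state table and see which internal hosts actually have IKE traffic, and which of those never move to UDP 4500 (NAT-T), since those are the clients the rule exists for. The script below is an added example and is not code from this thread, from Netgate or from pfSense; it assumes a state-table text in the style of `pfctl -s state` with the pre-NAT source shown in parentheses (the sample lines and the regular expression that parses them are constructed for this example, and a real system's output may differ).

```python
import re
from collections import defaultdict

# Constructed sample in the style of `pfctl -s state` on a NAT gateway;
# "(inner:port)" is the pre-NAT source. These lines are made up for the
# example and do not come from a real system.
SAMPLE_STATES = """\
udp 203.0.113.1:500 (192.168.1.10:500) -> 198.51.100.7:500       MULTIPLE:MULTIPLE
udp 203.0.113.1:4500 (192.168.1.10:4500) -> 198.51.100.7:4500    MULTIPLE:MULTIPLE
udp 203.0.113.1:500 (192.168.1.20:500) -> 198.51.100.9:500       MULTIPLE:MULTIPLE
udp 203.0.113.1:1194 (192.168.1.30:51234) -> 198.51.100.11:1194  MULTIPLE:MULTIPLE
tcp 203.0.113.1:443 (192.168.1.30:52001) -> 198.51.100.12:443    ESTABLISHED:ESTABLISHED
"""

# Assumed line layout: proto, NAT source, optional "(inner source)", "->", destination.
STATE_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+"
    r"(?P<nat_src>[\d.]+):(?P<nat_sport>\d+)\s+"
    r"(?:\((?P<in_src>[\d.]+):(?P<in_sport>\d+)\)\s+)?"
    r"->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

ISAKMP_PORT = 500   # IKE / ISAKMP
NAT_T_PORT = 4500   # IKE and ESP encapsulated in UDP (NAT-T)


def parse_states(text):
    """Yield one dict per parsable state line, normalised to the inner (pre-NAT) source."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["src"] = d["in_src"] or d["nat_src"]
        d["sport"] = int(d["in_sport"] or d["nat_sport"])
        d["dport"] = int(d["dport"])
        yield d


def classify_ipsec_hosts(text):
    """
    Return {internal_host: {"isakmp": bool, "nat_t": bool}} built from UDP
    states to port 500 and port 4500. Hosts with no IKE traffic at all
    (e.g. OpenVPN or HTTPS users) are not included.
    """
    hosts = defaultdict(lambda: {"isakmp": False, "nat_t": False})
    for s in parse_states(text):
        if s["proto"] != "udp":
            continue
        if s["dport"] == ISAKMP_PORT:
            hosts[s["src"]]["isakmp"] = True
        elif s["dport"] == NAT_T_PORT:
            hosts[s["src"]]["nat_t"] = True
    return dict(hosts)


def hosts_needing_static_port(text):
    """Internal hosts seen on UDP 500 but never on UDP 4500: the clients the static-port rule serves."""
    return sorted(h for h, f in classify_ipsec_hosts(text).items()
                  if f["isakmp"] and not f["nat_t"])


if __name__ == "__main__":
    for host, flags in classify_ipsec_hosts(SAMPLE_STATES).items():
        print(host, flags)
    print("would be affected by removing the UDP 500 rule:",
          hosts_needing_static_port(SAMPLE_STATES))
```

On the constructed sample, 192.168.1.10 has moved to NAT-T and 192.168.1.30 only runs OpenVPN and HTTPS, so neither depends on the port 500 rule; 192.168.1.20 is the one host still negotiating solely on UDP 500. Because a NAT-T-capable client also starts on port 500 and only switches to 4500 once NAT is detected, a host that appears on 500 alone may simply be mid-negotiation, so sample the state table more than once before concluding that it lacks NAT-T support.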

  • What is the reasoning for having an IPSec tunnel defined but disabled by default, along with the complementary IPSec rules that almost nobody needs? Why not keep the rules clean with nothing predefined, and add the special IPSec rules when someone creates a tunnel?

  • Rebel Alliance Developer Netgate

    The rules are still needed by some, and they don't hurt anything for the vast majority of users, so they are still beneficial even if they are a little outdated.

    As for tunnels, we don't ship with any predefined or disabled.

  • Thanks, Jim.

    My install has been upgraded many times since 2.1.x, and I've got a tunnel defined but disabled. We don't use IPSec at all and never have. I thought it was there by default, but most likely I created it while playing years ago and forgot about it. Why I would disable it instead of deleting it is a mystery.
