Netgate Discussion Forum
    Implications of Removing Port 500 (ISAKMP) NAT Rule

    7 Posts 5 Posters 935 Views
    guardian (Rebel Alliance):

      Hi, I'm hoping somebody who has a good understanding of networking can help me.

      Is UDP port 500 (ISAKMP) necessary for anything other than IPSEC? (That's all I've been able to find with my research).

      If the NAT entries for Port 500 are removed what breaks?

      Is Port 500 necessary for OPENVPN remote access or OPENVPN Peer-to-Peer (SSL/TLS)?

      Any assistance would be much appreciated - Thanks.

      pfSense 2.7.2-RELEASE

      Derelict (LAYER 8, Netgate):

        Mobile IPsec connections from inside your network.

          kpa:

          It has absolutely nothing to do with OpenVPN, which uses either a UDP connection or a TCP connection without an assisting tunneling protocol, so it doesn't need any static-port tricks on NAT points.

            jimp (Rebel Alliance Developer, Netgate):

            Not only is it only for IPsec, it's only for IPsec clients which are incapable of using alternate source ports or NAT-T. Thankfully, those are less and less common now than when the feature was introduced.

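As an added illustration (not code from the thread or from pfSense) of why the rule exists: plain IKE goes out on UDP/500 from source port 500, while NAT-T moves the exchange to UDP/4500 behind a 4-byte non-ESP marker, where the source port no longer matters. The script below parses the ISAKMP header, classifies constructed sample flows, and lists internal clients that only ever talk plain IKE from port 500, the ones that would still depend on a static-port outbound NAT rule. Flow records, addresses and the classification labels are all assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# ISAKMP/IKE header (RFC 2408 / RFC 7296): SPIs, next payload, version, exchange, flags, msg id, length
IKE_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # marks IKE (not ESP) inside UDP/4500 (RFC 3948)

@dataclass
class Flow:
    src: str        # internal client address (constructed)
    sport: int      # source port as sent by the client, before NAT
    dport: int      # destination port at the remote IPsec peer
    payload: bytes  # UDP payload

def parse_ike_header(data: bytes) -> Optional[dict]:
    """Return the IKE header fields, or None when the payload is too short to be IKE."""
    if len(data) < IKE_HDR.size:
        return None
    ispi, _rspi, _nxt, version, exchange, _flags, _msgid, length = IKE_HDR.unpack_from(data)
    return {"major": version >> 4, "exchange": exchange, "length": length, "spi_i": ispi.hex()}

def classify(flow: Flow) -> str:
    """Label what the NAT device must do for one IKE/ESP flow (labels are this example's own)."""
    if flow.dport == 500:
        if parse_ike_header(flow.payload) is None:
            return "not-ike"
        # Plain IKE from source port 500 survives NAT only if the source port is preserved.
        return "ike-udp500-static-port" if flow.sport == 500 else "ike-udp500-alt-sport"
    if flow.dport == 4500:
        if flow.payload[:4] == NON_ESP_MARKER and parse_ike_header(flow.payload[4:]):
            return "ike-nat-t"      # NAT-T: rewriting the source port is harmless
        return "esp-udp-encap"      # ESP carried inside UDP/4500
    return "other"

def legacy_ike_clients(flows) -> set:
    """Heuristic: clients that send plain IKE from port 500 and were never seen using NAT-T."""
    plain = {f.src for f in flows if classify(f) == "ike-udp500-static-port"}
    natt = {f.src for f in flows if classify(f) == "ike-nat-t"}
    return plain - natt

def ike_hdr(major: int, exchange: int) -> bytes:
    """Build a constructed IKE header (header only) for the sample flows below."""
    return IKE_HDR.pack(b"\x01" * 8, b"\x00" * 8, 0, major << 4, exchange, 0, 0, IKE_HDR.size)

# Constructed sample: an IKEv1 main-mode client, an IKEv2 client that switches to NAT-T,
# and a client that already uses an alternate source port.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 500, 500, ike_hdr(1, 2)),
    Flow("10.0.0.7", 500, 500, ike_hdr(2, 34)),
    Flow("10.0.0.7", 4500, 4500, NON_ESP_MARKER + ike_hdr(2, 35)),
    Flow("10.0.0.7", 4500, 4500, b"\x00\x00\x00\x01" + b"\x00" * 12),
    Flow("10.0.0.9", 51000, 500, ike_hdr(2, 34)),
]
```

Run over a capture of real outbound traffic instead of SAMPLE_FLOWS, an empty result from legacy_ike_clients() is the evidence that the static-port rule can go.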
              KOM:

              What is the reasoning for having an IPSec tunnel defined but disabled by default, along with the complementary IPSec rules that almost nobody needs? Why not keep the rules clean with nothing predefined, and add the special IPSec rules when someone creates a tunnel?

                jimp (Rebel Alliance Developer, Netgate):

                The rules are still needed by some, and they don't hurt anything for the vast majority of users, so they are still beneficial even if they are a little outdated.

                As for tunnels, we don't ship with any predefined or disabled.

                  KOM:

                  Thanks, Jim.

                  My install has been upgraded many times since 2.1.x, and I've got a tunnel defined but disabled. We don't use IPSec at all and never have. I thought it was there by default, but most likely I created it while playing years ago and forgot about it. Why I would disable it instead of deleting it is a mystery.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.