Netgate Discussion Forum
    IPSEC Port 500 Blocked.

    TomT

      Hi.

      I've got some IPSEC VPNs that have been running fine.

      This morning we found they were down, and looking at the IPsec log we couldn't see the IP address for the remote ends. Looking at the system firewall log I can see both IP addresses on port 500 are blocked.

      I've cleared the states and restarted racoon; I've also tried applying Easy Rules. Still the VPNs are down.

      Any ideas how I can resolve this?
      Thanks

      conor

        Obvious question: what is the device uptime, i.e. was there a restart?

        Apart from the basic stuff when you run a tcpdump on either end do you see traffic arriving on port 500?

        200+ pfSense installs - best firewall ever.

        TomT
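        Before reaching for tcpdump, the firewall log itself can answer the first half of conor's question: which peers are being blocked, on which protocol, and whether any of their IKE traffic ever passed. The script below is an added example for this thread, not code from the poster or from Netgate. It parses pfSense filterlog lines and reports, per remote gateway, blocked versus passed IKE (UDP 500), NAT-T (UDP 4500) and ESP packets, plus the rule tracker IDs that matched, so the blocking rule can be found in the ruleset. The sample log lines are constructed, and the CSV field positions assumed here follow the pfSense 2.2/2.3 filterlog layout; verify them against a real line from /var/log/filter.log before trusting the output. One practitioner check the report points at: when a phase 1 is enabled, pfSense adds WAN rules for UDP 500/4500 and ESP from that peer automatically unless "Disable all auto-added VPN rules" is set under System > Advanced > Firewall & NAT, so a peer that is only ever blocked usually means that option is on, the remote gateway address no longer matches the phase 1, or a floating/block rule with a lower tracker is winning.

```python
"""Find IKE/NAT-T/ESP packets from IPsec peers that pfSense blocked, from filterlog lines.

Added example for this thread; it is not code from the poster or from Netgate.
The field layout assumed here follows the pfSense 2.2/2.3 filterlog CSV
(rule,sub-rule,anchor,tracker,interface,reason,action,direction,ip-version,
IPv4 header fields, protocol-id, protocol-text, length, src, dst, then for
TCP/UDP sport,dport,datalen). Treat the positions as an assumption and check
them against a real line from /var/log/filter.log before relying on this.
"""
import csv

IKE_PORTS = {500, 4500}          # IKE and NAT-T (UDP-encapsulated ESP)

# Constructed sample log: two peers hitting the WAN on UDP 500/4500 (and ESP),
# one SSH probe as noise, and one later IKE packet from the first peer that
# was passed by a different (auto-added) rule.
SAMPLE_FILTER_LOG = """\
Mar  2 09:14:01 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,none,17,udp,100,203.0.113.5,198.51.100.9,500,500,72
Mar  2 09:14:01 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12346,0,none,17,udp,100,203.0.113.77,198.51.100.9,500,500,72
Mar  2 09:14:02 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,222,0,none,17,udp,80,203.0.113.77,198.51.100.9,4500,4500,52
Mar  2 09:14:02 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,223,0,none,50,esp,120,203.0.113.77,198.51.100.9
Mar  2 09:14:03 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,55,1,0,none,6,tcp,60,192.0.2.1,198.51.100.9,43122,22,0,S,12345,,65535,,mss
Mar  2 09:14:04 pfsense filterlog: 71,,,1000000201,em0,match,pass,in,4,0x0,,64,9,0,none,17,udp,100,203.0.113.5,198.51.100.9,500,500,72
"""


def parse_filterlog_line(line):
    """Return a dict for one IPv4 filterlog line, or None if it is not one."""
    _, sep, payload = line.partition("filterlog: ")
    if not sep:
        return None
    f = next(csv.reader([payload]))
    if len(f) < 20 or f[8] != "4":        # IPv6 lines have a different layout
        return None
    rec = {
        "rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
        "direction": f[7], "proto": f[16], "src": f[18], "dst": f[19],
        "sport": None, "dport": None,
    }
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def is_ipsec_packet(rec):
    """IKE/NAT-T on UDP 500/4500, or raw ESP (IP protocol 50)."""
    if rec["proto"] == "esp":
        return True
    return rec["proto"] == "udp" and rec["dport"] in IKE_PORTS


def ipsec_peer_report(log_text, peers=None):
    """Per source address: how many inbound IPsec packets were blocked vs passed,
    which protocols/ports were seen, and which rule trackers matched.
    `peers` optionally restricts the report to the known remote gateway IPs."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is None or rec["direction"] != "in" or not is_ipsec_packet(rec):
            continue
        if peers is not None and rec["src"] not in peers:
            continue
        e = report.setdefault(rec["src"], {"blocked": 0, "passed": 0,
                                           "kinds": set(), "trackers": set()})
        # Anything that is not an explicit pass (block, reject) counts as blocked.
        e["passed" if rec["action"] == "pass" else "blocked"] += 1
        e["kinds"].add("esp" if rec["proto"] == "esp" else f"udp/{rec['dport']}")
        e["trackers"].add(rec["tracker"])
    return report


def peers_never_passed(report):
    """Peers whose IPsec traffic was only ever blocked: these are the ones to
    look for in the WAN rule set (and in the auto-added VPN rules)."""
    return sorted(ip for ip, e in report.items() if e["blocked"] and not e["passed"])


if __name__ == "__main__":
    rep = ipsec_peer_report(SAMPLE_FILTER_LOG)
    for ip, e in sorted(rep.items()):
        print(f"{ip}: blocked={e['blocked']} passed={e['passed']} "
              f"kinds={sorted(e['kinds'])} trackers={sorted(e['trackers'])}")
    print("still blocked:", peers_never_passed(rep))
```

        Run it against `clog /var/log/filter.log` output (or a copy of it) with `peers=` set to the remote gateway addresses from the phase 1 entries; the tracker IDs it prints are the same numbers shown in the firewall log's rule column, so a blocked peer can be traced straight to the rule responsible.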

          pfSense is running and hasn't restarted.
          Without the Easy Rules I see traffic from the two IP addresses being blocked in the firewall log.

          If I add the Easy Rules the traffic isn't marked as blocked and I do see states set up, but no IPsec VPN is established.

          I'm at a loss as to why pfSense was blocking in the first place and why, after the rules and racoon restart, this isn't working.

          Thanks

          Derelict (LAYER 8, Netgate)

            racoon? How old is this version of pfSense that is giving you IPsec trouble?

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            TomT

              Hi

              pfSense is 2.3.5-RELEASE (i386)

              We seem to have had some luck.
              One VPN is up and connected for 18 hours.

              The other two come up and then disconnect after 20 seconds.
              Any idea what would cause that?

              Thanks

              Derelict (LAYER 8, Netgate)

                pfSense is 2.3.5-RELEASE (i386)

                You are not running racoon. You are running strongswan (charon). i386? It's 2018.

                I would guess the phase 1 is succeeding then the phase 2 is failing and one side or the other is subsequently deleting the phase 1.

                Impossible to tell without looking at the IPsec logs.

                Guidance:

                https://doc.pfsense.org/index.php/IPsec_Troubleshooting

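                Derelict's guess (phase 1 up, phase 2 failing, one side then deleting the IKE_SA) is exactly the pattern a "connects, then drops after 20 seconds" tunnel leaves in the charon log, and it is quick to confirm from the log rather than by eye. The script below is an added example for this thread, not code from the poster, from Netgate or from the strongSwan project. It groups charon log lines by IKE_SA (connection name and unique ID), records when the IKE_SA and its CHILD_SA were established, whether a local phase 2 error was logged, and whether the IKE_SA was torn down by a DELETE received from the peer or by the local side, then produces a one-line verdict with the SA lifetime. The sample lines are constructed; the message texts they imitate ("IKE_SA ... established between", "CHILD_SA ... established with SPIs", "no matching CHILD_SA config found", "received DELETE for IKE_SA") are modelled on strongSwan 5.x charon output, so treat the exact wording as an assumption and adjust the patterns to what your own ipsec.log shows (on 2.3 the per-subsystem log levels for IKE and CFG are set under VPN > IPsec > Advanced Settings). The case the verdict is careful about is the one that fools people: if the peer rejects phase 2, this side logs no error at all, only the DELETE, and the phase 2 reason lives in the peer's log.

```python
"""Classify IKE_SA lifetimes from strongSwan (charon) log lines: did phase 1
come up, did phase 2 (the CHILD_SA) follow, and who tore the IKE_SA down?

Added example for this thread; not code from the poster, Netgate or the
strongSwan project. The sample lines are constructed and the message wording
matched below is modelled on strongSwan 5.x charon output; treat both as
assumptions and adapt the patterns to your own ipsec.log.
"""
import re
from datetime import datetime

# syslog timestamp, host, then "charon: NN[SUBSYS] <con|id> message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[(?P<sub>[A-Z]+)\] "
    r"<(?P<con>[^|>]+)\|(?P<id>\d+)> (?P<msg>.*)$")

# Phrases that mean phase 2 negotiation failed on this side (assumed wording).
PHASE2_FAILURE_HINTS = (
    "no matching CHILD_SA config found",
    "no acceptable proposal found",
    "no matching proposal found",
    "traffic selectors",
)

# Constructed sample: con1 comes up fully; con2 gets phase 1 but phase 2 fails
# here and the peer deletes the IKE_SA 20 s later; con3 gets phase 1 and is
# deleted by the peer 20 s later with no local error (the failure is remote).
SAMPLE_IPSEC_LOG = """\
Mar  2 10:00:01 pfsense charon: 09[IKE] <con1|3> IKE_SA con1[3] established between 198.51.100.9[198.51.100.9]...203.0.113.5[203.0.113.5]
Mar  2 10:00:01 pfsense charon: 09[IKE] <con1|3> CHILD_SA con1{1} established with SPIs c1a2b3d4_i e5f60718_o and TS 10.0.1.0/24 === 10.0.2.0/24
Mar  2 10:00:05 pfsense charon: 11[IKE] <con2|4> IKE_SA con2[4] established between 198.51.100.9[198.51.100.9]...203.0.113.77[203.0.113.77]
Mar  2 10:00:05 pfsense charon: 11[CFG] <con2|4> no matching CHILD_SA config found
Mar  2 10:00:25 pfsense charon: 12[IKE] <con2|4> received DELETE for IKE_SA con2[4]
Mar  2 10:00:25 pfsense charon: 12[IKE] <con2|4> deleting IKE_SA con2[4] between 198.51.100.9[198.51.100.9]...203.0.113.77[203.0.113.77]
Mar  2 10:00:30 pfsense charon: 13[IKE] <con3|5> IKE_SA con3[5] established between 198.51.100.9[198.51.100.9]...203.0.113.90[203.0.113.90]
Mar  2 10:00:50 pfsense charon: 13[IKE] <con3|5> received DELETE for IKE_SA con3[5]
"""


def parse_ipsec_log(log_text):
    """Group events by IKE_SA, keyed on (connection name, unique id)."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["con"], int(m["id"]))
        sa = sas.setdefault(key, {"ike_up": None, "child_up": None,
                                  "phase2_error": None, "deleted": None,
                                  "peer_deleted": False})
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        msg = m["msg"]
        if msg.startswith("IKE_SA") and "established between" in msg:
            sa["ike_up"] = sa["ike_up"] or ts
        elif msg.startswith("CHILD_SA") and "established with SPIs" in msg:
            sa["child_up"] = sa["child_up"] or ts
        elif any(h in msg for h in PHASE2_FAILURE_HINTS):
            sa["phase2_error"] = sa["phase2_error"] or msg
        elif "received DELETE for IKE_SA" in msg:
            sa["peer_deleted"] = True          # the other side tore it down
            sa["deleted"] = sa["deleted"] or ts
        elif msg.startswith("deleting IKE_SA"):
            sa["deleted"] = sa["deleted"] or ts  # local teardown (or follow-up to a DELETE)
    return sas


def verdict(sa):
    """One-line diagnosis for a single IKE_SA record."""
    if sa["ike_up"] is None:
        return "phase 1 never established"
    if sa["child_up"] is not None and sa["deleted"] is None:
        return "tunnel up"
    lifetime = ""
    if sa["deleted"] is not None:
        secs = int((sa["deleted"] - sa["ike_up"]).total_seconds())
        who = "peer" if sa["peer_deleted"] else "local side"
        lifetime = f"; IKE_SA deleted by {who} after {secs}s"
    if sa["phase2_error"]:
        return f"phase 1 ok, phase 2 failed locally: {sa['phase2_error']}{lifetime}"
    if sa["deleted"] is not None:
        return f"phase 1 ok, no local phase 2 error{lifetime} (check the peer's log)"
    return "phase 1 ok, phase 2 still pending"


def diagnose(log_text):
    """Map 'con[id]' to its verdict for every IKE_SA seen in the log."""
    return {f"{con}[{uid}]": verdict(sa)
            for (con, uid), sa in parse_ipsec_log(log_text).items()}


if __name__ == "__main__":
    for name, v in diagnose(SAMPLE_IPSEC_LOG).items():
        print(f"{name}: {v}")
```

                Feed it the output of `clog /var/log/ipsec.log`. A CHILD_SA error on this side names the phase 2 mismatch directly (local/remote networks, proposal); a bare "received DELETE" with no local error means the mismatch is on the remote gateway, which is where the phase 2 settings need comparing.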