Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec Site to Site requires port 500 open on WAN?

    Scheduled Pinned Locked Moved IPsec
    4 Posts 3 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      drkrieger
      last edited by

      Hello!

      I'm currently testing a site-to-site IPSec to replace our Fortinet routers, and I ran into an issue when configuring a simple VPN. I did the basic setup, followed a tutorial from here: [https://www.ceos3c.com/pfsense/pfsense-site-to-site-vpn/](link url)

      I'm running pfSense 2.4.3 on both ends for testing, but ran into an issue with the VPN traffic being blocked (port 500). The tunnels report active, but no traffic passes.

      I also read several other tutorials from older versions (pre 2.4), and none of them specify that a WAN rule needs to be set up- several listed a NAT rule which I tried, but still did not work. I figured out how to track the traffic using the firewall logs, and found all of the port 500 traffic from the external site being blocked by the 'default deny' rule. I used the quick create function from the logs to open up the ports temporarily, which worked instantly as my IPSec rule was already set to allow all.

      Is this normal, or was something missed on the tutorial? The reason I ask is, one side of the test connection uses dynamic dns, and I can't program that in even via an alias in the firewall rules source field.

      I'm just confused by the fact that I had to troubleshoot this when none of the guides show that port 500 needs to be open to initiate the IKE connection. Is this a bug?

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Rules that pass IKE traffic (udp/500), ESP, and NAT-T (udp/4500) traffic are automatically created when a tunnel exists and is enabled.

        You'll have to provide more information about what exactly you were seeing blocked, from where, the tunnel configs, etc.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        GrimsonG 1 Reply Last reply Reply Quote 0
        • GrimsonG
          Grimson Banned @Derelict
          last edited by

          @derelict said in IPSec Site to Site requires port 500 open on WAN?:

          Rules that pass IKE traffic (udp/500), ESP, and NAT-T (udp/4500) traffic are automatically created when a tunnel exists and is enabled.

          Unless he turned it off in the advanced settings.

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            That would be information I would expect to be provided. If not, then that's OP's problem and will only delay assistance.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.