Setting up ipsec on wan routed subnet



  • Not sure how to do this. It seems like a NAT rule on UDP port 500 applies to all incoming traffic, not the specific routed IP. Maybe this is by design? Maybe my ISP has some funny routing in their routed subnet in regards to VPN traffic? Probably my lack of understanding is asking for some help :)

    I have a WAN connection with a routed /29. I am referring to this here as (primary IP) and (ip address number 1-8).

    I have a (LAN Windows VPN server) that I have forwarded ports (including UDP 500) to from WAN (ip address number 5),
    so the NAT rule basically says forward packets to (ip address 6) UDP 500 to (Windows VPN server). As I think about this, I recall I am not sure this actually worked, as the clients needed to enable NAT-T.

    The issue is that with this rule in place I can't get phase 2 IPsec VPN to connect from WAN (primary ip address).

    All the other NATing and port forwarding is working as expected, e.g. pfSense can listen on port 443 on the (primary IP) while sending port 443 on (ip address number 5) to any server on the LAN.

    As soon as I disable this NAT rule the IPsec VPN starts working correctly.

    I would have hoped that, like the other traffic, only the packets to (ip address number 5 UDP 500) should go to the server, and packets to (primary ip address) UDP 500 should be received by the firewall.

    Not sure how to go about diagnosing this, any help is much appreciated.


  • LAYER 8 Netgate

    IPsec requires:

    UDP 500
    UDP 4500
    Protocol ESP

    You might or might not need protocol ESP based on NAT Traversal.

    Probably just want to post your NAT settings and WAN rules.
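
The question in this thread is whether a redirect for IPsec traffic (UDP 500, UDP 4500, ESP) is scoped to one routed address or also matches the firewall's primary IP. As an added example that is not part of the thread, this Python check answers that for NAT rules in pf syntax; the rules, interface name, addresses and function names are constructed, and it assumes the rule text looks like what `pfctl -sn` prints.

```python
import ipaddress
import re

# Constructed sample in pf rule syntax; all addresses are documentation ranges.
SAMPLE_RULES = """\
rdr on em0 inet proto udp from any to 203.0.113.5 port = isakmp -> 192.168.1.10
rdr on em0 inet proto udp from any to any port = 4500 -> 192.168.1.10
rdr on em0 inet proto tcp from any to 203.0.113.5 port = https -> 192.168.1.20
rdr on em0 inet proto esp from any to 203.0.113.0/29 -> 192.168.1.10
"""

# IANA service names that may be printed instead of the port numbers.
SERVICE_PORTS = {"isakmp": 500, "ipsec-nat-t": 4500}
RDR_RE = re.compile(
    r"^rdr\b.*?\bproto (?P<proto>\S+) from \S+ to (?P<dst>\S+)"
    r"(?: port = (?P<port>\S+))? -> (?P<target>\S+)"
)

def _port_number(token):
    """Return the numeric port for a number or known service name, else None."""
    if token and token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)

def _dst_covers(dst, address):
    """True when the rule's destination (any, host or CIDR) includes address."""
    if dst == "any":
        return True
    try:
        return address in ipaddress.ip_network(dst, strict=False)
    except ValueError:
        return False  # interface names, tables and aliases are not resolved

def ipsec_redirects_hitting(rules_text, firewall_ip):
    """List rdr rules that would redirect IPsec traffic sent to firewall_ip."""
    address = ipaddress.ip_address(firewall_ip)
    hits = []
    for line in rules_text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        proto, port = m["proto"], _port_number(m["port"])
        is_ipsec = proto == "esp" or (proto == "udp" and port in (500, 4500))
        if is_ipsec and _dst_covers(m["dst"], address):
            hits.append((proto, port, m["dst"], m["target"]))
    return hits

if __name__ == "__main__":
    print(ipsec_redirects_hitting(SAMPLE_RULES, "203.0.113.1"))
```

An empty result for the primary IP means no redirect in the supplied rules would take IKE, NAT-T or ESP away from the firewall itself.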

