Netgate Discussion Forum

    Setting up ipsec on wan routed subnet

    IPsec
    nick17v

      Not sure how to do this. It seems like a NAT rule on UDP port 500 applies to all incoming traffic, not the specific routed IP. Maybe this is by design? Maybe my ISP has some funny routing in their routed subnet in regards to VPN traffic? Probably my lack of understanding; asking for some help :)

      I have a WAN connection with a routed /29. I am referring to this here as (primary IP) and (IP address number 1-8).

      I have a (LAN Windows VPN server) that I have forwarded ports (including UDP 500) to from WAN (IP address number 5),
      so the NAT rule basically says forward packets to (IP address 6) UDP 500 to (Windows VPN server). As I think about this I recall I am not sure this actually worked, as the clients needed to enable NAT-T.

      The issue is, with this rule in place I can't get phase 2 IPsec VPN to connect from WAN (primary IP address).

      All the other NATting and port forwarding is working as expected, e.g. pfSense can listen on port 443 on the (primary IP) while sending port 443 on (IP address number 5) to any server on the LAN.

      As soon as I disable this NAT rule the IPsec VPN starts working correctly.

      I would have hoped that, like the other traffic, only the packets to (IP address number 5, UDP 500) should go to the server, and packets to (primary IP address) UDP 500 should be received by the firewall.

      Not sure how to go about diagnosing this; any help is much appreciated.

      Derelict (Netgate)

        IPsec requires:

        UDP 500
        UDP 4500
        Protocol ESP

        You might or might not need protocol ESP based on NAT Traversal.

        Probably just want to post your NAT settings and WAN rules.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
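The point both posts circle around is that a port forward is matched before the firewall gets to terminate IPsec itself, so a forward whose destination is broad enough to cover the firewall's own WAN address will redirect IKE (UDP 500/4500) and, without NAT-T, ESP away from the firewall, while a forward pinned to one routed address leaves the primary address alone. The following is an added example, not code from the thread or from pfSense: a small first-match model of port-forward rules with a check for the three IPsec flows Derelict lists. The addresses (203.0.113.0/29 documentation range) and the internal host are constructed stand-ins for the poster's "primary IP", "IP address number 5" and "Windows VPN server", and the matching semantics are a simplified model, not the real pf evaluator.

```python
"""First-match model of port forwards versus IPsec terminated on the firewall.

Added example; addresses and rule semantics are constructed/simplified and are
not the forum poster's configuration or pfSense's actual implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flows the firewall itself must receive to terminate an IPsec tunnel.
# ESP has no port; whether it is needed depends on NAT Traversal.
IPSEC_FLOWS: Tuple[Tuple[str, Optional[int]], ...] = (
    ("udp", 500),
    ("udp", 4500),
    ("esp", None),
)


@dataclass(frozen=True)
class Packet:
    proto: str               # "udp", "tcp" or "esp"
    dst_ip: str
    dst_port: Optional[int]  # None for port-less protocols such as ESP


@dataclass(frozen=True)
class PortForward:
    proto: str
    dst_ip: Optional[str]    # None models "any destination arriving on WAN"
    dst_port: Optional[int]  # None models "any port"
    target: str              # internal host the packet is rewritten to

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.dst_ip is not None and self.dst_ip != pkt.dst_ip:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def deliver(rules: List[PortForward], pkt: Packet) -> str:
    """Return the forward target that first matches, or "firewall" if none does."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return "firewall"


def ipsec_hijacks(rules: List[PortForward], firewall_ip: str) -> List[Tuple[str, Optional[int], str]]:
    """IPsec flows addressed to the firewall's own IP that a forward redirects elsewhere."""
    stolen = []
    for proto, port in IPSEC_FLOWS:
        where = deliver(rules, Packet(proto, firewall_ip, port))
        if where != "firewall":
            stolen.append((proto, port, where))
    return stolen


def forwarded_ipsec_flows(rules: List[PortForward], vip: str, target: str) -> List[Tuple[str, Optional[int]]]:
    """Which of the three IPsec flows sent to a routed address actually reach the VPN host."""
    return [(proto, port) for proto, port in IPSEC_FLOWS
            if deliver(rules, Packet(proto, vip, port)) == target]


# Constructed addresses (documentation range), not the poster's real ones.
PRIMARY_IP = "203.0.113.1"   # firewall's own WAN address, terminates IPsec
VIP_5 = "203.0.113.5"        # routed address that should reach the VPN host
VPN_HOST = "10.0.0.10"       # LAN Windows VPN server

# Hypothetical rule written with a destination of "any": it matches IKE to every address.
BROAD_RULES = [PortForward("udp", None, 500, VPN_HOST)]

# Hypothetical rules pinned to the routed address, covering UDP 500 and 4500 only.
NARROW_RULES = [
    PortForward("udp", VIP_5, 500, VPN_HOST),
    PortForward("udp", VIP_5, 4500, VPN_HOST),
]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD_RULES), ("narrow", NARROW_RULES)):
        print(name, "hijacks firewall IPsec:", ipsec_hijacks(rules, PRIMARY_IP))
        print(name, "flows reaching VPN host via VIP:", forwarded_ipsec_flows(rules, VIP_5, VPN_HOST))
```

Run as-is, the broad rule set reports UDP 500 to the primary address being redirected to the VPN host (the symptom in the first post), while the narrow set leaves the firewall's own IKE untouched and shows ESP as the one flow not forwarded to the VPN host, which is exactly the case where the clients' NAT-T setting decides whether the tunnel works.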