Is it necessary to add the 4500(IPsec Nat-T) and 500 (ISAKmp) on the WAN?? pfsense 2.4.4



  • Hi guys,

    Some tutorials online are saying to add the 4500(IPsec Nat-T) and 500 (ISAKmp) on the WAN for the site to site IPsec tunnel. I was in the process of adding the rules on the second pfsense after I added it on the first one, but I noticed that the tunnel is connected. Is it required? I thought that the important part is to add the rules on the IPsec interface, not the WAN. Is this correct ??


  • LAYER 8 Moderator

    @Sal said in Is it necessary to add the 4500(IPsec Nat-T) and 500 (ISAKmp) on the WAN?? pfsense 2.4.4:

    I thought that the important part is to add the rules on the IPsec interface, not the WAN. Is this correct ??

    Rules for 4500/500 on your IPSEC interface? Makes no sense. Those ports have to be working on your WAN so incoming IPSEC connections are passed through. On your tunnel/IPSEC interface those rules for those ports make no sense.

    But IMHO IPSec Ports are accepted automatically on WAN if IPSEC connections are configured.

    but I noticed that the tunnel is connected.

    IPSEC can be initiated bi-directional. So every side can be initiator or receiver. The tunnel coming up doesn't mean you already have working rules as it could have been initiated from the second site to the first your created the rules yourself. But as stated above, if I remember correctly IPSEC is created automatically (and that automation can be switched off in adv. settings)


Log in to reply