Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Is it necessary to add the 4500(IPsec Nat-T) and 500 (ISAKmp) on the WAN?? pfsense 2.4.4

    Scheduled Pinned Locked Moved IPsec
    2 Posts 2 Posters 423 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Sal
      last edited by

      Hi guys,

      Some tutorials online are saying to add the 4500(IPsec Nat-T) and 500 (ISAKmp) on the WAN for the site to site IPsec tunnel. I was in the process of adding the rules on the second pfsense after I added it on the first one, but I noticed that the tunnel is connected. Is it required? I thought that the important part is to add the rules on the IPsec interface, not the WAN. Is this correct ??

      1 Reply Last reply Reply Quote 0
      • JeGrJ
        JeGr LAYER 8 Moderator
        last edited by

        @Sal said in Is it necessary to add the 4500(IPsec Nat-T) and 500 (ISAKmp) on the WAN?? pfsense 2.4.4:

        I thought that the important part is to add the rules on the IPsec interface, not the WAN. Is this correct ??

        Rules for 4500/500 on your IPSEC interface? Makes no sense. Those ports have to be working on your WAN so incoming IPSEC connections are passed through. On your tunnel/IPSEC interface those rules for those ports make no sense.

        But IMHO IPSec Ports are accepted automatically on WAN if IPSEC connections are configured.

        but I noticed that the tunnel is connected.

        IPSEC can be initiated bi-directional. So every side can be initiator or receiver. The tunnel coming up doesn't mean you already have working rules as it could have been initiated from the second site to the first your created the rules yourself. But as stated above, if I remember correctly IPSEC is created automatically (and that automation can be switched off in adv. settings)

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.