• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Default static NAT for port 500 causes issues with iOS 16 and IPSec

Scheduled Pinned Locked Moved NAT
1 Posts 1 Posters 478 Views 1 Watching
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • A Offline
    artooro
    last edited by Sep 28, 2022, 1:54 PM

    By default pfSense has a static NAT port rule in Outbound NAT for port 500.

    Starting with iOS 16 I've noticed issues where phones are having trouble making IKEv2 VPN connections from behind pfSense.
    When one device makes a UDP 500 connection to initiate the IPSec connection, the state does not appear to get dropped and no other devices are able to connect. Previously the port 500 state was quickly recycled allowing devices to connect in fairly quick succession.

    What I've done to workaround this is switch Outbound NAT to Hybrid mode, and create a rule for port 500 that does not have Static Port enabled.
    After creating this rule to effectively disable the automatic built-in rule, the issues are resolved and all phones have no problem connecting to the VPN.

    This may be a bug in iOS 16, but maybe it's time to add an option to System / Advanced / Firewall & NAT to disable the creation of "Auto created rule for ISAKMP"

    1 Reply Last reply Reply Quote 0
    1 out of 1
    • First post
      1/1
      Last post
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
      This community forum collects and processes your personal information.
      consent.not_received