Default static NAT for port 500 causes issues with iOS 16 and IPSec
-
By default pfSense has a static NAT port rule in Outbound NAT for port 500.
Starting with iOS 16 I've noticed issues where phones are having trouble making IKEv2 VPN connections from behind pfSense.
When one device makes a UDP 500 connection to initiate the IPSec connection, the state does not appear to get dropped and no other devices are able to connect. Previously the port 500 state was quickly recycled, allowing devices to connect in fairly quick succession.

What I've done to work around this is switch Outbound NAT to Hybrid mode and create a rule for port 500 that does not have Static Port enabled.

After creating this rule to effectively disable the automatic built-in rule, the issues are resolved and all phones have no problem connecting to the VPN.

This may be a bug in iOS 16, but maybe it's time to add an option to System / Advanced / Firewall & NAT to disable the creation of "Auto created rule for ISAKMP".
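The workaround described in the post, written out as the corresponding Outbound NAT section of a pfSense config.xml. This is an added illustration, not the poster's configuration or anything shipped by pfSense: the LAN subnet 192.168.1.0/24, the interface name wan and the rule description are assumptions, and the element names are reproduced from memory of pfSense's config format, so compare them against the `<nat><outbound>` block in your own /conf/config.xml rather than pasting blindly. The point is that in Hybrid mode manual rules are evaluated before the automatic ones, so a manual UDP source-port-500 rule with no `<staticnatport/>` element matches first and the auto-created ISAKMP static-port rule never applies.

```xml
<!-- Added example: Outbound NAT in Hybrid mode with a UDP 500 rule
     that deliberately omits <staticnatport/>. Assumed values:
     interface "wan", LAN subnet 192.168.1.0/24. -->
<nat>
  <outbound>
    <!-- "hybrid" = automatic rules plus manual rules; manual rules are
         processed first, so the rule below shadows the auto-created
         "Auto created rule for ISAKMP" static-port rule. -->
    <mode>hybrid</mode>
    <rule>
      <interface>wan</interface>
      <protocol>udp</protocol>
      <source>
        <network>192.168.1.0/24</network>
      </source>
      <!-- Match only IKE/ISAKMP traffic by its source port. -->
      <sourceport>500</sourceport>
      <destination>
        <any></any>
      </destination>
      <!-- No <staticnatport/> here: pf is free to rewrite the source
         port, so each phone gets its own translated port and state
         instead of all of them contending for WANIP:500. -->
      <target></target>
      <descr><![CDATA[UDP 500 outbound without static port (overrides auto ISAKMP rule)]]></descr>
    </rule>
  </outbound>
</nat>
```

After applying the change (Firewall / NAT / Outbound in the GUI does the same thing), `pfctl -sn` on the firewall should show the manual UDP port 500 nat rule without the `static-port` keyword listed ahead of the automatic one. Keep in mind the trade-off: without static port, IKE peers that insist on seeing source port 500 may behave differently, which is exactly why pfSense adds the static-port rule by default, so test the VPNs you depend on after switching.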