Is it possible to change the listening port of IPsec VTI?
-
Hi there,
My ISP has just started to block UDP ports 500 & 4500. Is it possible to change the listening port of IPsec VTI? Both servers run pfSense.
I tried to set some NATs but there was no clue to do so.
Any suggestion would be appreciated.
U.D.
-
@upper-deck not that I know of. Sucks that your ISP is repressive. You could try WireGuard or OpenVPN instead.
-
@upper-deck That's actually NAT-T & ISAKMP not VTI, but as @gabacho4 says that sucks and try WireGuard or OpenVPN.
Otherwise look in the advanced section, not sure what you'd do with the clients :-
-
@nogbadthebad oh wow. Then that suggests you can change the ports? He could set both sides to use say 51820 and 51821?
-
@gabacho4 Yup, I didn't think you could till I used Google and found the following redmine:-
https://redmine.pfsense.org/issues/11518
-
@nogbadthebad that is wicked. I’ll have to play with my policy IPsec setup just for the wow factor. That’s freaking great!
-
@nogbadthebad said in Is it possible to change the listening port of IPsec VTI?:
@upper-deck That's actually NAT-T & ISAKMP not VTI, but as @gabacho4 says that sucks and try WireGuard or OpenVPN.
Otherwise look in the advanced section, not sure what you'd do with the clients :-
That is "UDP port for remote gateway", right? Should I change the UDP ports on remote gateway first then change these settings?
-
@upper-deck Not a clue to be honest as just had a look at my mobile client phase 1 setting, fortunately I have a sensible ISP.
-
@nogbadthebad on my site-to-site policy-routed IPsec I have fields to change the local ports. How are you seeing remote ports? Which version of pfSense and what kind of IPsec connection?
-
@gabacho4 I use IPsec for a mobile road-warrior type connection, not site-to-site.
-
Would you mind sharing a screenshot of the fields for changing the local ports? I can only find the remote gateway port option. Thank you.
-
@upper-deck sure thing. Again, I am running a policy-routed IPsec connection. When I go to VPN -> IPsec -> Advanced Settings, I have:
EDIT: I am running pfSense Plus 22.05 on this particular box.
-
OOOOOH I get what we're missing. You are looking at the Advanced Settings on the P1. I was looking at the advanced settings for IPsec writ large. Lightbulb! So that means you need to go to the IPsec advanced settings on the router that is having IPsec UDP/500 and UDP/4500 blocked (not the P1) and set the alternate ports. Then on the other end, you would need to set those ports in the P1 for the connection. I'd probably do the same thing on both sides just so that things are standardized.
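After changing the ports as described above, the thing to verify on the box is that the IKE daemon actually bound the new UDP ports before pointing the other side at them. The following is an added example, not code from the thread or from pfSense/Netgate: a POSIX shell check that reads `sockstat -4l -P udp` output (FreeBSD, which pfSense runs on) and confirms the strongSwan `charon` process has listeners on the expected ISAKMP and NAT-T ports. The process name `charon`, the column layout, and the sample output are assumptions for this example; the sample is constructed, and the ports 51820/51821 are just the ones floated earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the IKE daemon is bound to the
# alternate ISAKMP / NAT-T ports set under VPN > IPsec > Advanced Settings.
# Assumes pfSense's strongSwan daemon is named "charon" and that the input is
# FreeBSD `sockstat -4l -P udp` output. The sample below is CONSTRUCTED.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     charon     4242  12 udp4   *:51820               *:*
root     charon     4242  13 udp4   *:51821               *:*
root     unbound    1337  5  udp4   *:53                  *:*'

# port_bound_by <sockstat-output> <command> <udp-port>
# Exit 0 if <command> has a UDP listener on <udp-port>, 1 otherwise.
port_bound_by() {
    printf '%s\n' "$1" | awk -v cmd="$2" -v port="$3" '
        NR > 1 && $2 == cmd && $5 ~ /^udp/ {
            # LOCAL ADDRESS is addr:port; take the last colon-separated piece
            # so an IPv6 address with embedded colons is handled too.
            n = split($6, a, ":")
            if (a[n] == port) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# ike_ports_bound <sockstat-output> <isakmp-port> <nat-t-port>
# Exit 0 only when charon listens on both ports; reports which one is missing.
ike_ports_bound() {
    rc=0
    for p in "$2" "$3"; do
        if port_bound_by "$1" charon "$p"; then
            echo "ok: charon listening on udp/$p"
        else
            echo "MISSING: charon not listening on udp/$p"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample. On a real box you would use:
#   ike_ports_bound "$(sockstat -4l -P udp)" 51820 51821
ike_ports_bound "$SAMPLE_SOCKSTAT" 51820 51821
```

If either port reports MISSING, the daemon has not picked up the change (or it was set on the wrong page, the per-P1 "UDP port for remote gateway" instead of the global advanced settings), and the other end's P1 should not be repointed yet. As with any listener port change, also confirm that inbound WAN rules permit the new UDP ports and that the remote side's P1 remote-gateway port matches exactly.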
-
@gabacho4 I think so
-
@upper-deck that is awesome. I’ll play with mine later but this was a cool learning moment to me.