Netgate Discussion Forum
    [solved] Mobile VPN on OPT1

    IPsec
    3 Posts 1 Posters 2.5k Views
    • rsingh

      Hey guys,

      I currently have mobile VPN working well on my WAN port. I have an OPT1 port with a faster ISP and would like to use this for mobile IPsec. Ideally, I could have users connect on either ISP. I know I could rename the interfaces (WAN<->OPT1) to get the mobile IPsec on the other ISP, but I'd rather not do that.

      Any ideas?

      --------------
      Solution:
      Yet another issue where I had to find the answer myself… hopefully this helps others:
      netstat -na shows that ports 500 and 4500 are being listened to on all interfaces, so nothing needs to be done to the IPsec server.
      All you need are two things:
      1. NAT rules with automatic firewall rules for tcp/udp 500 and tcp/udp 4500 to your pfSense's IP address:

      If    Proto    Ext. port range     NAT IP       Int. port range     Description
      OPT1  TCP/UDP  500 (ISAKMP)        192.168.1.1  500 (ISAKMP)        NAT ISAKMP
      OPT1  TCP/UDP  4500 (IPsec NAT-T)  192.168.1.1  4500 (IPsec NAT-T)  NAT NAT-T

      This makes the following rules on OPT1 for you:

      Proto    Source  Port  Destination  Port                Gateway  Schedule  Description
      TCP/UDP  *       *     192.168.1.1  500 (ISAKMP)        *                  NAT ISAKMP
      TCP/UDP  *       *     192.168.1.1  4500 (IPsec NAT-T)  *                  NAT NAT-T

      2. Next go to the IPsec configuration. Under My identifier, set it to "My IP Address" and enter your OPT1's IP address here.

      3. Go to your VPN client software. Tell it the identifier is the OPT1's IP address and tell it not to resolve this on its own.

      This works for me. I think that my rules can be tightened and/or simplified. This procedure could probably be tweaked so WAN and OPT1 accept mobile VPN clients at the same time, but this meets my requirement of having mobile IPsec on OPT1.
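The solution above rests on one precondition: the IKE daemon must be bound to the wildcard address for UDP 500 and 4500, otherwise a NAT redirect arriving on OPT1 and aimed at another of the firewall's addresses would hit a socket that is not listening there. The script below is an added example, not from the poster or from the pfSense project; it parses `netstat -na` output in the FreeBSD format pfSense uses (address and port joined by a dot, `*` for the wildcard) and reports the bind address of each IKE port. The `SAMPLE_NETSTAT` text is constructed for the example; on a live box you would feed it the real output of `netstat -na`.

```shell
#!/bin/sh
# Added example: check that UDP 500 (ISAKMP) and 4500 (NAT-T) are bound to all
# addresses on a pfSense/FreeBSD host. Not part of the forum post.

# Constructed sample of FreeBSD `netstat -na` output (assumption: this is the
# layout you would see on pfSense; real data comes from `netstat -na`).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.1.443        *.*                    LISTEN
udp4       0      0 *.500                  *.*
udp4       0      0 *.4500                 *.*
udp6       0      0 *.500                  *.*
udp4       0      0 *.53                   *.*'

# ike_bind_address PORT NETSTAT_TEXT
# Prints the IPv4 address a UDP port is bound to ("*" means all interfaces),
# or "none" if no udp4 socket is listening on that port.
ike_bind_address() {
    port=$1
    text=$2
    addr=$(printf '%s\n' "$text" | awk -v p="$port" '
        $1 == "udp4" {
            # FreeBSD prints the local socket as ADDRESS.PORT; the last
            # dot-separated field is the port, everything before it the address.
            n = split($4, f, "[.]")
            if (f[n] == p) {
                print substr($4, 1, length($4) - length(p) - 1)
                exit
            }
        }')
    if [ -n "$addr" ]; then
        printf '%s\n' "$addr"
    else
        printf 'none\n'
    fi
}

# ike_listening_everywhere NETSTAT_TEXT
# Returns 0 when both IKE ports are bound to the wildcard address, 1 otherwise
# (for example when the daemon is bound only to the WAN address, in which case
# a redirect from OPT1 to 192.168.1.1 as in the post would not be answered).
ike_listening_everywhere() {
    text=$1
    status=0
    for p in 500 4500; do
        a=$(ike_bind_address "$p" "$text")
        if [ "$a" = "*" ]; then
            echo "udp/$p: bound to all addresses"
        else
            echo "udp/$p: bound to '$a' (expected '*')"
            status=1
        fi
    done
    return $status
}

# Run against the constructed sample; on a real box replace with:
#   ike_listening_everywhere "$(netstat -na)"
ike_listening_everywhere "$SAMPLE_NETSTAT"
```

If the check fails, fix the daemon's bind address before adding NAT rules; the port forward alone will not make an unbound socket answer.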
    • rsingh

      So there are no ideas on how to have mobile IPsec users connect on the OPT1 ISP?

      OK, I guess I'm renaming the interfaces next maintenance window…
    • rsingh

      Problem solved, first post edited. I don't know if what I was asking wasn't clear enough; it's hard to believe no one else could provide this answer. The only two downsides of pfSense are its poor logging capabilities, bugs and lack of support. Given that it's free, I guess that makes up for it.
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.