[solved] Mobile VPN on OPT1

  • Hey guys,

    I currently have mobile VPN working well on my WAN port. I have an OPT1 port with a faster ISP and would like to use this for mobile IPSec. Ideally, I could have users connect on either ISP. I know I could re-name the interfaces (WAN<->OPT1) to get the mobile ipsec on the other ISP but I'd rather not do that.

    any ideas?

    Yet another issue where I had to find the answer myself… hopefully this helps others:
    netstat -na shows that ports 500 and 4500 are being listened to on all interfaces so nothing needs to be done to the ipsec server
    all you need are two things:
    1. NAT rules with automatic firewall rules for tcp/udp 500 and tcp/udp 4500 to your pfsense's ip address

    If  Proto  Ext. port range  NAT IP  Int. port range  Description 
    OPT1 TCP/UDP 4500 (IPsec NAT-T) 4500 (IPsec NAT-T) NAT NAT-T

    This makes the following rules on OPT1 for you:
    Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
    TCP/UDP  *  *  500 (ISAKMP)  *      NAT ISAMKP 
    TCP/UDP * * 4500 (IPsec NAT-T) *   NAT NAT-T

    2. Next go to the IPSec configuration. Under My identifier, set it to "My IP Address" and enter your OPT1's IP address here.

    3. Go to your VPN client software. Tell it the identifier is the OPT1's IP address and tell it not to resolve this on its own.

    This works for me. I think that my rules can be tightened and/or simplified. This procedure could probably be tweaked so WAN and OPT1 accept mobile VPN clients at the same time but this meets my requirement of having mobile IPSEC on OPT1.
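
Added example, not part of the original post: a small script that automates the `netstat -na` check described above by reporting whether the IKE and NAT-T sockets are bound to the wildcard address or to one interface address. It assumes FreeBSD-style `netstat` output (local address written as `addr.port`) and looks only at UDP sockets, which is what IKE and NAT-T use; the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Classify where the IKE (UDP 500) and NAT-T (UDP 4500) sockets are bound,
# reading FreeBSD-style `netstat -na` output on stdin.
# Prints one line per port: "<port> all", "<port> <addr>[,<addr>...]" or "<port> none".
ike_listeners() {
    awk '
        $1 ~ /^udp/ {
            port = $4; sub(/^.*[.]/, "", port)      # text after the last dot
            if (port != "500" && port != "4500") next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "*")              seen[port] = "all"
            else if (seen[port] == "")    seen[port] = addr
            else if (seen[port] != "all") seen[port] = seen[port] "," addr
        }
        END {
            n = split("500 4500", want, " ")
            for (i = 1; i <= n; i++)
                print want[i], (seen[want[i]] == "" ? "none" : seen[want[i]])
        }'
}

# Exit status 0 only when both ports are bound on the wildcard address,
# i.e. the daemon itself needs no change to answer on a second WAN.
ike_on_all_interfaces() {
    ike_listeners | awk '$2 != "all" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample: daemon listening on every interface.
SAMPLE_WILDCARD='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.443         198.51.100.7.51234     ESTABLISHED
udp4       0      0 *.500                  *.*
udp4       0      0 *.4500                 *.*
udp4       0      0 127.0.0.1.53           *.*'

# Constructed sample: daemon bound to a single interface address.
SAMPLE_ONE_ADDR='udp4       0      0 192.0.2.10.500         *.*
udp4       0      0 192.0.2.10.4500        *.*'

printf '%s\n' "$SAMPLE_WILDCARD" | ike_listeners
printf '%s\n' "$SAMPLE_ONE_ADDR" | ike_listeners
# On the firewall itself: netstat -na | ike_listeners
```

If a port reports a single address or `none`, the NAT and identifier steps alone will not make the second interface answer; the listener binding has to be looked at first.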

  • so there are no ideas on how to have mobile ipsec users connect on the OPT1 ISP?

    ok, i guess i'm renaming the interfaces next maintenance window…

  • problem solved, first post edited. i don't know if what i was asking wasn't clear enough, it's hard to believe no one else could provide this answer. the only two downsides of pfsense are its poor logging capabilities, bugs and lack of support. given that it's free i guess that makes up for it.
