Custom NAT-T port for remote gateway not taken into account
-
Dear all,
I set up two pfsense IPsec VPNs on two different servers.
Server A is configured with the default listening parameters (Advanced Settings):
IKE port: 500
NAT-T port: 4500
Server A sends messages using custom parameters (Advanced Options):
IKE port: 8031
NAT-T port: 8035
Server B is configured with custom listening parameters (Advanced Settings):
IKE port: 8031
NAT-T port: 8035
Server B sends messages using the default parameters (Advanced Options):
IKE port: 500
NAT-T port: 4500
Server B is "behind" a NAT.
The firewall on Server B allows UDP on ports 8031 and 8035.
Both servers have "Disable Auto-added VPN rules" checked (System/Advanced/Firewall & NAT).
When I open a connection from Server A to Server B, Server A sends the first message from its port 500 to port 8031.
Server B receives the first message and creates a new message with the information that it is behind a NAT.
Server B sends the second message to Server A from its port 8031 to port 500.
Server A receives the second message and gets the information that Server B is behind a NAT.
Server A creates a third message, but this time tries to use the NAT-T port for the communication.
Server A sends the third message from its port 4500, but to port 4500 and NOT to port 8035 as defined in the configuration.
Server B cannot receive the third message, as it listens on port 8035 and its firewall is disabled for port 4500.
The connection between both servers is not correctly initialized.
Both ports (8031 and 8035) are properly forwarded to Server B.
Why does Server A use the default NAT-T port (4500) and not the one in the configuration (8035) for the remote gateway?
Thanks!
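The exchange described above (IKE_SA_INIT on the IKE port, then the initiator switching to the NAT-T port once it learns the peer is NATed) is easiest to confirm from a packet capture on the initiator's WAN rather than from the GUI. The following is an added example, not code from the original post or from pfSense: a small parser for tcpdump-style lines that lists which destination ports the initiator actually used toward the peer and flags any that are outside the ports the peer's firewall permits. The addresses, the capture lines and the `EXPECTED_B_PORTS` set are constructed for illustration; the two captures model the failing exchange from the post and the intended one.

```python
import re
import sys
from dataclasses import dataclass

# Matches the "IP src.sport > dst.dport:" part of a tcpdump line (IPv4 only; assumption).
_PKT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed addresses (RFC 5737 documentation ranges), not from the post.
SERVER_A = "203.0.113.10"   # initiator, default listening ports 500/4500
SERVER_B = "198.51.100.20"  # public address in front of the NATed responder
# Ports Server B's firewall allows and forwards, per the post.
EXPECTED_B_PORTS = {8031, 8035}

# Constructed capture reproducing the failing exchange from the post:
# msg1 500->8031, msg2 8031->500, msg3 4500->4500 (wrong: B listens on 8035).
BROKEN_CAPTURE = [
    "10:00:00.000001 IP 203.0.113.10.500 > 198.51.100.20.8031: isakmp: parent_sa ikev2_init[I]",
    "10:00:00.020001 IP 198.51.100.20.8031 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]",
    "10:00:00.040001 IP 203.0.113.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]",
]

# Constructed capture of the intended exchange: msg3 goes to the custom NAT-T port 8035.
FIXED_CAPTURE = [
    "10:01:00.000001 IP 203.0.113.10.500 > 198.51.100.20.8031: isakmp: parent_sa ikev2_init[I]",
    "10:01:00.020001 IP 198.51.100.20.8031 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]",
    "10:01:00.040001 IP 203.0.113.10.4500 > 198.51.100.20.8035: NONESP-encap: isakmp: child_sa ikev2_auth[I]",
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    info: str  # remainder of the line after the address pair


def parse_tcpdump(lines):
    """Extract address/port pairs from tcpdump lines; lines that do not match are skipped."""
    pkts = []
    for line in lines:
        m = _PKT_RE.search(line)
        if not m:
            continue
        pkts.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                           line[m.end():].strip()))
    return pkts


def ports_used_toward(pkts, peer_ip):
    """Sorted list of distinct destination ports used toward peer_ip."""
    return sorted({p.dport for p in pkts if p.dst == peer_ip})


def find_misdirected(pkts, peer_ip, expected_ports):
    """Packets sent to peer_ip on a port the peer is not known to accept."""
    return [p for p in pkts if p.dst == peer_ip and p.dport not in expected_ports]


def report(lines, peer_ip, expected_ports):
    """Human-readable summary; returns the misdirected packets for programmatic use."""
    pkts = parse_tcpdump(lines)
    print(f"destination ports used toward {peer_ip}: {ports_used_toward(pkts, peer_ip)}")
    bad = find_misdirected(pkts, peer_ip, expected_ports)
    for p in bad:
        print(f"  misdirected: {p.src}.{p.sport} -> {p.dst}.{p.dport}  ({p.info})")
    if not bad:
        print("  all packets to the peer use an expected port")
    return bad


if __name__ == "__main__":
    # With no stdin, run against the constructed captures; otherwise parse a real
    # "tcpdump -ni <wan> udp and host <peer>" stream piped in.
    if sys.stdin.isatty():
        print("broken exchange:")
        report(BROKEN_CAPTURE, SERVER_B, EXPECTED_B_PORTS)
        print("fixed exchange:")
        report(FIXED_CAPTURE, SERVER_B, EXPECTED_B_PORTS)
    else:
        report(sys.stdin.read().splitlines(), SERVER_B, EXPECTED_B_PORTS)
```

On the failing exchange the report shows ports 8031 and 4500 used toward Server B and flags the third message, which is exactly the symptom in the post: the first two messages are fine, and only the NAT-T switch picks the wrong destination port. Running the same check after a configuration change gives a direct answer to "which port is the initiator really using" without guessing from the IPsec status page.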
-
@jc_fastcom said in Custom NAT-T port for remote gateway not taken into account:
Server A is configured with the default listening parameters (Advanced Settings):
IKE port: 500
NAT-T port: 4500
Server A sends messages using custom parameters (Advanced Options):
IKE port: 8031
NAT-T port: 8035
Server B is configured with custom listening parameters (Advanced Settings):
IKE port: 8031
NAT-T port: 8035
Server B sends messages using the default parameters (Advanced Options):
IKE port: 500
NAT-T port: 4500
Configure the connection for IKEv2 with NAT-T forced; this doesn't use port 500 and can use a random source port.
In phase 1, at "NAT Traversal", select force and only enter the NAT-T port.
-
@viragomann
Hi,
Thank you for your answer.
Unfortunately, selecting force in the phase 1 "NAT Traversal" option does not solve the problem.
The server is still using the default NAT-T port (4500) instead of the custom port set in the advanced options (here, 8035).
-
@jc_fastcom
If you state 8035 as the NAT-T port in phase 1 for this connection at A and leave the Remote IKE port field blank, the server should not send any packet to any other port.
But it's not really clear what you've configured. Maybe you can post screenshots of your settings.
-
It's working fine with the Remote IKE port field left blank.
Now Server A is using the custom NAT-T port as intended.
Thanks for your help.