IPSec with custom port
-
Hello everyone. I'm experiencing a strange situation:
- I have 2 premises, under 2 different ISPs, both with static public addresses.
- The ISP router is set to port-forward the needed ports to each pfSense instance.
- Setting up an IPsec connection between the 2 premises works with the default ports (500 and 4500).
Everything works fine; below is the ping done from a host on SITE B to a host on SITE A.
[Screenshots: SITE A, SITE B, PING]
The problem comes from the fact that ports 500 and 4500 are already used by a local service (Xbox), so I need to set up the tunnel using custom ports (501 and 4501).
Doing this brings the link up correctly:
[Screenshots: SITE A, SITE B]
The problem is that if I try the same ping test (from a host on SITE B), this is what it looks like:
[Screenshot: SITE A] Ping request arrives and is replied to (4 packets in / 4 packets out).
[Screenshot: SITE B] Ping request: packets going out (the number is different because the screenshot was taken later) but no reply.
What can be the reason for this behavior? NAT should be handled automatically by pfSense, as it is when using the default ports.
UPDATE: While taking the screenshot, I noticed that in the case with the custom ports, the phase 1 ports are kind of switched (site A calling from 501 to 4501 on the remote). This is also strange, and could be the reason...
-
After taking the screenshot and recognizing the mismatch between the ports, I've updated the Phase 1 settings on both ends, specifying just the NAT-T port.
Now the ports look coherent.
[Screenshots: SITE A, SITE B]
Now ping works :)
The question of why this port mismatch happened is still open... I've lost like 40 hours on this.
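A small check for the port skew described in both posts, added here as an example and not code from the thread or from pfSense: it parses tcpdump-style lines (the line format and the addresses are assumed and constructed) and flags flows where one end sits on the IKE port while the other sits on the NAT-T port.

```python
import re
from dataclasses import dataclass

# Assumed tcpdump-style line: "IP 198.51.100.10.501 > 203.0.113.20.4501: ..."
FLOW_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

def parse_flows(lines):
    """Extract (src, sport, dst, dport) from tcpdump-like text; skip other lines."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append(Flow(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows

def role(port, ike_port, natt_port):
    """Classify a UDP port as the IKE port, the NAT-T port, or something else."""
    if port == ike_port:
        return "ike"
    if port == natt_port:
        return "nat-t"
    return "other"

def find_mismatches(flows, ike_port=500, natt_port=4500):
    """Flows whose two ends disagree on IKE vs NAT-T. ike<->ike (initial exchange)
    and nat-t<->nat-t (after the NAT-T float) are healthy; ike<->nat-t is the
    501 -> 4501 skew the thread describes; 'other' on either end is also flagged."""
    bad = []
    for f in flows:
        a, b = role(f.sport, ike_port, natt_port), role(f.dport, ike_port, natt_port)
        if a != b or a == "other":
            bad.append(f)
    return bad

def check(lines, ike_port, natt_port):
    """Parse, then report mismatched flows as (sport, dport) pairs."""
    return [(f.sport, f.dport) for f in find_mismatches(parse_flows(lines), ike_port, natt_port)]

# Constructed capture lines (hypothetical addresses) mirroring the two screenshots.
BROKEN_CUSTOM = [
    "12:00:00.000001 IP 198.51.100.10.501 > 203.0.113.20.4501: UDP, length 500",
    "12:00:00.000002 IP 203.0.113.20.4501 > 198.51.100.10.501: UDP, length 500",
]
FIXED_CUSTOM = [
    "12:00:01.000001 IP 198.51.100.10.4501 > 203.0.113.20.4501: UDP, length 500",
    "12:00:01.000002 IP 203.0.113.20.4501 > 198.51.100.10.4501: UDP, length 500",
]
```

Run `check(BROKEN_CUSTOM, 501, 4501)` to see the skewed pairs and `check(FIXED_CUSTOM, 501, 4501)` for the coherent case after the Phase 1 change.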