Windows Server IPSec VPN Behind pfSense
-
I'm at my wit's end here after trying to figure out why I cannot get a connection to my Windows Server 2025 IPSec IKEv2 VPN.
Connection is getting dropped prior to the pfSense firewall and I can only assume it's because the built-in VPN/IPSec module is doing something.
Running packet capture on my WAN interface I can see the incoming connection requests to my public IP, port 500 UDP when I try to connect.
When I check the firewall logs, there are absolutely NO entries (pass or drop) during the same period for ANYTHING remotely related to the connection I'm trying to make. No port 500 UDP traffic showing on the public IP or internal IP of the Windows Server machine.
I've disabled the "Auto-added VPN rules" under System > Advanced > General and verified that there are no pfSense IPSec tunnels configured at all.
I've gone through all my NAT/firewall rules manually, and with AI assistance to ensure there are no other rules conflicting with UDP 500/4500.
Since nothing shows in the firewall logs, but does show hitting the WAN interface during packet inspection, I can only assume that something else is hooking that traffic before it makes it to the firewall. No idea how to proceed from here.
-
@Cortexian I assume your Windows server is behind pfSense (NAT’ed)?
Start by doing a packet capture on LAN to see if pfSense is forwarding the NAT’ed packets as expected - then you know if it’s Windows or pfSense not doing its thing.
On another note, why not let pfSense run the VPN service? It’s a built-in feature, works beautifully, and then you can access the Windows server for updates and management without fear of cutting your own VPN.
-
@keyser Thank you for the comment! This is a POC, pfSense won't be involved in the final deployment.
Yes the Windows server is behind pfSense. I have port forwarding setup with the associated rule as required.
Packet capture on the LAN interface shows the traffic is going to the correct internal IP address. Does that mean the firewall is functioning even though there's nothing in the log showing the rule passing traffic?
-
@Cortexian If the packets are forwarding to the correct internal IP, then the NAT/Firewall rule is working as expected.
Please note that pfSense does not log packets on rules by default. You have to select the “log” setting on your NAT rule for that to happen.
Also, pfSense does not log every packet - it only logs new “states/connections”. So once a state or connection is made you do not get log entries for additional packets in that connection. If you have a very active log, you probably need to filter it to even notice the log entry.
-
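To make the LAN-capture check described above concrete, here is an added example (not from this thread, from Netgate, or from pfSense itself) that correlates a WAN capture with a LAN capture for the IKE ports (UDP 500 and 4500), reports which inbound flows pfSense actually forwarded to the server, and counts how many "new state" log lines the rule would produce if logging were enabled on it. All capture lines, addresses and the port-forward target are constructed; the parser assumes `tcpdump -n -q` style output, and `check_forwarding` is a hypothetical helper name.

```python
"""Correlate pfSense WAN and LAN packet captures for an IKEv2 port forward.

Added example; the capture lines below are constructed, not real traffic.
203.0.113.10 plays the pfSense WAN address, 192.168.1.20 the Windows server
behind the port forward, and 198.51.100.7 the remote VPN client.
"""
import re
from collections import OrderedDict

# Constructed `tcpdump -n -q` style lines from the WAN interface.
WAN_CAPTURE = """
12:00:01.100 IP 198.51.100.7.500 > 203.0.113.10.500: UDP, length 528
12:00:01.350 IP 198.51.100.7.500 > 203.0.113.10.500: UDP, length 528
12:00:02.200 IP 198.51.100.7.4500 > 203.0.113.10.4500: UDP, length 112
12:00:03.000 IP 198.51.100.7.51000 > 203.0.113.10.53: UDP, length 60
"""

# Constructed LAN capture: only the UDP 500 flow was translated and forwarded.
LAN_CAPTURE = """
12:00:01.101 IP 198.51.100.7.500 > 192.168.1.20.500: UDP, length 528
12:00:01.351 IP 198.51.100.7.500 > 192.168.1.20.500: UDP, length 528
"""

IKE_PORTS = {500, 4500}  # IKE and NAT-T (UDP encapsulated ESP)

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


def parse_capture(text):
    """Parse tcpdump-style UDP lines into dicts; lines that do not match are skipped."""
    packets = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        pkt = m.groupdict()
        for key in ("sport", "dport", "length"):
            pkt[key] = int(pkt[key])
        packets.append(pkt)
    return packets


def ike_flows(packets, dst_ip):
    """Group IKE/NAT-T packets addressed to dst_ip by (src, sport, dport).

    Each key corresponds to one pf state; pfSense logs only the packet that
    creates the state, so the number of keys is the number of log lines to expect.
    """
    flows = OrderedDict()
    for pkt in packets:
        if pkt["dst"] != dst_ip or pkt["dport"] not in IKE_PORTS:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dport"])
        flows[key] = flows.get(key, 0) + 1
    return flows


def check_forwarding(wan_text, lan_text, public_ip, internal_ip):
    """Report which WAN IKE flows reappear on LAN with the translated destination."""
    wan = ike_flows(parse_capture(wan_text), public_ip)
    lan = ike_flows(parse_capture(lan_text), internal_ip)
    return {
        "wan_flows": wan,
        "forwarded": [k for k in wan if k in lan],
        "missing": [k for k in wan if k not in lan],
        # One "new state" entry per flow, and only if "log" is ticked on the rule.
        "expected_log_entries": len(wan),
    }


if __name__ == "__main__":
    result = check_forwarding(WAN_CAPTURE, LAN_CAPTURE, "203.0.113.10", "192.168.1.20")
    for key, count in result["wan_flows"].items():
        status = "forwarded" if key in result["forwarded"] else "NOT forwarded"
        print(f"{key[0]}:{key[1]} -> udp/{key[2]}  {count} packet(s)  {status}")
    print(f"firewall log lines to expect with logging enabled: {result['expected_log_entries']}")
```

Run against real captures, replace the two constants with the output of `tcpdump -n -q -i <wan> udp port 500 or udp port 4500` and the same filter on the LAN interface. A flow that appears in `missing` is one pfSense received but never translated, which points at the NAT rule; a flow that is forwarded but still fails points at the Windows side (firewall or the IKE service).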
@Cortexian is the Windows firewall disabled/configured?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html