IPSEC passthrough problem

  • Hi all

    We tried the following setup in our lab:

    [Site A]==[MS ISA Server Backend Firewall]==[pfSense Frontend Firewall]--PUBLIC--[MS ISA Server Firewall]==[Site B]

    We then tried to span an L2TP/IPSEC VPN between the two ISA Firewalls.

    -It works if Site A establishes the VPN.
    -It works both ways without the pfSense Firewall in between.

    -It does not work if Site B establishes the VPN through pfSense  >:(

    I think all Port-Forwarding and Firewall rules are present on the pfSense. pfSense forwards the initial (Main Mode) IKE Packets from Site B on Port 500 to the Backend ISA Firewall. But then the IKE negotiation times out.

    Any suggestions would be welcome  :)

    By the way pfSense is a great product. Thanks to the team!

    Best Regards


  • Try a recent snapshot @ snapshots.pfsense.com / FreeBSD6 / RELENG_1_2

  • Thanks. We tried the last three snapshots. Currently I am testing with "1.2-BETA-1-TESTING-SNAPSHOT-06-29-2007".

    I tried with Advanced Outbound NAT and with Automatic Outbound NAT.

    It did not work with any version  :(


  • Turn on advanced outbound NAT and then edit the LAN entry.  Check static-port.  Save.

    Test again, please.

  • Thanks. Unfortunately that did not work either.


  • New results:

    I used the AssumeUDPEncapsulationContextOnSendRule=2 registry setting from Windows XP on the ISA Server of Site B (although it is a Win2003 not an XP machine).

    Now it does work if I route the traffic through the WAN interface of pfSense  :)

    It seems that Win2003 does not auto-detect pfSense as a NAT device so must be forced to use NAT-T via that registry setting.

    But, it still does not work if I route the traffic through the OPT1 interface of pfSense instead of the WAN interface.  :(
    Is this intentional or a bug that those interfaces are handled differently by pfSense?

    I also noticed in the firewall logs of pfSense that although I used UDP ports 500 and 4500 in the NAT and Firewall rules the traffic gets forwarded by pfSense but is identified as TCP ports 500 and 4500  ???


  • Upgrade to 1.2b2 first. Log issues are fixed (lot of UDP traffic was displayed as TCP).

    Windows (or any VPN device, for that matter) does not automatically detect NAT, that's not possible.

    What do you mean by routing it through OPT1 instead of WAN? Outbound from ISA on OPT1? Do you have the appropriate rules on OPT1?

    This is a very simple setup, definitely not any bugs in 1.2b2 in this area.

  • 1. I will try 1.2b2 during the next couple of days. Thanks for the info.

    2. According to several MS articles Windows should auto-detect if NAT-T is needed for the IPsec connection. At least with pfSense in between it does not. But I don't know whether this is an MS issue, a pfSense issue or simply false information. It does not matter to me, because it works if I force Windows to use NAT-T as mentioned.

    3. To illustrate the problem with OPT1:

    With the following setup an L2TP/IPsec VPN connection can be initiated from Site B (Interface in curly brackets):

    [Site A]==[MS ISA Firewall]==[pfSense Firewall]{WAN}--PUBLIC--[MS ISA Firewall]==[Site B]

    With the following setup the same connection cannot be initiated from Site B (Interface in curly brackets):

    [Site A]==[MS ISA Firewall]==[pfSense Firewall]{OPT1}--PUBLIC--[MS ISA Firewall]==[Site B]

    The problem is reproducible (I tried several times both configurations). The rules are exactly the same in both configurations, I copied them via the pfSense Web-Interface.

    I hope this makes things clearer :) Thanks for your kind help.
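The thread goes back and forth on whether an IKE peer can "auto-detect" a NAT in the path. IKE does have a mechanism for this: with NAT-Traversal (RFC 3947) each side sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) over the addresses it believes it is using, and the receiver recomputes the hashes from the addresses actually seen on the wire; a mismatch means a NAT rewrote them, and the peers move to UDP/4500. The script below is an added illustration, not code from this thread or from pfSense or Windows, and models the lab above: the Site B ISA (initiator) sends IKE to the pfSense WAN address, which port-forwards it to the backend ISA. All addresses, cookies and the choice of SHA-1 are constructed assumptions. It also shows why the static-port setting mentioned earlier matters: a NAT that rewrites the source port changes the source-address hash as well.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload contents per RFC 3947 section 3.2:
    HASH(CKY-I | CKY-R | IP | Port), IP in network byte order, port as 2 bytes big-endian.
    SHA-1 is assumed here; in a real exchange the negotiated hash algorithm is used."""
    h = hashlib.new(algo)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """A peer sends the hash of the address it is sending TO first,
    followed by the hash(es) of its own source address."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port, own_ip, own_port):
    """Receiver side: recompute the hashes from the packet actually received.
    First hash mismatching our own address  -> we are behind a NAT.
    No remaining hash matching the observed source -> the sender is behind a NAT."""
    expected_dst = nat_d_hash(cky_i, cky_r, own_ip, own_port)
    expected_src = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    local_nat = received[0] != expected_dst
    remote_nat = expected_src not in received[1:]
    return {"local_nat": local_nat, "remote_nat": remote_nat, "use_nat_t": local_nat or remote_nat}


def scenario(behind_nat: bool, rewrite_source_port: bool = False) -> dict:
    """Constructed lab: Site B ISA at 198.51.100.7 (initiator) talks to the Site A
    backend ISA at 192.168.1.10 (responder). With pfSense in front, the initiator
    addresses the pfSense WAN 203.0.113.5, which forwards UDP/500 to 192.168.1.10.
    rewrite_source_port models a NAT on the initiator side that also changes the
    source port (what pfSense's static-port option is there to avoid)."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    initiator_ip, initiator_port = "198.51.100.7", 500
    responder_ip, responder_port = "192.168.1.10", 500
    address_initiator_uses = "203.0.113.5" if behind_nat else responder_ip

    # What the initiator puts in its NAT-D payloads, based on the addresses it knows.
    received = build_nat_d_payloads(
        cky_i, cky_r, initiator_ip, initiator_port, address_initiator_uses, responder_port
    )
    # What the responder actually observes as the packet's source.
    observed_port = 61000 if rewrite_source_port else initiator_port
    return detect_nat(cky_i, cky_r, received, initiator_ip, observed_port, responder_ip, responder_port)


if __name__ == "__main__":
    print("direct:            ", scenario(behind_nat=False))
    print("behind pfSense:    ", scenario(behind_nat=True))
    print("src port rewritten:", scenario(behind_nat=True, rewrite_source_port=True))
```

Running it shows the responder behind pfSense concluding `local_nat` is true and switching to NAT-T, while the direct setup detects no NAT at all. This is the detection the registry value AssumeUDPEncapsulationContextOnSendRule=2 short-circuits: it tells Windows to behave as if NAT-T were required regardless of what the NAT-D comparison says.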


  • I can confirm that logging UDP traffic works now with Beta 2  ;D

    Will test the other problem soon.