Nat-t udp port
-
Hello,
Reading up on the racoon program, I see that it binds to udp port 4500 in addition to 500 for Nat-traversal. Does this mean a firewall rule that allows ISAKMP will automagically allow access to port 4500? If not, how does communication begin to/from port 4500?
Thanks!
–jason
-
If you have NAT-T enabled it will allow access to udp/4500 the same as it will for udp/500.
-
Hello,
Or, in this case, not at all unless I explicitly define an inbound rule. (I just tested it…)
Thank you!
--jason
-
It has occurred to me my own response to this thread could have been interpreted as "snarky". I hereby retract that tone, and I will clarify what I meant.
My question stemmed from seeing "ISAKMP" on the predefined destination port range of the firewall rules. It was clear to me I needed to allow access to ISAKMP in order to even begin an incoming ipsec session. It just wasn't clear if that included the nat-t port. I have since seen the nat-t entry in the port range list as "ipsec nat-t". Once I defined this rule, the sessions started up immediately.
This is clearly something I could have tested before I opened this thread. I was able to verify using tcpdump at the pfsense command line.
–jason
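The situation worked through in this thread, a ruleset that passes ISAKMP (udp/500) but not NAT-T (udp/4500), as an added example that is not part of any post: a small sh check over a pf ruleset dump in the form `pfctl -sr` prints. The rulesets below are constructed sample data with numeric ports, and "em0" as the WAN interface is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a pf ruleset dump (the format
# `pfctl -sr` prints on pfSense) for the two inbound UDP rules an IPsec
# responder needs: IKE on udp/500 (ISAKMP) and NAT-T on udp/4500.
# Sample data is constructed; "em0" as the WAN interface is an assumption.

ISAKMP_ONLY='pass in quick on em0 inet proto udp from any to (em0) port = 500 keep state
block drop in log quick on em0 inet all'

BOTH_PORTS='pass in quick on em0 inet proto udp from any to (em0) port = 500 keep state
pass in quick on em0 inet proto udp from any to (em0) port = 4500 keep state
block drop in log quick on em0 inet all'

# count_pass_udp RULES IFACE PORT: number of "pass in" UDP rules on IFACE
# that name PORT (numeric, as pfctl prints it without service-name lookup).
count_pass_udp() {
    printf '%s\n' "$1" |
        grep -Ec "^pass in .*on $2 .*proto udp .*port = $3( |\$)" || true
}

# ipsec_ports_allowed RULES IFACE -> both | isakmp-only | natt-only | none
ipsec_ports_allowed() {
    n500=$(count_pass_udp "$1" "$2" 500)
    n4500=$(count_pass_udp "$1" "$2" 4500)
    if [ "$n500" -gt 0 ] && [ "$n4500" -gt 0 ]; then echo both
    elif [ "$n500" -gt 0 ]; then echo isakmp-only
    elif [ "$n4500" -gt 0 ]; then echo natt-only
    else echo none
    fi
}

# Stand-alone run: the ISAKMP-only ruleset is the thread's starting point,
# where IKE reaches the box but udp/4500 from peers behind NAT is dropped.
echo "isakmp-only ruleset: $(ipsec_ports_allowed "$ISAKMP_ONLY" em0)"
echo "both-ports ruleset:  $(ipsec_ports_allowed "$BOTH_PORTS" em0)"
# To confirm on the live box the way the thread did, watch both ports:
#   tcpdump -ni em0 'udp and (port 500 or port 4500)'
```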