Racoon, IPSec and NAT, or How to Twist Its Tail
I am a little unclear (read: confused) on the inbound and outbound NATing of IPSec and Racoon. As I read it, Racoon is, to a point, actually integrated into the WAN interface firewall, but just how deeply integrated in relation to NAT and the outbound firewall?
I'm hoping someone could shed a little brighter light on this subject.
Anyway, further reading indicates pfSense does in fact support IPSec, IF the IPSec daemon Racoon is enabled and firewall rules are set up to pass IPSec inbound on the newly created tab under firewall rules. Correct me if I'm wrong, but it appears that IPSec is implemented in pfSense by a certain portion of code in the WAN interface, enabling pass-through from the WAN to the LAN(s), at least from the new IPSec tab in Firewall > Rules > IPSec.
Question: since this appears to allow this traffic in, is it then necessary to create a rule for the IPSec outbound traffic on the LAN interface to allow outbound traffic on the LAN IPSec ports? (I have done so temporarily: WAN <--- LAN <--- ANY, pass all 4500 UDP & 500 UDP.)
So I have created those. Now NAT...
I set port forwards for the required ports (in this case 123 UDP, 500 UDP, and 4500 UDP). These NAT port forwards automatically generate WAN rules. The question here is: are these really needed, since UDP ports 500 (for key exchange) and 4500 (the traffic) are IPSec standards, if allowed on the IPSec firewall tab with specific rules for inbound traffic? (Or do I need to set NAT forwards on IPSec tab -----> LAN -----> ALL instead of on WAN ----> LAN ----> ALL?)
But that still leaves a question on Outbound NAT (Manual). Port 500 appears to be automatically generated for each interface for ISAKMP; I am assuming I will need to also create an outbound NAT for port 4500 UDP as well (or all)?
Hopefully someone can shed a little more light on this. Most of the information I have come across about IPSec is about IPSec itself and touches very little on the firewall configuration and rules themselves.
Thanks, Steve
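An added example, not part of the post above or of pfSense itself: a small audit over a constructed, simplified rule table modelled on the rules Steve describes (WAN/LAN pass rules, port forwards for 123/500/4500, an outbound NAT entry for 500 only). It reports which of the two IPSec ports named in the post (ISAKMP UDP/500, NAT-T UDP/4500) lack a WAN pass rule, which port forwards point at ports that are not IPSec ports, and which IPSec ports have no outbound NAT entry. The `Rule` tuple shape and the `kind` names are assumptions of this example, not a pfSense format.

```python
# Added example: audit a firewall rule table for the IPsec-related entries
# discussed in the post (ISAKMP UDP/500 and NAT-T UDP/4500). The Rule tuple
# is a constructed, simplified representation, not pfSense's own rule format.
from collections import namedtuple

Rule = namedtuple("Rule", "kind iface proto port action")

# The two IPsec ports the post refers to, with the role each plays.
IPSEC_PORTS = {("udp", 500): "ISAKMP/IKE", ("udp", 4500): "NAT-T"}

# Constructed sample resembling the rules described in the post:
# WAN and LAN pass rules for 500/4500, port forwards for 123/500/4500,
# and a manual outbound NAT entry that exists only for port 500.
SAMPLE_RULES = [
    Rule("filter", "wan", "udp", 500, "pass"),
    Rule("filter", "wan", "udp", 4500, "pass"),
    Rule("filter", "lan", "udp", 500, "pass"),
    Rule("filter", "lan", "udp", 4500, "pass"),
    Rule("portforward", "wan", "udp", 123, "pass"),
    Rule("portforward", "wan", "udp", 500, "pass"),
    Rule("portforward", "wan", "udp", 4500, "pass"),
    Rule("outboundnat", "wan", "udp", 500, "nat"),
]


def audit_ipsec_rules(rules):
    """Return (missing_wan_pass, non_ipsec_forwards, no_outbound_nat).

    missing_wan_pass:   IPsec roles with no WAN pass rule for their port.
    non_ipsec_forwards: (proto, port) port forwards that are not IPsec ports.
    no_outbound_nat:    IPsec roles with no outbound NAT entry for their port.
    """
    wan_pass = {(r.proto, r.port) for r in rules
                if r.kind == "filter" and r.iface == "wan" and r.action == "pass"}
    missing_wan_pass = sorted(role for key, role in IPSEC_PORTS.items()
                              if key not in wan_pass)
    non_ipsec_forwards = sorted((r.proto, r.port) for r in rules
                                if r.kind == "portforward"
                                and (r.proto, r.port) not in IPSEC_PORTS)
    outbound = {(r.proto, r.port) for r in rules if r.kind == "outboundnat"}
    no_outbound_nat = sorted(role for key, role in IPSEC_PORTS.items()
                             if key not in outbound)
    return missing_wan_pass, non_ipsec_forwards, no_outbound_nat


if __name__ == "__main__":
    missing, stray, unnatted = audit_ipsec_rules(SAMPLE_RULES)
    print("IPsec ports without WAN pass rule:", missing or "none")
    print("Port forwards that are not IPsec ports:", stray or "none")
    print("IPsec ports without outbound NAT entry:", unnatted or "none")
```

On the sample table this flags the UDP/123 forward as unrelated to IPsec and UDP/4500 as the one IPsec port lacking an outbound NAT entry, which is exactly the gap the post is asking about.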