IKEv2 Ports
I just changed my DSL modem firewall settings from allowing ALL ports from WAN to LAN to blocking ALL ports from WAN to LAN. That breaks IKEv2 VPN connection as expected. I have to change modem firewall settings back to allow ALL from WAN to LAN. Trying to block all and only allow needed ports for IKEv2 VPN connection.
What TCP/UDP ports are needed to allow incoming IKEv2 VPN connection to M270?
0
Sign In to comment.
Comments
A Google search for "What TCP/UDP ports are needed to allow incoming IKEv2 VPN connection" shows multiple results showing that IKEv2 uses UDP port 500. You could start with that and see if it works.
Gregg Hill
I just read the article:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/general/mobile_vpn_types_c.html
By default, IKEv2 uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50. You cannot disable IPSec.
and
Required ports: ESP and UDP port 500; UDP port 500 and 4500 for NAT-T
In cases where the ISP device cannot be put into bridge mode and a Firebox is behind an ISP device doing NAT, I leave the ISP device's firewall enabled, then I put the Firebox's WAN IP address (which is on the ISP device's LAN) into the ISP modem's DMZ. That way, other than double-NAT, it's no different than the Firebox being first in line. All inbound services work, plus I get the benefit of seeing all inbound traffic in FSM traffic monitor.
I don't know if that fits your setup.
Gregg Hill
That's a great idea. I'll give that a try.
So I re-enabled modem firewall, blocking all from WAN to LAN and adding M270 WAN IP to DMZ on the modem. I thought I got it working yesterday because no one complained (they were already connected when I made changes late Thursday). VPN users complain they can't connect this morning. I tested it. They're right. I can't connect. Bummer! Gotta disable modem firewall once again.
Is the ISP modem doing NAT, with your M270 behind it on private IPs?
Was the DMZ WAN IP of the Firebox on the LAN of the ISP modem, and did it remain the same as the M270's WAN IP before and after it worked? In those cases, I set my Firebox' WAN IP as static and/or use a DHCP reservation in their ISP modem/router for the Firebox' WAN IP just in case the ISP modem tries to change it.
Gregg Hill
"blocking all from WAN to LAN"
Is there a firewall setting for blocking all from WAN to DMZ that also may have been enabled?
What model DSL modem do you have?
Gregg Hill
It's a ZyXel P-873HNU-51B. I don't know enough about the modem settings so I'll just leave it the way it is at this time.