
IKEv2 Ports

I just changed my DSL modem firewall settings from allowing ALL ports from WAN to LAN to blocking ALL ports from WAN to LAN. That breaks IKEv2 VPN connection as expected. I have to change modem firewall settings back to allow ALL from WAN to LAN. Trying to block all and only allow needed ports for IKEv2 VPN connection.

What TCP/UDP ports are needed to allow incoming IKEv2 VPN connection to M270?

Comments

  •

    A Google search for "What TCP/UDP ports are needed to allow incoming IKEv2 VPN connection" shows multiple results showing that IKEv2 uses UDP port 500. You could start with that and see if it works.

    Gregg Hill

  •

    I just read the article:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/general/mobile_vpn_types_c.html

    By default, IKEv2 uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50. You cannot disable IPSec.

    and

    Required ports: ESP and UDP port 500; UDP port 500 and 4500 for NAT-T
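To make the port list from the quoted WatchGuard article concrete, here is a small default-deny policy model (an added example, not code from the thread or from WatchGuard). It builds the minimal WAN-to-LAN allowlist for the VPN gateway with and without NAT in front of it, then checks constructed sample flows against it; the flow samples, function names and constants are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# IP protocol numbers (IANA) and the IKEv2/IPsec ports named in the thread.
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500

# A rule is (ip protocol, destination port or None for port-less protocols).
Rule = Tuple[int, Optional[int]]

@dataclass(frozen=True)
class Flow:
    """One inbound WAN->LAN flow, reduced to what a modem firewall matches on."""
    protocol: int
    dst_port: Optional[int] = None

def ikev2_rules(gateway_behind_nat: bool) -> List[Rule]:
    """Minimal allowlist for inbound IKEv2 to the VPN gateway.

    Without NAT in front of the gateway: IKE on UDP 500 plus bare ESP (protocol 50).
    With NAT (the double-NAT setup in the thread): IKEv2 detects the NAT and uses
    NAT-T, so ESP travels inside UDP 4500 and bare ESP is not forwarded.
    UDP 4500 is always opened because NAT-T is also used whenever a remote
    client (rather than the gateway) sits behind NAT.
    """
    rules: List[Rule] = [(PROTO_UDP, IKE_PORT), (PROTO_UDP, NAT_T_PORT)]
    if not gateway_behind_nat:
        rules.append((PROTO_ESP, None))
    return rules

def is_allowed(flow: Flow, rules: List[Rule]) -> bool:
    """Default-deny: a flow passes only if some rule matches protocol and port."""
    return any(flow.protocol == p and (port is None or flow.dst_port == port)
               for p, port in rules)

def evaluate(flows: List[Flow], gateway_behind_nat: bool) -> dict:
    """Map each flow to its verdict under the allowlist for that topology."""
    rules = ikev2_rules(gateway_behind_nat)
    return {flow: is_allowed(flow, rules) for flow in flows}

# Constructed sample traffic: the IKEv2 pieces plus two services that must stay blocked.
SAMPLE_FLOWS = [
    Flow(PROTO_UDP, IKE_PORT),     # IKE_SA_INIT / IKE_AUTH
    Flow(PROTO_UDP, NAT_T_PORT),   # NAT-T (IKE and UDP-encapsulated ESP)
    Flow(PROTO_ESP),               # bare ESP, only meaningful without NAT
    Flow(PROTO_TCP, 443),          # unrelated inbound service: blocked
    Flow(PROTO_UDP, 53),           # unrelated inbound service: blocked
]

if __name__ == "__main__":
    for behind_nat in (False, True):
        print(f"gateway behind NAT: {behind_nat}")
        for flow, ok in evaluate(SAMPLE_FLOWS, behind_nat).items():
            print(f"  proto {flow.protocol:3} port {flow.dst_port}: {'allow' if ok else 'drop'}")
```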

  •

    In cases where the ISP device cannot be put into bridge mode and a Firebox is behind an ISP device doing NAT, I leave the ISP device's firewall enabled, then I put the Firebox's WAN IP address (which is on the ISP device's LAN) into the ISP modem's DMZ. That way, other than double-NAT, it's no different than the Firebox being first in line. All inbound services work, plus I get the benefit of seeing all inbound traffic in FSM traffic monitor.

    I don't know if that fits your setup.

    Gregg Hill

  •

    That's a great idea. I'll give that a try.

  •

    So I re-enabled modem firewall, blocking all from WAN to LAN and adding M270 WAN IP to DMZ on the modem. I thought I got it working yesterday because no one complained (they were already connected when I made changes late Thursday). VPN users complain they can't connect this morning. I tested it. They're right. I can't connect. Bummer! Gotta disable modem firewall once again.

  •

    Is the ISP modem doing NAT, with your M270 behind it on private IPs?

    Was the DMZ WAN IP of the Firebox on the LAN of the ISP modem, and did it remain the same as the M270's WAN IP before and after it worked? In those cases, I set my Firebox's WAN IP as static and/or use a DHCP reservation in their ISP modem/router for the Firebox's WAN IP just in case the ISP modem tries to change it.

    Gregg Hill

  •

    "blocking all from WAN to LAN"

    Is there a firewall setting for blocking all from WAN to DMZ that also may have been enabled?

    What model DSL modem do you have?

    Gregg Hill

  •

    It's a ZyXel P-873HNU-51B. I don't know enough about the modem settings so I'll just leave it the way it is at this time.

    @Greggmh123 said:
    Is the ISP modem doing NAT, with your M270 behind it on private IPs?

    Was the DMZ WAN IP of the Firebox on the LAN of the ISP modem, and did it remain the same as the M270's WAN IP before and after it worked? In those cases, I set my Firebox's WAN IP as static and/or use a DHCP reservation in their ISP modem/router for the Firebox's WAN IP just in case the ISP modem tries to change it.
