John Greiner wrote:
Any chance the UDP 500 negotiations between the firewalls for ipsec tunnels 
could be directed to negotiate on a different port leaving 500 available for 
L2TP traffic behind the firewall?


That's possible, but UDP port 500 is only relevant for IKE traffic. The IKE protocol is used for authenticating peers and negotiating dynamic key material. A security transport protocol, typically ESP, is used to protect the actual traffic. ESP is an IP protocol like TCP/UDP but it has no port numbers in its header. This creates problems for firewalls that perform NAT as they can only inspect source/destination addresses to classify the traffic.

If it were possible to do with pfsense, you might be able to get away with only forwarding packets destined for UDP ports 500 and 4500 to the internal L2TP host. But that depends entirely on NAT Traversal being supported by both the L2TP client and gateway. This multiplexes IKE and encapsulated ESP packets on UDP port 4500 which allows the traffic to pass through NAT more easily.

If pfsense can't do a selective port forward based on the source address and destination port, then you're out of luck.

-Matthew
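As an added illustration (not code from the thread or from pfsense), the Python below classifies constructed IPv4 packets the way a NAT firewall would have to: plain IKE on UDP 500, IKE and UDP-encapsulated ESP multiplexed on UDP 4500 (told apart by the RFC 3948 four-zero-byte non-ESP marker), and raw ESP, which has an SPI but no port fields at all. The addresses and SPI values are hypothetical sample data.

```python
import struct

IP_PROTO_UDP, IP_PROTO_ESP = 17, 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE inside UDP 4500 carries 4 zero bytes first

def classify(packet: bytes) -> dict:
    """Classify a raw IPv4 packet using only what a NAT firewall can see."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    info = {"src": src, "dst": dst, "ports": None, "spi": None}
    payload = packet[ihl:]
    if proto == IP_PROTO_ESP:
        # ESP header starts with the SPI; there is no port field anywhere
        info.update(kind="ESP", spi=struct.unpack("!I", payload[:4])[0])
        return info
    if proto != IP_PROTO_UDP:
        info["kind"] = f"proto-{proto}"
        return info
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]  # skip the 8-byte UDP header
    info["ports"] = (sport, dport)
    if dport == 500:
        info["kind"] = "IKE"
    elif dport == 4500 and data[:4] == NON_ESP_MARKER:
        info["kind"] = "IKE-NAT-T"  # an ESP SPI is never zero, so the marker is unambiguous
    elif dport == 4500:
        info.update(kind="ESP-in-UDP", spi=struct.unpack("!I", data[:4])[0])
    else:
        info["kind"] = "UDP"
    return info

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero; enough for classification)."""
    src_b, dst_b = (bytes(map(int, a.split("."))) for a in (src, dst))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b) + payload

def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed samples (hypothetical addresses); ESP bodies are dummy bytes after a made-up SPI
ISAKMP_HDR = b"\x11" * 28
ESP_BODY = struct.pack("!II", 0xC0FFEE01, 1) + b"\xaa" * 16
SAMPLES = {
    "ike": build_ipv4(17, "203.0.113.5", "192.0.2.10", build_udp(500, 500, ISAKMP_HDR)),
    "ike_natt": build_ipv4(17, "203.0.113.5", "192.0.2.10", build_udp(4500, 4500, NON_ESP_MARKER + ISAKMP_HDR)),
    "esp_udp": build_ipv4(17, "203.0.113.5", "192.0.2.10", build_udp(4500, 4500, ESP_BODY)),
    "esp_raw": build_ipv4(50, "203.0.113.5", "192.0.2.10", ESP_BODY),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

The raw ESP sample is the case that breaks a port-based forward: the only fields available to the firewall are the two addresses and the SPI.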
