outbound IPsec/L2TP from LAN, passing through opnsense, not possible?

[maweber]

Hi all
I'm struggling to connect from a Mac inside the LAN to an internet IPsec/L2TP server (brand Zyxel).

I tested it successfully without the opnsense router in between (different net, different router).
I unsuccessfully tried without the automatic outbound NAT rules.
It seems the attempt doesn't write anything to the Firewall log.

We got a gateway failover installed.
DNS resolves right.

Any hints?

Thank you very much for your help!
best
Manu

[Julien]

please provide more information.
is your ISP router on bridge mode or not ?
firewall rules ?

[maweber]

please provide more information.
is your ISP router on bridge mode or not ?
firewall rules ?

Connection: It's a biz fiber router with a static global subnet on opnsense WAN. I guess no special mechanics involved: bridged.

Firewall:
There are lots of rules, I think better I would know what to look for.
Do you know what Ports are involved in L2TP/IPsec? I dont understand the multiphase concept enough, sorry.

I thought since there are no blocked entries, it must have been by design (blocket IPsec passthrough because of opnsense's own IPsec ability, or so)

thanks
m

[bartjsmit]

These are the standard IPSec/L2TP firewall rules:

Protocol: UDP, port 500 (for IKEv1/v2)
Protocol: UDP, port 4500 (for IKEv1/v2)
Protocol: UDP, port 1701 (for L2TP)

You shouldn't need the IPsec rules, since they're wrapped in L2TP, but they are:

Protocol: ESP, value 50 (for IPsec)
Protocol: AH, value 51 (for IPsec)

Bart...