Topic: ISAKMP and Outbound NAT Rules. (Read 5085 times)
brim2full (Newbie, Posts: 11, Karma: 0)
ISAKMP and Outbound NAT Rules. « on: May 15, 2020, 02:58:04 pm »
I was digging around my firewall rules today trying to check why I'm having a problem with OpenVPN, unrelated. I noted two autoconfigured NAT outbound rules; both include IP address ranges associated with LAN, localhost and my OpenVPN.
| Interface | Src. Networks | Port | Dest. Networks | Port | NAT Address | Port | Static Port | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | LAN networks, 127.0.0.0/8, op.en.vpn.0/24 | * | * | 500 | WAN | * | YES | Auto created rule for ISAKMP |
| WAN | LAN networks, 127.0.0.0/8, op.en.vpn.0/24 | * | * | * | WAN | * | NO | Auto created rule |
What immediately caught my eye though was "Auto created rule for ISAKMP". Not being the most experienced in these things and not recognising ISAKMP I googled the interweb. It appears ISAKMP is strongly associated with IPsec and Cisco, neither of which I am using. So why does this rule exist? Also, if my understanding of the outbound rules is correct, I'm wondering if the rule is actually required. Would it not be covered by the second rule ("Auto created rule")?
It might also be sensible to query my reading of these rules and that would be:
map source addresses:ports (the source networks listed) leaving the WAN interface to destination addresses:ports.
If that is wrong then please educate me.
Regards all and keep safe.
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: ISAKMP and Outbound NAT Rules. « Reply #1 on: May 15, 2020, 03:01:00 pm »
This rule is created since you have automatic NAT or hybrid NAT enabled.
It will NAT outbound connections from LAN to WAN with the WAN IP. Everything fine until here?
If an internal client wants to use a VPN client to the outside world, this mostly only works when you have static port mapping (again, direction only LAN to WAN). So OPNsense adds this too to minimize your troubleshooting if something doesn't work.
Usually you also want this for SIP/RTP.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
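How the two auto-created rules in this thread interact, as an added example (not part of any forum post and not OPNsense's own code): a small first-match model of outbound NAT showing that port 500 traffic would also match the general rule, but only the ISAKMP rule preserves the source port. The LAN and OpenVPN subnets, the WAN address and the 1024-65535 rewrite range are constructed assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Optional

WAN_IP = "203.0.113.10"  # constructed WAN address (RFC 5737 documentation range)

# Constructed stand-ins for "LAN networks", localhost and the masked OpenVPN subnet.
SOURCES = [ipaddress.ip_network(n)
           for n in ("192.168.1.0/24", "127.0.0.0/8", "10.8.0.0/24")]

@dataclass
class NatRule:
    description: str
    sources: List[ipaddress.IPv4Network]
    dst_port: Optional[int]   # None models "*" in the rule table
    static_port: bool

# Same order as the rule table in the first post: translation is first match wins.
RULES = [
    NatRule("Auto created rule for ISAKMP", SOURCES, 500, True),
    NatRule("Auto created rule", SOURCES, None, False),
]

def translate(src_ip, src_port, dst_port, rules=RULES, rng=random):
    """Return (rule description, NAT address, NAT source port), or None if no rule matches."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if not any(addr in net for net in rule.sources):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        # Static port keeps the client's source port; otherwise it is rewritten.
        # The 1024-65535 range is an assumption made for this model.
        port = src_port if rule.static_port else rng.randint(1024, 65535)
        return rule.description, WAN_IP, port
    return None

if __name__ == "__main__":
    flows = [  # constructed sample flows: (source IP, source port, destination port)
        ("192.168.1.20", 500, 500),    # IKE/ISAKMP from a LAN client
        ("192.168.1.20", 40000, 443),  # ordinary HTTPS
        ("10.8.0.6", 51000, 1194),     # traffic to the default OpenVPN port
    ]
    for flow in flows:
        print(flow, "->", translate(*flow))
    # With the ISAKMP rule removed, the general rule still matches but rewrites port 500.
    print("without ISAKMP rule:", translate("192.168.1.20", 500, 500, rules=RULES[1:]))
```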
brim2full (Newbie, Posts: 11, Karma: 0)
Re: ISAKMP and Outbound NAT Rules. « Reply #2 on: May 15, 2020, 03:30:59 pm »
Thanks mimugmail, your reply was insightful and raises a specific OpenVPN question not related to this post, so I'll give it some thought and maybe post a different question.
Meanwhile, back to this ranch... does OpenVPN use the ISAKMP protocol?