ISAKMP and Outbound NAT Rules.

Started by brim2full, May 15, 2020, 02:58:04 PM

I was digging around my firewall rules today trying to check why I'm having a problem with OpenVPN, unrelated.  I noted two autoconfigured NAT outbound rules both include IP address ranges associated with lan, localhost and my OpenVPN.

Interface  Src. Networks                               Src. Port  Dest. Networks  Dest. Port  NAT Address  NAT Port  Static Port  Description
WAN        LAN networks, 127.0.0.0/8, op.en.vpn.0/24  *          *               500         WAN          *         YES          Auto created rule for ISAKMP
WAN        LAN networks, 127.0.0.0/8, op.en.vpn.0/24  *          *               *           WAN          *         NO           Auto created rule

What immediately caught my eye though was "Auto created rule for ISAKMP".  Not being the most experienced in these things and not recognising ISAKMP, I googled the interweb.  It appears ISAKMP is strongly associated with IPsec and Cisco, neither of which I am using.  So why does this rule exist?  Also, if my understanding of the outbound rules is correct, I'm wondering if the rule is actually required.  Would it not be covered by the second rule (Auto created rule)?

It might also be sensible to query my reading of these rules and that would be: map source addresses:ports (the source networks listed) leaving the WAN interface to destination addresses:ports.  If that is wrong then please educate me.

Regards all and keep safe.

This rule is created since you have automatic NAT or hybrid NAT enabled.
It will NAT outbound connections from LAN to WAN with the WAN IP. Everything fine until here?
If an internal client wants to use a VPN client to outside world, this mostly only works when you have static port mapping (again, direction only LAN to WAN). So OPNsense adds this too to minimize your troubleshooting if something doesn't work.
Usually you also want this for SIP/RTP :)
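
To make the static-port point above concrete, here is a small simulation added to this thread (it is not OPNsense code; the LAN client, WAN address and peer address are constructed). It models the two auto-created rules as one outbound NAT gateway that either keeps the client's source port (the ISAKMP rule, static port YES) or hands out a fresh high port (the generic rule, static port NO), and an IKE responder that, as some older implementations do, answers to UDP 500 regardless of the source port it saw. It also shows the cost of static port mapping: a second LAN host using the same source port to the same peer collides with the first host's state.

```python
"""Why the ISAKMP outbound NAT rule keeps the source port static.

Illustrative model only (not OPNsense's implementation). All addresses
below are constructed for the example.
"""
from dataclasses import dataclass, field

ISAKMP_PORT = 500


@dataclass
class NatGateway:
    """Minimal outbound NAT: rewrites LAN source to the WAN address (LAN -> WAN only)."""
    wan_ip: str
    static_port: bool
    next_port: int = 1024
    # (wan_port, dst_ip, dst_port) -> (lan_ip, lan_port)
    states: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """Translate a LAN->WAN packet and return it as seen on the WAN side."""
        if self.static_port:
            wan_port = lan_port            # keep the client's port (static port YES)
        else:
            wan_port = self.next_port      # allocate a fresh port (static port NO)
            self.next_port += 1
        key = (wan_port, dst_ip, dst_port)
        if key in self.states and self.states[key] != (lan_ip, lan_port):
            raise RuntimeError("state collision: another LAN host owns this mapping")
        self.states[key] = (lan_ip, lan_port)
        return (self.wan_ip, wan_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Match a reply against state; None means the firewall has no state and drops it."""
        return self.states.get((dst_port, src_ip, src_port))


def strict_peer_reply(peer_ip, observed_src_port):
    """Responder that always answers to UDP 500 (ignores the observed source port)."""
    return (peer_ip, ISAKMP_PORT, ISAKMP_PORT)  # (src_ip, src_port, dst_port)


def lenient_peer_reply(peer_ip, observed_src_port):
    """Responder that answers to whatever source port it saw."""
    return (peer_ip, ISAKMP_PORT, observed_src_port)


def ike_round_trip(static_port, peer_reply):
    """True if the peer's reply makes it back through the NAT to the LAN client."""
    nat = NatGateway(wan_ip="203.0.113.10", static_port=static_port)   # constructed
    lan_ip, peer_ip = "192.168.1.20", "198.51.100.5"                   # constructed
    _, wan_port, _, _ = nat.outbound(lan_ip, ISAKMP_PORT, peer_ip, ISAKMP_PORT)
    src_ip, src_port, dst_port = peer_reply(peer_ip, wan_port)
    return nat.inbound(src_ip, src_port, dst_port) == (lan_ip, ISAKMP_PORT)


def second_client_collides():
    """Static port: two LAN hosts using UDP 500 to the same peer cannot both have state."""
    nat = NatGateway(wan_ip="203.0.113.10", static_port=True)
    peer_ip = "198.51.100.5"
    nat.outbound("192.168.1.20", ISAKMP_PORT, peer_ip, ISAKMP_PORT)
    try:
        nat.outbound("192.168.1.21", ISAKMP_PORT, peer_ip, ISAKMP_PORT)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("static port, strict peer :", ike_round_trip(True, strict_peer_reply))
    print("random port, strict peer :", ike_round_trip(False, strict_peer_reply))
    print("random port, lenient peer:", ike_round_trip(False, lenient_peer_reply))
    print("second client collides   :", second_client_collides())
```

The second line of output is the case the ISAKMP rule exists for: with the generic rule the client's UDP 500 becomes some high port on the WAN, the strict peer replies to 500 anyway, the firewall finds no matching state and drops the reply. The generic rule alone is therefore not a substitute for the ISAKMP rule when the remote peer behaves strictly, while the collision case explains why the static mapping is limited to port 500 rather than applied to all traffic.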

Thanks mimugmail, your reply was insightful and raises a specific OpenVPN question not related to this post, so I'll give it some thought and maybe post a different question.
Meanwhile, back to this ranch....  does OpenVPN use the ISAKMP protocol?