3 Replies Latest reply on Jan 13, 2015 11:27 AM by sliedl

    VPN Pass-through and termination


      I have a Version 8 Firewall that requires client IPSEC pass-through to an internal device, while simultaneously supporting IPSEC on-box termination for Site-to-Site VPN's.  The knowledegebase seems to indicate that this should work, but the Firewall actually seems to be doing a wild-card bind on the ISAKMP Server, and I am unable to pass the UDP Port 500 traffic through to the internal device, even though I am using a different external IP Address?

      Should this be possible?

      Do I need to do anything specific to bind the ISAKMP server to a single IP Address?
      Is this because the Firewall has been upgraded from Version 7 instead of installed from scratch at Version 8?


      Hope someone can help...





        • 1. Re: VPN Pass-through and termination

          Make sure the pass-through rule has the second external address specified in the Destination field, it is above the ISAKMP Server rule, and it's using a packet-filter app. defense and not a UDP-proxy app. defense.

          • 2. Re: VPN Pass-through and termination

            It's definitely the second address, and using a 'Connection settings' app defence.  It started out below the ISAKMP Server rule, but I moved it above yesterday.  I don't need to reboot or anything horrible do I?  I've tried re-starting the ISAKMP Server, but it still seems to be doing the wild-card bind?

            • 3. Re: VPN Pass-through and termination

              It does not matter if the ISAKMP server is doing a wildcard bind if the pass-through rule is above the ISAKMP Server rule.  There may be a way to get ikmpd to only do a bind on a specific IP address but I have never had to do that nor heard of that being done.  I suggest calling in to Support to do a remote session if the rule is still not working.