Router NAT settings can cause client reconnection issues #520
Comments
I have the same issue, but I don't clearly understand how to fix it.
@lgg Do you use pfSense? I can post some screenshots of the NAT settings.
It's a known issue and I refer to those routers as "broken routers". A lot of proprietary ones do this and it obviously causes problems.
So, is there anything that can be done to fix this, short of buying a pfSense router?
If your router has a feature called "VPN Passthrough" or "IPsec Passthrough", try turning it off.
Just wanted to say thank you for documenting this here. I had been struggling with this problem (multiple macOS/iOS clients + pfSense), and this appears to have fixed it.
@davidemyers Could you send a PR to cover this in the docs, please?
Will do.
Here's a description of an issue I've found written in a form suitable for the Troubleshooting document.
I have multiple devices and they have problems staying connected
Check your router’s NAT settings. In pfSense, NAT randomizes the source ports of outgoing connections. In order to accommodate IPsec clients whose IKE implementations don’t support NAT-T, pfSense exempts outgoing IKE connections (port 500) from randomization and keeps the source port static. This creates a limitation of only one current IKE negotiation at a time. Any subsequent attempt to create an IPsec connection fails until the firewall state created by the previous attempt expires (in about a minute).
pfSense users can avoid this issue by disabling the static port NAT exemption for IKE. In Outgoing NAT settings, switch to Manual Outbound NAT and disable the rule for traffic from your LAN address to port 500.
This issue is more likely to be seen by those with multiple iOS clients as they tend to attempt frequent reconnections when sleeping.
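The following is an added, constructed model of the outbound-NAT behaviour described in the troubleshooting text above; it is not pfSense or pf code, and it simplifies pf's state table to the parts that matter here (a per-flow state keyed on the translated 5-tuple, a fixed state lifetime, and either a static or a randomized source port for IKE). The addresses, the 60-second state lifetime and the class and function names are all assumptions made for the example. It shows why, with the static-port rule in place, a second client's IKE attempt to the same VPN server has no usable translation until the first client's state expires, and why randomizing the source port removes the collision.

```python
"""Toy model of pfSense-style outbound NAT for IKE (UDP/500).

Constructed example, not pfSense's implementation. It demonstrates the
one-IKE-negotiation-at-a-time limitation caused by the 'static port'
exemption for port 500, and the behaviour once that exemption is removed.
"""
import random
from dataclasses import dataclass

IKE_PORT = 500
STATE_TIMEOUT = 60.0  # assumed state lifetime in seconds ("about a minute" in the text)


@dataclass
class NatState:
    src_ip: str
    src_port: int
    ext_port: int     # translated source port seen by the VPN server
    dst_ip: str
    dst_port: int
    expires_at: float


class OutboundNat:
    """Outbound NAT with a single external address and optional static-port IKE rule."""

    def __init__(self, ext_ip: str, static_port_for_ike: bool, seed: int = 0):
        self.ext_ip = ext_ip
        self.static_port_for_ike = static_port_for_ike
        self.rng = random.Random(seed)  # seeded so the example is reproducible
        self.states: list[NatState] = []

    def _expire(self, now: float) -> None:
        self.states = [s for s in self.states if s.expires_at > now]

    def _in_use(self, ext_port: int, dst_ip: str, dst_port: int) -> bool:
        # A translated (ext_ip, ext_port, dst_ip, dst_port) tuple can belong to one flow only.
        return any(s.ext_port == ext_port and s.dst_ip == dst_ip and s.dst_port == dst_port
                   for s in self.states)

    def _pick_random_port(self, dst_ip: str, dst_port: int) -> int:
        for _ in range(1000):
            port = self.rng.randint(1024, 65535)
            if not self._in_use(port, dst_ip, dst_port):
                return port
        raise RuntimeError("port pool exhausted")

    def translate(self, now: float, src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int):
        """Return the external source port for this outgoing packet, or None if the
        firewall cannot create a state for it (the failure mode in the text)."""
        self._expire(now)
        # An existing state for the same inside flow is simply reused.
        for s in self.states:
            if (s.src_ip, s.src_port, s.dst_ip, s.dst_port) == (src_ip, src_port, dst_ip, dst_port):
                return s.ext_port
        if self.static_port_for_ike and dst_port == IKE_PORT:
            ext_port = src_port  # static port: keep the client's source port (500)
            if self._in_use(ext_port, dst_ip, dst_port):
                return None      # another client already owns (ext_ip, 500) -> (vpn, 500)
        else:
            ext_port = self._pick_random_port(dst_ip, dst_port)
        self.states.append(NatState(src_ip, src_port, ext_port, dst_ip, dst_port,
                                    now + STATE_TIMEOUT))
        return ext_port


def simulate(static_port: bool) -> list:
    """Two LAN clients start IKE to the same VPN server one second apart; the second
    one retries after the first client's state has expired. Returns the three results."""
    nat = OutboundNat("203.0.113.10", static_port)   # assumed WAN address (documentation range)
    vpn = "198.51.100.5"                              # assumed VPN server address
    first = nat.translate(0.0, "192.168.1.20", IKE_PORT, vpn, IKE_PORT)
    second = nat.translate(1.0, "192.168.1.21", IKE_PORT, vpn, IKE_PORT)
    retry = nat.translate(60.5, "192.168.1.21", IKE_PORT, vpn, IKE_PORT)
    return [first, second, retry]


if __name__ == "__main__":
    print("static port for IKE :", simulate(True))    # [500, None, 500]
    print("randomized port     :", simulate(False))   # three usable ports, second == retry
```

With the static-port rule the second client gets `None` (no state) until the first state has aged out, which is the reconnection failure iOS devices run into when several of them wake and rekey at once; with randomization each client gets its own external port immediately and its retry reuses the state it already created.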