This article illustrates how to set up an Optus router to forward UDP 500, UDP 4500, ESP and AH to the VPN gateway. This is required when an IPsec VPN gateway (e.g. an EdgeRouter) sits behind a NAT device (e.g. an Optus router).
Prerequisites, pitfalls and other notes:
- Requires a static IP on the VPN gateway (EdgeRouter) WAN interface, either via a DHCP static lease on the Optus/Sagemcom router or a statically configured address. In this example, we assume it is
- If you're trying to set up a DHCP static lease ("reserved address" on the Optus router), the IP address needs to be within the DHCP pool. (The Optus router differs from most others here.)
- ESP and AH don't really have a "port" number, but specify 0 on the Optus modem because it won't allow us to add the forwarding with an empty "port" field. (I consider this a UI bug.)
- Your IPsec VPN implementation may not require all of these forwardings. For example, UDP 4500 may not be required if you're not using NAT traversal. However, setting up all of them maximises the chance of bringing the IPsec VPN up successfully. You can remove unused forwarding rules afterwards.
- Do NOT use the "DMZ" function on the Optus router. Otherwise, non-IPsec TCP sessions will get reset frequently. You will notice it when you SSH to another host on the Internet.
| External host | Internal host | Protocol | External port | Internal port |
|---------------|---------------|----------|---------------|---------------|
| (empty)       | 192.168.0.2   | UDP      | 500           | 500           |
| (empty)       | 192.168.0.2   | UDP      | 4500          | 4500          |
| (empty)       | 192.168.0.2   | ESP      | 0             | 0             |
| (empty)       | 192.168.0.2   | AH       | 0             | 0             |
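As an added example (not part of the original article, and not Optus or EdgeRouter code), the following script parses forwarding entries written in the same "External host: ... Internal port: ..." layout as the rules above and audits them against the set an IPsec gateway behind NAT needs, flagging missing entries, entries that land on a host other than the gateway, and port rewrites. The sample entries, the gateway address 192.168.0.2 and the `nat_traversal` switch are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same "External host: ... Internal port: ..." layout as the Optus
# entries above; deliberately incomplete (no UDP 4500, no AH) so the audit has something to find.
SAMPLE_RULES = """\
External host: (empty) Internal host: 192.168.0.2 Protocol: UDP External port: 500 Internal port: 500
External host: (empty) Internal host: 192.168.0.2 Protocol: ESP External port: 0 Internal port: 0
"""

RULE_RE = re.compile(
    r"External host: (?P<ext>\S+) Internal host: (?P<host>\S+) Protocol: (?P<proto>\w+) "
    r"External port: (?P<eport>\d+) Internal port: (?P<iport>\d+)"
)

# Everything the article forwards to the gateway; ESP and AH have no port, hence 0.
REQUIRED = {("UDP", 500): "IKE (UDP 500)", ("UDP", 4500): "NAT-T (UDP 4500)",
            ("ESP", 0): "ESP", ("AH", 0): "AH"}

@dataclass(frozen=True)
class Rule:
    internal_host: str
    protocol: str
    external_port: int
    internal_port: int

def parse_rules(text):
    """Parse one forwarding entry per line; lines that do not match are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["host"], m["proto"].upper(), int(m["eport"]), int(m["iport"])))
    return rules

def audit(rules, gateway_ip, nat_traversal=True):
    """Return findings: required entries that are missing or do not land on the gateway."""
    findings = []
    by_key = {(r.protocol, r.external_port): r for r in rules}
    for key, name in REQUIRED.items():
        if key == ("UDP", 4500) and not nat_traversal:
            continue  # UDP 4500 is only needed when NAT traversal is in use
        rule = by_key.get(key)
        if rule is None:
            findings.append(f"missing: {name}")
        elif rule.internal_host != gateway_ip:
            findings.append(f"{name} forwards to {rule.internal_host}, not {gateway_ip}")
        elif rule.internal_port != rule.external_port:
            findings.append(f"{name} rewrites port {rule.external_port} to {rule.internal_port}")
    return findings
```

Running `audit(parse_rules(SAMPLE_RULES), "192.168.0.2")` reports the two entries the sample leaves out; an empty list means the full set above is in place and pointed at the gateway.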