IPsec VPN forwarding rules

I'm having issues with my VPN. As per the provider (It's Norton actually), one thing to try was to open UDP ports 500 and 4500. So I tried that (even though it actually worked before opening them), but the problem wasn't solved, and now it rarely works.

I added the following to /etc/config/firewall

config rule
	option src 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option name 'Norton VPN'
	option dest 'lan'
	option dest_port '500 4500'

Am I missing something?


Aren't there already rules that allow port 500 and 4500 by default in the firewall?

But for IPv4 you need to forward the ports since you don't have public IPv4 addresses in the LAN.

  • What issues do you have?
  • Where is your VPN client installed?
  • What protocol and port does it use to connect to the server?

There is a rule to allow UDP port 500 but not 4500.

They are forwarded, and showing as such in LuCI. The wiki says when the target (but not the source) port or IP is specified, the rule works as a forward.

@vgaetera It just rarely works on my Android phone and almost never works on my Windows PC, although they both worked for a few days in the beginning. The clients are installed on the client devices (it's part of the Norton 360 service and software and not a dedicated VPN solution, so not much room for tinkering around).

The Norton documentation says UDP ports 500 and 4500, and I got those open on the router. Though, when I try online tools for checking the ports it says they are closed. So not sure if the rule isn't working, or if the ISP is blocking them, which they deny.

It looks like IPsec, and the instruction seems to be here.
Unfortunately, I have no experience with IPsec.

Try to follow the @mikma's advice.
And make sure to open ports on the destination host if possible.

Checking UDP ports is typically more problematic than TCP and should be performed differently and separately from usual TCP scans.
UDP port check may not be supported by most online port check services.
Moreover, you need to open the destination, forward it on the router and run the software that listens on that port.

Something like that, though I'm not sure if 4500/UDP needs to be opened explicitly or not.
Perhaps it depends on the specific IPsec implementation.

4500 is required; it's the port used for UDP encapsulation. It's used when NAT is detected, since ESP can't be NATed.

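As an added example (not from the thread or from Norton), a small Python classifier for the two UDP ports discussed above: IKE on 500, and on 4500 either a one-byte NAT keepalive, IKE behind the four-zero-byte Non-ESP marker, or UDP-encapsulated ESP. The sample datagrams are constructed, not captured traffic, and the header layouts follow RFC 7296 and RFC 3948.

```python
import struct

# Added example: classify UDP datagrams of an IPsec/IKEv2 session by port
# and leading bytes (RFC 7296 IKE header, RFC 3948 UDP encapsulation).
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE carried over UDP 4500
NAT_KEEPALIVE = b"\xff"               # single-byte NAT keepalive on UDP 4500
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

def parse_ike_header(data):
    """Decode the fixed 28-byte IKE header shared by IKEv1 and IKEv2."""
    if len(data) < 28:
        return {"kind": "malformed"}
    ispi, rspi, _np, ver, exch, flags, msgid, length = struct.unpack("!QQBBBBII", data[:28])
    if length != len(data):              # length covers header plus payloads
        return {"kind": "malformed"}
    return {"kind": "ike",
            "version": f"{ver >> 4}.{ver & 0x0F}",
            "exchange": IKEV2_EXCHANGES.get(exch, f"type {exch}"),
            "initiator": bool(flags & 0x08),      # I flag
            "response": bool(flags & 0x20),       # R flag
            "responder_spi_set": rspi != 0,       # zero until the peer answers
            "msgid": msgid}

def classify_udp(dst_port, payload):
    """Return what one UDP payload carries, given its destination port."""
    if dst_port == IKE_PORT:
        return parse_ike_header(payload)
    if dst_port == NAT_T_PORT:
        if payload == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive"}
        if payload.startswith(NON_ESP_MARKER):   # IKE moved here after NAT detection
            return dict(parse_ike_header(payload[4:]), nat_t=True)
        if len(payload) >= 8:                    # otherwise UDP-encapsulated ESP
            spi, seq = struct.unpack("!II", payload[:8])
            return {"kind": "udp-esp", "spi": f"{spi:#010x}", "seq": seq}
        return {"kind": "malformed"}
    return {"kind": "not-ipsec"}

def ike_header(ispi, rspi, exch, flags, msgid, body=b""):
    """Build a constructed IKEv2 header (next payload 33 = SA, version 2.0)."""
    return struct.pack("!QQBBBBII", ispi, rspi, 33, 0x20, exch, flags, msgid, 28 + len(body)) + body

SAMPLES = [  # constructed datagrams, not captured traffic
    (500, ike_header(0x0102030405060708, 0, 34, 0x08, 0)),                 # IKE_SA_INIT request
    (4500, NON_ESP_MARKER + ike_header(0x0102030405060708, 0x1122334455667788, 35, 0x08, 1, b"\x00" * 64)),
    (4500, struct.pack("!II", 0xDEADBEEF, 7) + b"\x00" * 32),              # ESP, SPI 0xdeadbeef, seq 7
    (4500, NAT_KEEPALIVE),
]
```

Feeding the UDP payloads from a capture of a failing connection attempt through classify_udp shows whether the client ever gets past IKE_SA_INIT on 500 and whether the NAT-T traffic on 4500 appears at all.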

I did that too. Added port forwarding, with and without destination IP. No luck.

Not possible. I have no control over the VPN server. Though, I imagine they must have the ports open.

What bothers me really is that it sometimes works!

Anyway, I think to exclude any ISP factor I will try the router at a friend's house.


Then it should not be a configuration issue.
Do you have static IP at home or dynamic?


It's dynamic IP.

But then again, often it works on the phone but not the PC, even if they are connected to the same router.

It is not clear if the ports must be opened inbound or outbound. Judging by the fact that it worked before opening the ports on the firewall I'll guess it is for outbound.

Are you supposed to connect more than one device to the VPN at the same time?

I am not sure what you mean by inbound and outbound.

Yes, I have a license for multiple devices.

Inbound is wan->lan and outbound lan->wan.

Then I am out of ideas. I'd suggest opening a trouble ticket and troubleshooting with them.


To add more details and mystery:
My setup is a BTHH5A as modem and main router, and a C7 V2 as a WDS client, both running 19.07. The BTHH5A is the DHCP server, and has DNS of 1.1.1.1 and 8.8.8.8 configured for the WAN interface. When I experienced the issue, I assigned different SSIDs to the APs so I could easily know which device I was connected to. No matter what I tried, establishing a VPN connection on the mobile often took a long time, and sometimes failed; and it didn't work on the PC.

Then yesterday I happened to restart the C7. Today, I tried the VPN on the mobile and it took no time. I then tried it on the PC and it worked!

I can't think of how the C7 would affect the VPN if I'm connected to the other router, or how restarting the C7 would solve the problem. It could be a coincidence after all, but I'll keep an eye on it and report if I come to a conclusion.


Perhaps it is related to netfilter connection tracking while traversing NAT.


The VPN has been working flawlessly on both PC and mobile; today it stopped working again. There was no issue with VDSL or any change in my setup that could be related. I tried restarting the C7 and also turning off the WDS AP on the BTHH5A, plus restarting the BTHH5A itself, but still no VPN on the PC, and it takes long on the phone to establish a VPN connection.

So the mystery remains... probably something from the ISP side.

It may be worth optimizing the MTU, as an incorrect MTU can affect connectivity.


Thanks. I believe my MTU of 1492 is correct. However, I tried smaller values including 1420 and 1380 but that didn't solve the issue either.

It's worth mentioning that I don't have issues with the internet connection; it's just the Norton VPN that currently refuses to connect.


Sounds like something that should be troubleshot with Norton VPN support.
Do they "see" your connection attempts?
Is there any error in their logs?
If you can traceroute to the Norton endpoint address, I would rule out the fault from your side, since it works fine for a week and then it doesn't.
