Problem
Can I run an IPSec server on my internal network instead of terminating IPSec on the UTM Firewall (IPSec passthrough to an internal server)?
Solution
•Solution if the IPSec endpoints are NAT aware (support NAT Traversal)
You need to forward UDP port 500 (IKE) and UDP port 4500 (NAT Traversal, which carries both IKE and the UDP-encapsulated ESP traffic) to the internal IPSec server.
•Solution if the IPSec endpoints are not NAT aware (no NAT Traversal)
You need to forward UDP port 500 (IKE) and the ESP protocol (IP protocol 50) to the internal IPSec server. ESP has no port numbers, so forwarded ESP can only be directed to a single internal server per external address.
NOTE: You cannot forward the AH protocol (IP protocol 51). AH authenticates the IP header, including the source and destination addresses, so the address rewriting done by the firewall invalidates every AH packet.
◦To port forward ESP on version 3.x and later firmware: select IP protocol 50 in the Protocol field of the port forwarding rule.
◦To port forward ESP on firmware prior to version 3.x, manually add two rules to forward ESP traffic to your internal IPSec server. Under Rules, Custom Firewall Rules, add the following two lines:
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -p 50 -j DNAT --to-destination a.b.c.d
iptables -A ExtAcc -p 50 -d a.b.c.d -j ACCEPT
where a.b.c.d is the address of your internal IPSec server, and $INTERNET_IF and $INTERNET_ADDR refer to the firewall's Internet interface and its address. The first rule rewrites the destination of incoming ESP (protocol 50) packets to the internal server; the second allows the rewritten packets through the ExtAcc chain.
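The complete rule set for both cases, as an added shell example that is not part of the KB article. It reuses the ExtAcc chain and the $INTERNET_IF and $INTERNET_ADDR variables from the article; the function names, the DRY_RUN convention and the default interface and address values (eth1, 203.0.113.10) are assumptions of this example. With DRY_RUN=1 it prints the iptables commands instead of running them, and it refuses to build rules for AH.

```shell
#!/bin/sh
# Added example (not from the KB article): build the port-forward rules for an
# IPSec server behind the UTM Firewall. The ExtAcc chain and the
# $INTERNET_IF/$INTERNET_ADDR variables come from the article; the defaults
# below are constructed values for a stand-alone run.
: "${INTERNET_IF:=eth1}"
: "${INTERNET_ADDR:=203.0.113.10}"

# run_rule: print the command when DRY_RUN=1, otherwise execute it.
run_rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_proto PROTO SERVER [PORT]: DNAT matching traffic arriving on the
# Internet interface to SERVER and accept it in the ExtAcc chain.
# PORT is only meaningful for udp; ESP (protocol 50) has no ports.
forward_proto() {
    proto=$1; server=$2; port=$3
    match="-p $proto"
    [ -n "$port" ] && match="$match --dport $port"
    # shellcheck disable=SC2086  # $match is intentionally word-split
    run_rule iptables -t nat -A PREROUTING -i "$INTERNET_IF" -d "$INTERNET_ADDR" \
        $match -j DNAT --to-destination "$server"
    run_rule iptables -A ExtAcc $match -d "$server" -j ACCEPT
}

# ipsec_forward_rules MODE SERVER
#   natt : both endpoints support NAT Traversal -> UDP 500 and UDP 4500
#   esp  : no NAT Traversal                      -> UDP 500 and IP protocol 50
#   ah   : refused, AH cannot be forwarded through NAT (returns 1)
ipsec_forward_rules() {
    mode=$1; server=$2
    case "$mode" in
        natt)
            forward_proto udp "$server" 500
            forward_proto udp "$server" 4500 ;;
        esp)
            forward_proto udp "$server" 500
            forward_proto 50 "$server" ;;
        ah)
            echo "AH (protocol 51) authenticates the IP header and cannot be NATed" >&2
            return 1 ;;
        *)
            echo "usage: ipsec_forward_rules natt|esp SERVER" >&2
            return 1 ;;
    esac
}

# Usage: DRY_RUN=1 sh forward_ipsec.sh esp 192.168.1.20
if [ $# -gt 0 ]; then
    ipsec_forward_rules "$@"
fi
```

After applying the rules, `iptables -t nat -S PREROUTING` should list the DNAT entries, and a packet capture on the internal server should show the IKE exchange on UDP 500 followed by either UDP 4500 (NAT-T) or protocol 50 (ESP) traffic arriving with the client's address as source.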
NOTE: The above applies only to an IPSec server running behind the UTM Firewall. By default, the UTM Firewall already handles IPSec passthrough for internal clients connecting out to IPSec servers on the Internet. Without NAT Traversal, however, each internal client must connect to a different IPSec server: ESP carries no port numbers, so the firewall cannot tell apart two clients' ESP flows to the same server. Only when the IPSec clients are NAT aware (using UDP 4500) can several internal clients connect to the same IPSec server through the same UTM Firewall.
Source: https://kc.mcafee.com/corporate/index?page=content&id=KB62398