Can you forward ESP (type 50) packets with the Telstra unit? If not you will struggle to get this working. If you can move to just using IKEv2 instead of L2TP/IPsec for authentication, encryption and tunnelling, you can convince it to use only UDP port 500 to do everything.

Regards,
Jason Hecker
<https://www.upandrunningtech.com.au/>

On Sat, 17 Oct 2020, at 09:44, Roger Plant wrote:
Hi,
It is quite possible (likely) that the router is messing with it. Unfortunately they are usually also servicing phones, so replacement is less easy.
You could put something (e.g. a Mikrotik) behind the router, and port forward to that temporarily, and see if 4500 and 500 traffic is actually getting through, e.g. with a packet sniffer, or maybe a pass-through firewall rule somewhere.
As "Service" mentioned, if the client is Windows and the server is behind a NAT (and you are using pre-shared key authentication), you need to make the registry changes. This is very specific: it's only if the server has a port forward to it; it doesn't apply if only the client is behind a NAT. (It doesn't apply for non-Windows clients either.)
During IPsec negotiation the client gets told what the server's actual IP address is, and if it doesn't match the external IP address it's sending to (and its PSK, etc.), it refuses to connect.
Good luck.
Regards,
Roger
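A worked version of the Windows registry change Roger refers to, added here as an example and not part of the original thread. The key path and value name are Microsoft's documented ones for L2TP/IPsec NAT traversal (KB 926179); the chosen value of 2 (client and server both behind NAT) is an assumption for a typical home-router setup, and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): enable NAT-T for a Windows L2TP/IPsec client
# when the server is behind a NAT/port forward, as described above.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of the DWORD value:
#   0 = default; no UDP-encapsulated IPsec to a server that is behind a NAT
#   1 = the server is behind a NAT
#   2 = both the client and the server are behind a NAT (assumed here)
$desired = 2

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $desired | Out-Null
    Write-Host "Created $name = $desired (reboot required before it takes effect)"
} elseif ($current -ne $desired) {
    Set-ItemProperty -Path $key -Name $name -Value $desired
    Write-Host "Changed $name from $current to $desired (reboot required)"
} else {
    Write-Host "$name is already $desired; nothing to do"
}
```

The change only affects the client's willingness to accept a server address that differs from the one it is sending to; it does not alter what the router does, so UDP 500 and 4500 still have to reach the server for the negotiation to complete, and a reboot is needed before the new value is honoured.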