Securetrust scan failing port 500 UDP


I have a Balance 210 firmware 8.1.1 build 4986. I have 2 IPsec VPN site-to-site tunnels set up to Cisco routers. I need these tunnels to conduct everyday business. I am failing my SecureTrust PCI scan on UDP port 500.

Here’s what the scan report says:

Does anyone have any guidance for how to set these tunnels up so I don’t fail the SecureTrust scan?

Welcome to the Peplink Community!

You can use local service firewall rules under Network > Firewall > Access Rules to allow only the VPN peer's IP addresses to respond to UDP 500. Change the default rule to deny and this will allow you to pass the PCI scan.

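The allow-list-plus-default-deny logic described in the reply above, as an added example that is not code from the thread or from Peplink. It simulates first-match access rules for the IKE ports (UDP 500 and UDP 4500 for NAT-T) and shows that a source other than the two peers is only dropped when the default rule is deny. All IP addresses are constructed placeholders, not real peer or scanner addresses.

```python
"""Simulation of first-match local service access rules with a default action.
Added example; addresses below are constructed, not taken from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample addresses (documentation ranges), not real ones.
VPN_PEERS = ["203.0.113.10", "198.51.100.22"]  # the two Cisco site-to-site peers (assumed)
SCANNER = "192.0.2.77"                          # stands in for the PCI scanner's source


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    proto: str          # "udp", "tcp" or "any"
    dport: Optional[int]  # destination port; None matches any port
    src: str            # CIDR the packet's source address must fall inside


def build_rules(peers: List[str]) -> List[Rule]:
    """Allow only the known peers to reach IKE (UDP 500) and NAT-T (UDP 4500).

    Nothing else is listed, so every other packet falls through to the
    default action passed to evaluate()."""
    rules = []
    for peer in peers:
        rules.append(Rule("allow", "udp", 500, f"{peer}/32"))
        rules.append(Rule("allow", "udp", 4500, f"{peer}/32"))
    return rules


def evaluate(rules: List[Rule], src: str, proto: str, dport: int,
             default: str = "deny") -> str:
    """Return the action for a packet: first matching rule wins, else default."""
    source = ip_address(src)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if source not in ip_network(rule.src):
            continue
        return rule.action
    return default


def ike_exposure(default: str) -> dict:
    """Summarise who can reach UDP 500 under a given default rule."""
    rules = build_rules(VPN_PEERS)
    result = {peer: evaluate(rules, peer, "udp", 500, default) for peer in VPN_PEERS}
    result["scanner"] = evaluate(rules, SCANNER, "udp", 500, default)
    return result


if __name__ == "__main__":
    # With default deny the peers are allowed and the scanner is dropped;
    # with default allow the scanner still reaches UDP 500 and the scan fails.
    for default in ("deny", "allow"):
        print(f"default={default}: {ike_exposure(default)}")
```

Only the default rule differs between the two runs; the peer allow entries are the same in both, which is why the reply insists on changing the default to deny rather than only adding allow rules.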

Thanks for the reply. Denying all in the local service firewall rules is what I used to pass the scan on our PepVPN with SpeedFusion tunnels. It didn't fix the IPsec tunnels. I would like to do exactly as you describe and allow only the VPN peer's IP address to respond to UDP 500. Do you have any other suggestions?

Here are my local service firewall rules:

I see, this looks like a feature request to add IPsec. One idea, however: does the other side of this VPN have a public IP address? If so, it might be possible to use an aggressive mode VPN that would only be established outbound toward them. They would configure your side as a dynamic IP so it would not try to connect to your IP address, but still allow connections from your side... would that work?
