I have a Balance 210 on firmware 8.1.1 build 4986. I have 2 IPsec site-to-site VPN tunnels set up to Cisco routers. I need these tunnels to conduct everyday business. I am failing my SecureTrust PCI scan on UDP port 500.
You can use local service firewall rules under Network > Firewall > Access Rules to allow only the VPN peer's IP addresses to respond to UDP 500. Change the default rule to deny, and this will allow you to pass the PCI scan.
Thanks for the reply. Denying all in the local service firewall rules is what I used to pass the scan on our PepVPN with SpeedFusion tunnels. It didn't fix the IPsec tunnels. I would like to do exactly as you describe and allow only the VPN peer's IP address to respond to UDP 500. Do you have any other suggestions?
I see, this looks like a feature request to add IPsec. One idea, however: does the other side of this VPN have a public IP address? If so, it might be possible to use an aggressive mode VPN that would only be established outbound toward them. They would configure your side as a dynamic IP so it would not try to connect to your IP address, but still allow connections from your side. Would that work?
I use an L2TP VPN (Advanced → Remote User Access) for my network on WAN1, and my PCI compliance scanner only scans my public IP on WAN3. When I enable "Remote User Access", it opens port UDP 500 on ALL WANs, even though it is only 'listening' on WAN1. This causes my PCI compliance scan to fail; my scanner doesn't know it can't authenticate on WAN3, it just sees a remote access service that is open. (Ticket #26020395)
Please consider only opening UDP 500 on WANs that are being 'listened on'.