Using VPN through an MX Security Appliance
The MX security appliance is designed to be used as a VPN endpoint, but as a firewall it can also pass VPN traffic to an internal VPN endpoint. PPTP and IPsec are protocols used to establish a secure encrypted VPN connection between two end points. This article outlines how the MX handles PPTP and IPsec traffic, including routing specifics and limitations.
PPTP passthrough for outbound traffic is supported on the MX appliance without additional configuration. Outbound traffic refers to a connection initiated from the LAN side of the appliance.
PPTP requires a port forwarding rule for public TCP port 1723. Inbound GRE traffic initiated as part of this conversation will also be forwarded automatically. Inbound traffic refers to connections initiated from the WAN side of the appliance.
IPsec is supported for outbound traffic only when IPsec NAT-T is used between end points; the MX cannot currently route unencapsulated ESP traffic. IPsec uses IP protocols ESP or AH, and with NAT-T these IP protocols are encapsulated in UDP datagrams.
Passthrough for outbound traffic requires no additional configuration when IPsec NAT-T is used.
Inbound traffic for IPsec using NAT-T can be configured using port forwarding or 1:1 NAT, using the following port numbers:
- UDP 500
- UDP 1701
- UDP 4500
Note: If port forwarding is used for these ports, the MX will not be able to establish connections for the Site-to-site VPN or client VPN features.