
Port Forwarding for IPsec

gordo5
Aspirant

Port Forwarding for IPsec

I don't want to use the built in vpn server and I've set up a RAS server at home and I can successfully connect to it locally using either PPTP or L2TP/IPsec.  I've also created a port forwarding rule in the orbi to forward tcp/1723 for PPTP and I can successfully connect to it from a remote location.

 

IPsec requires IP protocol 50 for Encapsulated Security Protocol (ESP) and IP protocol 51 for Authentication Header (AH), as well as UDP/500.  How can I forward this traffic through the ORBI?  I would prefer to just use L2TP/IPsec.

 

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 6
CrimpOn
Guru

Re: Port Forwarding for IPsec

Have you tried creating rules for these ports just as you did for the PPTP?

When creating rules, I ignore the drop down menu and create everything as a "Custom Rule".  Give it a cool name, enter the port, select TCP and/or UDP.

Message 2 of 6
gordo5
Aspirant

Re: Port Forwarding for IPsec

Well, that is actually the problem.  The custom rule only allows you to select ports in Protocol  6 (TCP) and Protocol 17 (UDP).  IPSec uses Protocol 50 (ESP) and Protocol 51 (AH).

 

Here is a nice summary:

https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

 

I saw the dropdown had a pre-defined rule for PPTP, which can be config'd using the custom rules.  If the custom rules won't allow you to configure IPsec, it would be nice if it was included in the pre-defined dropdown.

 

Message 3 of 6
CrimpOn
Guru

Re: Port Forwarding for IPsec

Of course, you are correct.  (I now have a Dunce Cap for every day of the week!)  Looks like you are stuck with either PPTP  on the RAS or OpenVPN (on the Orbi itself).  I have been very happy with OpenVPN on my Orbi.

 

Perhaps you could hack at the iptables.  I know that Voxel's custom firmware for the RBR50 allows customizing iptables.  (I am also happy with this firmware.  Probably fat and dumb as well.)

Message 4 of 6
schumaku
Guru

Re: Port Forwarding for IPsec

ESP can never work as the NAT router would only translate the "outer" IP addresses, but there is no port information, ... so things will go bollocks.

 

Look for L2TP/IPsec with NAT-T, here the ESP packets will be encapsulated in packets using port 4500/UDP. Before, IKE will run on 500/UDP. AFAIK that's all you need to expose by adding forward rules.

Message 5 of 6
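
The behaviour described in the reply above, as an added example (not code from any poster or from NETGEAR): a Python classifier showing which IPsec packets a TCP/UDP-only port-forwarding table can match. The packets, addresses, SPI value, forwarding rules and helper names are constructed for illustration.

```python
import struct

# IP protocol numbers and UDP ports named in the thread.
TCP, UDP, ESP, AH = 6, 17, 50, 51
IKE_PORT, NATT_PORT = 500, 4500
FORWARDS = {(UDP, IKE_PORT), (UDP, NATT_PORT)}  # assumed forwarding rules

def classify(packet, forwards=FORWARDS):
    """Return (kind, matches_a_forward_rule) for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto = packet[9]
    payload = packet[(packet[0] & 0x0F) * 4:]
    if proto in (ESP, AH):
        # ESP/AH begin with an SPI, not ports, so no (proto, port) rule fits.
        return ("native ESP" if proto == ESP else "native AH", False)
    if proto not in (TCP, UDP) or len(payload) < 8:
        return (f"protocol {proto}", False)
    dport = struct.unpack("!H", payload[2:4])[0]
    hit = (proto, dport) in forwards
    data = payload[8:]
    if proto == UDP and dport == IKE_PORT:
        return ("IKE", hit)
    if proto == UDP and dport == NATT_PORT:
        if data == b"\xff":
            return ("NAT-T keepalive", hit)
        if data[:4] == b"\x00" * 4:  # non-ESP marker precedes IKE on 4500
            return ("IKE over NAT-T", hit)
        return ("ESP in UDP", hit)
    return (f"{'TCP' if proto == TCP else 'UDP'}/{dport}", hit)

def ipv4(proto, payload):
    """Constructed IPv4 header (documentation addresses, zero checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([203, 0, 113, 10]),
                       bytes([198, 51, 100, 1])) + payload

def udp(dport, data):
    return struct.pack("!HHHH", dport, dport, 8 + len(data), 0) + data

esp = struct.pack("!II", 0x1000ABCD, 1) + bytes(16)  # constructed SPI, seq, body
SAMPLES = {
    "native ESP": ipv4(ESP, esp),
    "IKE": ipv4(UDP, udp(IKE_PORT, bytes(28))),
    "ESP in UDP": ipv4(UDP, udp(NATT_PORT, esp)),
    "IKE over NAT-T": ipv4(UDP, udp(NATT_PORT, bytes(4) + bytes(28))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", classify(pkt))
```
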
gordo5
Aspirant

Re: Port Forwarding for IPsec

Thanks.  I wasn't aware of the NAT issue with ipsec.  I've moved onto SSTP, which just needs tcp/443.  Took several stabs to get the certs right (or, at least, close enough), but it works now.  Too bad there isn't any native android support for it...

 

I went this route because I found the ORBI one slow.  I don't think the orbi processor is up to the task except for light duty things, like rdp.  Running my own vpn I can saturate my bandwidth.  🙂

 

Message 6 of 6