Screen OS

  • 1.  L2TP over IPsec to Microsoft RRAS

    Posted 11-03-2016 12:29

    I have a Routing and Remote Access Server behind my SSG and I would like to use it for L2TP VPN. When I try to forward UDP 500 using VIP on my interface, I get a message saying it's not supported, 500 is for management of the box.

    I'm also currently using site-to-site VPN which I imagine is using port 500 on the same interface. Is this what is stopping me?

    Would there be any way around this? My goal is to allow clients such as Windows PCs and iOS devices to connect to my network without using a certificate and instead a preshared key -- which RRAS supports.



  • 2.  RE: L2TP over IPsec to Microsoft RRAS
    Best Answer

    Posted 11-06-2016 04:37

    The issue is that only one device can use a specific IP address & port combination at a time. Since the SSG is using this port you cannot forward it to another device.

    Since this is a protocol standard port for the L2TP connection you also can't just change and use a different port.

    So in this situation you have to have a second IP address for the second device. If you have a second address in your IP allocation from your ISP you can use destination NAT to forward that address and port to your MS server.

    If you only have one address, contact your ISP and ask about switching your account parameters to allocate a larger subnet.



  • 3.  RE: L2TP over IPsec to Microsoft RRAS

    Posted 11-11-2016 12:41

    Many thanks for your response. I've got it working but I'd like to verify my config and potentially help someone else.

    I have my untrust (public) interface on e0/0. My ISP gave me a block of IPs on /29.

    For example, my interface IP is 100.1.1.2/29. My NAT DST will be used with 100.1.1.3. The internal server IP will be 192.168.1.100.

    Setup ARP:

    set interface ethernet0/0 proxy-arp-entry 100.1.1.3

    Add address:

    set address untrust server-pub 100.1.1.3/32

    Policy to allow IKE:

    set policy from untrust to untrust any server-pub IKE nat dst ip 192.168.1.100 permit

    Policy to deny any other traffic:

    set policy from untrust to untrust any server-pub any nat dst ip 192.168.1.100 deny

    Seems simple enough. Does that look legit?
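An added check, not part of the thread or of ScreenOS itself: a small Python model of the two destination-NAT policies above, using the same first-match, top-down evaluation ScreenOS applies, to confirm that only IKE to 100.1.1.3 is forwarded and that swapping the two lines would silently break the VPN. It assumes the predefined service "IKE" means UDP/500 and ignores the source zone/address (both are "untrust"/"any" here).

```python
import ipaddress
import re

# Constructed from the config posted above. Assumption: the predefined
# ScreenOS service "IKE" is UDP/500; "any" matches every protocol/port.
SERVICES = {"IKE": ("udp", 500), "any": None}
ADDRESSES = {"any": ipaddress.ip_network("0.0.0.0/0"),
             "server-pub": ipaddress.ip_network("100.1.1.3/32")}
CONFIG = """\
set policy from untrust to untrust any server-pub IKE nat dst ip 192.168.1.100 permit
set policy from untrust to untrust any server-pub any nat dst ip 192.168.1.100 deny
"""

POLICY_RE = re.compile(
    r"set policy from (\S+) to (\S+) (\S+) (\S+) (\S+)"
    r"(?: nat dst ip (\S+))? (permit|deny)$")

def parse_policies(config):
    """Return policies in the order written (ScreenOS evaluates them top-down)."""
    policies = []
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            _src_zone, _dst_zone, src, dst, svc, nat_ip, action = m.groups()
            policies.append({"src": src, "dst": dst, "svc": svc,
                             "nat": nat_ip, "action": action})
    return policies

def lookup(policies, dst_ip, proto, port):
    """First matching policy wins; no match means implicit deny and no NAT."""
    ip = ipaddress.ip_address(dst_ip)
    for p in policies:
        if ip not in ADDRESSES[p["dst"]]:
            continue
        svc = SERVICES[p["svc"]]
        if svc is not None and svc != (proto, port):
            continue
        return p["action"], p["nat"]
    return "deny", None

def check_ordering(config):
    """Action for IKE with the policies as written vs. with the two lines swapped."""
    as_written = lookup(parse_policies(config), "100.1.1.3", "udp", 500)[0]
    swapped_cfg = "\n".join(reversed(config.strip().splitlines()))
    swapped = lookup(parse_policies(swapped_cfg), "100.1.1.3", "udp", 500)[0]
    return as_written, swapped

if __name__ == "__main__":
    pols = parse_policies(CONFIG)
    print(lookup(pols, "100.1.1.3", "udp", 500))   # ('permit', '192.168.1.100')
    print(lookup(pols, "100.1.1.3", "tcp", 3389))  # ('deny', '192.168.1.100')
    print(check_ordering(CONFIG))                  # ('permit', 'deny')
```

The swapped result is the point: a broader deny placed above the IKE permit would match first, so policy order, not just the policy set, is what to verify on the box.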



  • 4.  RE: L2TP over IPsec to Microsoft RRAS

    Posted 11-12-2016 10:54

    Yes, that all looks good.



  • 5.  RE: L2TP over IPsec to Microsoft RRAS

    Posted 06-21-2017 10:45

    Moved SRX question to the SRX forum