IPSec Client Port

santipongv · ‎10-17-2008

Is there a way to force IPSec Client to use port 4500 instead of 500 to establish IPSec tunnel?

ajagadee · ‎10-17-2008

Hi,

I dont think there is a way to do this. Let me try and explain to you using VPN3000 as the VPN Server.

If you have NAT-T enabled on the VPN3000, the VPN3000 auto detects the NAT Device during IKE Negotiation and uses UDP Port 5000 for IKE and UDP Port 4500 for IPSEC Traffic.

It is my understanding that the order that the VPN3000 look at during IKE negotiation is:

IPSEC Over TCP

NAT-T

IPSEC Over UDP

So, I dont think there is way to change the behavior where you could force the Client to use UDP Port 4500 for both IKE and IPSEC.

If you are running into a situation where UDP Port 500 is not supported, then you can look into IPSEC Over TCP option where both IKE and IPSEC is encapsulated in a TCP Packet.

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

santipongv · ‎10-17-2008

The problem I am experiencing is the IPSec tunnel negotiation between a spoke router and a IPSec hub router. I have noticed that when a client (2811) tries to establish an IPSec tunnel with a hub router, it starts the process by using port 500. IPSec tunnel will not be successfully established. However, if it uses port 4500, IPSec tunnel will be successfully established. I am unable to find a way to force this client router to use port 4500 instead of port 500 to establish the IPSec tunnel.