10-17-2008 07:31 AM - edited 02-21-2020 03:59 PM
Is there a way to force IPSec Client to use port 4500 instead of 500 to establish IPSec tunnel?
10-17-2008 02:03 PM
Hi,
I don't think there is a way to do this. Let me try and explain to you using VPN3000 as the VPN Server.
If you have NAT-T enabled on the VPN3000, the VPN3000 auto-detects the NAT Device during IKE Negotiation and uses UDP Port 5000 for IKE and UDP Port 4500 for IPSEC Traffic.
It is my understanding that the order that the VPN3000 looks at during IKE negotiation is:
IPSEC Over TCP
NAT-T
IPSEC Over UDP
So, I don't think there is a way to change the behavior where you could force the Client to use UDP Port 4500 for both IKE and IPSEC.
If you are running into a situation where UDP Port 500 is not supported, then you can look into the IPSEC Over TCP option, where both IKE and IPSEC are encapsulated in a TCP Packet.
I hope it helps.
Regards,
Arul
** Please rate all helpful posts **
10-17-2008 03:50 PM
The problem I am experiencing is the IPSec tunnel negotiation between a spoke router and an IPSec hub router. I have noticed that when a client (2811) tries to establish an IPSec tunnel with a hub router, it starts the process by using port 500. The IPSec tunnel will not be successfully established. However, if it uses port 4500, the IPSec tunnel will be successfully established. I am unable to find a way to force this client router to use port 4500 instead of port 500 to establish the IPSec tunnel.
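To check from a packet capture whether a spoke's negotiation actually floats from UDP 500 to UDP 4500 the way the NAT-T answer above describes, the datagrams on the two ports can be classified by their standard framing (RFC 2408 ISAKMP header on 500; RFC 3948 non-ESP marker, UDP-encapsulated ESP, or one-byte keepalive on 4500). The following is an added example, not code from this thread or from Cisco; the sample datagrams are constructed, and the port/label names are the example's own.

```python
import struct
from collections import Counter

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 3.1: iSPI, rSPI, next payload, version, exch type, flags, msg id, length
NON_ESP_MARKER = b"\x00" * 4                # RFC 3948 2.2: four zero bytes mark IKE (not ESP) inside UDP 4500
NAT_KEEPALIVE = b"\xff"                     # RFC 3948 2.3: one-byte NAT keepalive on UDP 4500
EXCHANGE_TYPES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode",
                  34: "ikev2-sa-init", 35: "ikev2-auth", 36: "ikev2-create-child", 37: "ikev2-informational"}

def parse_isakmp(raw):
    """Return (major version, exchange name) from an ISAKMP/IKE header, or None if too short."""
    if len(raw) < ISAKMP_HDR.size:
        return None
    _ispi, _rspi, _np, version, exch, _flags, _msgid, _length = ISAKMP_HDR.unpack_from(raw)
    return version >> 4, EXCHANGE_TYPES.get(exch, f"exch-{exch}")

def classify(dst_port, payload):
    """Label one UDP datagram seen on the IKE (500) or NAT-T (4500) port."""
    if dst_port == 500:
        hdr = parse_isakmp(payload)
        return f"ike/500 {hdr[1]}" if hdr else "ike/500 truncated"
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-t/4500 keepalive"
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_isakmp(payload[4:])
            return f"ike/4500 {hdr[1]}" if hdr else "ike/4500 truncated"
        if len(payload) >= 8:  # ESP header: non-zero SPI plus sequence number
            return "esp/4500"
        return "unknown/4500"
    return "other"

def summarize(datagrams):
    """Count labels over (dst_port, payload) pairs taken from a capture of the tunnel setup."""
    return Counter(classify(port, data) for port, data in datagrams)

def _ike(exch, version=0x10, spi_r=b"\x00" * 8):
    # Constructed ISAKMP header with no payloads, used only to build the sample below.
    return ISAKMP_HDR.pack(b"\x11" * 8, spi_r, 0, version, exch, 0, 0, ISAKMP_HDR.size)

# Constructed sample: Main Mode starts on 500, floats to 4500 once NAT is detected,
# then Quick Mode, ESP and keepalives all ride on 4500.
SAMPLE = [
    (500, _ike(2)), (500, _ike(2)), (500, _ike(2)),
    (4500, NON_ESP_MARKER + _ike(2, spi_r=b"\x22" * 8)),
    (4500, NON_ESP_MARKER + _ike(32, spi_r=b"\x22" * 8)),
    (4500, b"\x00\x00\x01\x02" + b"\x00\x00\x00\x01" + b"\xaa" * 16),
    (4500, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {label}")
```

A capture where every IKE datagram stays labelled ike/500 and nothing appears on 4500 means NAT-T was never negotiated, which matches the failing case described in the post above.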