Cisco Support Community

New Member

IPSec Client Port

Is there a way to force IPSec Client to use port 4500 instead of 500 to establish IPSec tunnel?

2 REPLIES
Cisco Employee

Re: IPSec Client Port

Hi,

I don't think there is a way to do this. Let me try and explain to you using VPN3000 as the VPN Server.

If you have NAT-T enabled on the VPN3000, the VPN3000 auto detects the NAT Device during IKE Negotiation and uses UDP Port 5000 for IKE and UDP Port 4500 for IPSEC Traffic.

It is my understanding that the order that the VPN3000 looks at during IKE negotiation is:

IPSEC Over TCP

NAT-T

IPSEC Over UDP

So, I don't think there is a way to change the behavior where you could force the Client to use UDP Port 4500 for both IKE and IPSEC.

If you are running into a situation where UDP Port 500 is not supported, then you can look into the IPSEC Over TCP option, where both IKE and IPSEC are encapsulated in a TCP Packet.

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **
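As an added illustration of the mechanism the reply above describes (this is example code, not part of the original thread and not Cisco's code): IKE phase 1 has to begin on UDP 500, the peers discover a NAT by exchanging RFC 3947 NAT-D hashes inside that negotiation, and only then do IKE and ESP float to UDP 4500, where a 4-byte non-ESP marker (RFC 3948) lets the receiver tell IKE apart from UDP-encapsulated ESP on the same port. The example follows the RFCs, so both IKE and ESP end up on 4500. SHA-1 as the negotiated hash, the ISAKMP cookies and the addresses are assumptions chosen for the example.

```python
# Added example, not from the Cisco thread: IKEv1 NAT traversal discovery
# (RFC 3947 NAT-D payloads) and UDP 4500 framing (RFC 3948).
# Assumptions: SHA-1 is the negotiated phase 1 hash; cookies and addresses
# below are constructed sample values.
import hashlib
import ipaddress
import struct

IKE_PORT = 500            # IKE phase 1 always begins here
NAT_T_PORT = 4500         # IKE and ESP float here once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE packets on UDP 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed          # 4 bytes v4, 16 bytes v6
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_between(cky_i: bytes, cky_r: bytes, peer_nat_d: bytes,
                observed_ip: str, observed_port: int) -> bool:
    """The peer hashes the address it believes it is sending from; we hash the
    source address/port seen in the UDP header of its packet. A mismatch means
    a NAT rewrote the address somewhere on the path."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != peer_nat_d


def port_after_nat_discovery(nat_found: bool) -> int:
    """Neither side starts on 4500; the float happens only after NAT-D
    payloads have been exchanged on port 500."""
    return NAT_T_PORT if nat_found else IKE_PORT


def frame_ike_on_4500(isakmp_message: bytes) -> bytes:
    """RFC 3948: IKE sent over 4500 carries a 4-byte zero marker so the
    receiver can tell it from UDP-encapsulated ESP sharing the same port."""
    return NON_ESP_MARKER + isakmp_message


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a UDP 4500 datagram the way a NAT-T peer does."""
    if payload == b"\xff":
        return "nat-keepalive"             # single 0xFF byte keeps the NAT binding alive
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    if len(payload) >= 8:                  # ESP: SPI (never 0) + sequence number + data
        return "esp"
    return "invalid"


def demo() -> dict:
    """Walk a spoke behind NAT through NAT-D discovery (constructed values)."""
    cky_i = bytes.fromhex("0123456789abcdef")
    cky_r = bytes.fromhex("fedcba9876543210")
    # spoke believes it is 10.0.0.5:500; the hub sees 203.0.113.7:6171 after NAT
    spoke_nat_d = nat_d_hash(cky_i, cky_r, "10.0.0.5", IKE_PORT)
    nat_found = nat_between(cky_i, cky_r, spoke_nat_d, "203.0.113.7", 6171)
    port = port_after_nat_discovery(nat_found)
    # 28-byte ISAKMP header: cookies followed by zeroed remaining fields
    framed = frame_ike_on_4500(cky_i + cky_r + b"\x00" * 12)
    return {"nat_detected": nat_found, "port": port, "kind": classify_udp4500(framed)}


if __name__ == "__main__":
    print(demo())   # → {'nat_detected': True, 'port': 4500, 'kind': 'ike'}
```

The practical point for the thread: because NAT-D hashes are carried inside the phase 1 exchange, the first IKE packets from a client go out on UDP 500 no matter what, and 4500 only comes into play after that exchange succeeds. A spoke whose port 500 traffic is dropped therefore never reaches the float, which is why the reply points to IPsec over TCP rather than a client-side port setting.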

New Member

Re: IPSec Client Port

The problem I am experiencing is the IPSec tunnel negotiation between a spoke router and an IPSec hub router. I have noticed that when a client (2811) tries to establish an IPSec tunnel with a hub router, it starts the process by using port 500. The IPSec tunnel will not be successfully established. However, if it uses port 4500, the IPSec tunnel will be successfully established. I am unable to find a way to force this client router to use port 4500 instead of port 500 to establish the IPSec tunnel.
