syordanov
Staff
December 28, 2021

Technical Tip: Configure custom IKE port between two FortiGates

Description

This article describes how to configure a custom IKE port between two FortiGates.
Scope

Only on FortiOS 7.0.0 and above.

Solution

Some ISPs block UDP port 500 or UDP port 4500, which prevents an IPsec tunnel from being established. FortiOS v7.0.0 introduces a configuration option that allows a custom IKE port to be used instead. Both FortiGates must be running firmware v7.0.0 or above.

 

Example topology:

FortiGate_FW1 <-> ISP_customer1 <-> Internet <-> ISP_customer2 <-> FortiGate_FW2.

 

UDP ports 500 and 4500 may be blocked between the two firewalls for various reasons, preventing IPsec tunnels from coming up on the default ports. The configuration below is an example IPsec VPN setup that uses port 1234 instead. Any port between 1024 and 65535 may be used, but the chosen port must not overlap with ports already open on the FortiGate, such as a VIP or administrative service access on an interface, or the tunnel will fail to negotiate.

 

FortiGate_FW1 configuration:

 

The first step is to configure a custom IKE port. This option is global and affects all existing VPNs configured on the firewall: every peer that maintains a VPN tunnel to this FortiGate must also switch to this port.

 

FortiGate_FW1 config:

 

  1. Set a custom IKE port:

config system settings
    set ike-port 1234
end

  2. Phase 1 configuration:

config vpn ipsec phase1-interface
    edit "VPN_to_VM2"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set localid "VPN"
        set nattraversal forced
        set remote-gw 192.168.200.117
        set psksecret ENC XXX
    next
end

 

  3. Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "VPN_to_VM2"
        set phase1name "VPN_to_VM2"
        set proposal aes256-sha1
        set src-subnet 10.10.3.0 255.255.255.0
        set dst-subnet 10.10.4.0 255.255.255.0
    next
end


FortiGate_FW2 config:

 

  1. Set a custom IKE port:

config system settings
    set ike-port 1234
end

  2. Phase 1 configuration:

config vpn ipsec phase1-interface
    edit "VPN_to_VM1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set nattraversal forced
        set remote-gw 192.168.200.116
        set psksecret ENC XXX
    next
end

 

  3. Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "VPN_to_VM1"
        set phase1name "VPN_to_VM1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 10.10.4.0 255.255.255.0
        set dst-subnet 10.10.3.0 255.255.255.0
    next
end

 

Verify that the configured port is in use on both firewalls by checking the addr: line of each gateway:

 

FGVM1 # diagnose vpn ike gateway list
vd: root/0
name: VPN_to_VM2
version: 1
interface: port1 3
addr: 192.168.200.116:1234 -> 192.168.200.117:1234
tun_id: 192.168.200.117
remote_location: 0.0.0.0
created: 665s ago
nat: me peer
IKE SA: created 2/2  established 2/2  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 83 81054410750ca9e4/bb0f28ad2f802b3a
  direction: responder
  status: established 662-662s ago = 0ms
  [...]

  id/spi: 82 f4d711dc2cc4a913/14f1a4cfb93ef928
  direction: initiator
  status: established 665-665s ago = 0ms
  [...]

FGVM2 # diagnose vpn ike gateway list
vd: root/0
name: VPN_to_VM1
version: 1
interface: port1 3
addr: 192.168.200.117:1234 -> 192.168.200.116:1234
tun_id: 192.168.200.116
remote_location: 0.0.0.0
created: 575s ago
peer-id: VPN
peer-id-auth: no
nat: me peer
IKE SA: created 2/2  established 2/2  time 0/4500/9000 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 35 f4d711dc2cc4a913/14f1a4cfb93ef928
  direction: responder
  status: established 569-569s ago = 0ms
  [...]

  id/spi: 34 81054410750ca9e4/bb0f28ad2f802b3a
  direction: initiator
  status: established 575-566s ago = 9000ms
  [...]

 

When FortiOS is configured to use a custom IKE port, the firewall listens on the custom port and also on the default NAT traversal (NAT-T) port, UDP 4500.

Expect the following behavior when FW1 has ike-port set to 4500 and FW2 has ike-port set to 1234:

 

FGVM1 # diagnose vpn ike gateway list
vd: root/0
name: VPN_to_VM2
version: 1
interface: port1 3
addr: 192.168.200.116:4500 -> 192.168.200.117:4500
tun_id: 192.168.200.117
remote_location: 0.0.0.0
created: 20s ago
nat: me
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 86 a8806f2525f1936d/68687ddef906def1
  direction: initiator
  status: established 20-20s ago = 0ms
  [...]

FGVM2 # diagnose vpn ike gateway list
vd: root/0
name: VPN_to_VM1
version: 1
interface: port1 3
addr: 192.168.200.117:4500 -> 192.168.200.116:4500
tun_id: 192.168.200.116
remote_location: 0.0.0.0
created: 33s ago
peer-id: VPN
peer-id-auth: no
nat: peer
IKE SA: created 1/2  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 40 a8806f2525f1936d/68687ddef906def1
  direction: responder
  status: established 9-9s ago = 0ms
  [...]

 

The VPN is established over port 4500 because FW2 listens both on 4500 and on the custom port configured under the global settings (1234 in this example), while FW1 initiates from port 4500.
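As an added check, not part of the original article, the following Python script parses diagnose vpn ike gateway list output and reports, per gateway, whether the negotiated ports match the configured ike-port or whether the peer negotiated on 4500 as in the mixed-port case above. The sample output is constructed; the gateway name VPN_to_HUB and its peer address are assumptions.

```python
import re

# Constructed sample in the shape of the article's "diagnose vpn ike gateway list"
# output on a FortiGate with ike-port 1234; the second peer came up on 4500 instead.
SAMPLE_OUTPUT = """\
vd: root/0
name: VPN_to_VM2
addr: 192.168.200.116:1234 -> 192.168.200.117:1234
nat: me peer
IKE SA: created 2/2  established 2/2  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

vd: root/0
name: VPN_to_HUB
addr: 192.168.200.116:4500 -> 203.0.113.10:4500
nat: me
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
"""

ADDR_RE = re.compile(r"^addr: \S+:(\d+) -> \S+:(\d+)$")
SA_RE = re.compile(r"^(IKE|IPsec) SA: created \d+/\d+\s+established (\d+)/\d+")

def parse_gateways(text):
    """One dict per gateway: name, local/remote UDP port, established SA counts."""
    gateways, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("name: "):
            cur = {"name": line[6:], "ike": 0, "ipsec": 0}
            gateways.append(cur)
        elif cur and (m := ADDR_RE.match(line)):
            cur["local"], cur["remote"] = int(m.group(1)), int(m.group(2))
        elif cur and (m := SA_RE.match(line)):
            cur[m.group(1).lower()] = int(m.group(2))   # key "ike" or "ipsec"
    return gateways

def classify(gw, expected_port):
    """Status of one gateway against the ike-port set under system settings."""
    ports = (gw.get("local"), gw.get("remote"))
    if gw["ike"] == 0 or gw["ipsec"] == 0:
        return "down"
    if ports == (expected_port, expected_port):
        return "ok"
    if ports == (4500, 4500):
        return "fallback-4500"   # peer negotiated on the always-open NAT-T port
    return "mismatch"

def check_ike_port(text, expected_port):
    return {gw["name"]: classify(gw, expected_port) for gw in parse_gateways(text)}
```

Run check_ike_port on the pasted output of both firewalls with the port you set; a "fallback-4500" result means the peer is not actually using the custom port.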

 

When the IKE port is set to default 500:

  • The server listens on ports 500 and 4500.
  • The initiator starts on port 500.

 

Because a FortiGate always listens on UDP port 4500 for incoming IKE connections, when a FortiGate serves as an IPsec VPN hub for multiple spokes, including third-party devices, the FortiGate spokes can always be configured to use port 4500 for IKE; the tunnel then comes up regardless of which custom port is set on the hub FortiGate, provided port 4500 is not blocked.

 

As of FortiGate v7.6.5, IPsec VPN over UDP can also use port 443 as the IKE negotiation port:

config system settings
    set ike-port 443
end


Starting from v7.4.2, for cases where UDP is blocked entirely, IKE can also be carried over TCP instead of UDP; see the FortiGate New Features document: TCP encapsulation of IKE and IPsec packets across multiple vendors.