noc
Explorer
September 27, 2007
Question

Change nat-t IKE destination port

Hi, I'm trying to set up a dialup tunnel between FortiClient and a FortiGate 50B behind a Cisco router. This router has a GRE tunnel configured, so I can't map UDP port 500 to the FortiGate. My question: is it possible to change the destination port 500 on FortiClient (for example, to 505) so that I can do a NAT inside change on the Cisco router back to port 500 and send it to the FortiGate? Thanks in advance

    3 replies

    vanc
    New Member
    September 27, 2007
    You just need to enable NAT-Traversal on both FortiClient and Fortigate. They will use port 4500 instead of 500.
    noc (Author)
    Explorer
    October 1, 2007
    Hi, NAT traversal is checked (active) on both the client and the FortiGate. The log shows that the first message is sent to UDP port 500 instead of 4500. I don't know if there is any way to change this via the Windows Registry. That way I could change the destination port on the Cisco router. Thanks, Lluis Arasanz
    noc (Author)
    Explorer
    October 1, 2007
    Hi again, here is the test log from FortiClient. You can see that NAT-T is on and the destination port is 500 on the first message. On other dialup VPNs, the system changes from UDP 500 to UDP 4500 on the 3rd message, after IKE phase 2, and always as the source port, not the destination one.

    In run_timer_list, jiffies=00000000, skipped = 0
    tvecs[1]->bits is 3, tvecs->index is 0
    sys_get_local_gwy() called: remote gw:0f4224d4 next hop:0
    Detect local gateway for peer: xx.xx.xx.xx
    sys_get_local_gwy() called: remote gw:0f4224d4 next hop:12e644
    Get sa_connect message...172.30.1.212->xx.xx.xx.xx:0, natt_mode=0
    Using new connection...natt_mode=0
    Set connection name = Canaletas.
    Adding timer #1... expiry=3600, data=16552536
    Adding to bucket 3 at index 1
    Tunnel 172.30.1.212 ---> xx.xx.xx.xx:500,natt_en=1 is starting negotiation
    Will negotiate a DHCP SA
    Initiator: aggressive mode is sending 1st message...
    Initiator:aggressive mode set dh=1024.
    Sending VID payload....
    Sending NATT VID payload (draft3)....
    Sending NATT VID payload (draft3 and draft1)....
    Initiator: sent xx.xx.xx.xx aggressive mode message #1 (OK)
    Adding timer #2... expiry=28770, data=4185704
    Adding to bucket 4 at index 1
    set retransmit: st=1, timeout=10.
    Adding timer #2... expiry=10, data=4185704
    Adding to bucket 1 at index 10
    Next_time = 10 sec

    Thanks, Lluis Arasanz
    noc (Author)
    Explorer
    October 4, 2007
    Hi all. Finally, it's all OK. I have a Virtual IP defined for this port (UDP 500), and the FortiGate does not take control; it only bypasses the frame. Thanks to all anyway. Lluis Arasanz
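The behaviour vanc and noc describe above (IKE starts on UDP 500 and only moves to UDP 4500 after the peers have exchanged NAT-T vendor IDs and NAT-D payloads, which is why the first message cannot simply be pointed at another port) can be seen by classifying the datagrams of a dialup exchange. The script below is an added example and is not code from the original thread, from Fortinet or from Cisco. The packets are constructed: the SPIs, message bodies and direction labels are made up, and only the ISAKMP header and the NAT-T framing on port 4500 (the four-byte non-ESP marker, the one-byte keepalive, and ESP-in-UDP) are parsed.

```python
"""Classify the UDP datagrams of an IKEv1 NAT-T exchange and find the port float."""
import struct

IKE_PORT = 500            # ISAKMP: the first IKE messages always go here (RFC 3947)
NATT_PORT = 4500          # IKE and ESP-in-UDP once both peers have detected a NAT
ISAKMP_HDR_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that marks IKE (not ESP) on port 4500
NATT_KEEPALIVE = b"\xff"               # one-byte NAT keepalive, port 4500 only
EXCH_AGGRESSIVE = 4                    # ISAKMP exchange type seen in the FortiClient log


def parse_isakmp_header(data):
    """Return the ISAKMP header fields of an IKEv1 message, or None if it is not one."""
    if len(data) < ISAKMP_HDR_LEN:
        return None
    i_spi, r_spi, _next, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    # Major version must be 1 and the length field must cover the whole message.
    if version >> 4 != 1 or length != len(data):
        return None
    return {"i_spi": i_spi, "r_spi": r_spi, "exchange": exch,
            "flags": flags, "msg_id": msg_id, "length": length}


def classify_datagram(dport, payload):
    """Classify a UDP payload by destination port and leading bytes."""
    if dport == IKE_PORT:
        hdr = parse_isakmp_header(payload)
        return ("ike", hdr) if hdr else ("unknown", None)
    if dport == NATT_PORT:
        if payload == NATT_KEEPALIVE:
            return ("natt-keepalive", None)
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_isakmp_header(payload[len(NON_ESP_MARKER):])
            return ("ike-natt", hdr) if hdr else ("unknown", None)
        if len(payload) >= 8:
            # ESP SPI 0 is reserved, so a non-zero first word means ESP-in-UDP.
            spi, seq = struct.unpack("!II", payload[:8])
            return ("esp-udp", {"spi": spi, "seq": seq})
    return ("unknown", None)


def summarize(datagrams):
    """List (index, direction, dport, kind) for each (direction, sport, dport, payload)."""
    return [(n, direction, dport, classify_datagram(dport, payload)[0])
            for n, (direction, _sport, dport, payload) in enumerate(datagrams, 1)]


def first_natt_index(datagrams):
    """1-based index of the first datagram sent to UDP 4500, or None if none floated."""
    for n, (_direction, _sport, dport, _payload) in enumerate(datagrams, 1):
        if dport == NATT_PORT:
            return n
    return None


def build_ike(i_spi, r_spi, exch, msg_id, body, natt=False):
    """Constructed IKEv1 message: ISAKMP header + opaque body, NAT-T framed if natt."""
    hdr = struct.pack("!8s8sBBBBII", i_spi, r_spi, 1, 0x10, exch, 0, msg_id,
                      ISAKMP_HDR_LEN + len(body))
    return (NON_ESP_MARKER if natt else b"") + hdr + body


# Constructed sample exchange (SPIs, bodies and directions are made up): two aggressive
# mode messages on UDP 500, then the float to 4500 once both sides have sent NAT-D.
I_SPI = bytes.fromhex("1122334455667788")
R_SPI = bytes.fromhex("8877665544332211")
SAMPLE_EXCHANGE = [
    ("client->gw", IKE_PORT, IKE_PORT,
     build_ike(I_SPI, bytes(8), EXCH_AGGRESSIVE, 0, b"SA KE Ni IDii NAT-T-VID")),
    ("gw->client", IKE_PORT, IKE_PORT,
     build_ike(I_SPI, R_SPI, EXCH_AGGRESSIVE, 0, b"SA KE Nr IDir HASH NAT-D NAT-D")),
    ("client->gw", NATT_PORT, NATT_PORT,
     build_ike(I_SPI, R_SPI, EXCH_AGGRESSIVE, 0, b"HASH NAT-D NAT-D", natt=True)),
    ("gw->client", NATT_PORT, NATT_PORT, NATT_KEEPALIVE),
    ("client->gw", NATT_PORT, NATT_PORT,
     struct.pack("!II", 0xC0FFEE01, 1) + b"encrypted ESP payload"),
]

if __name__ == "__main__":
    for n, direction, dport, kind in summarize(SAMPLE_EXCHANGE):
        print(f"#{n} {direction:>10} udp/{dport} {kind}")
    print("first datagram on 4500:", first_natt_index(SAMPLE_EXCHANGE))
```

Run against a real capture, the same classifier shows what the thread's log only hints at: a responder that is not reachable on UDP 500 never sees message #1, so no NAT-T vendor ID exchange happens and nothing ever floats to 4500; moving only the source port, or renumbering 500 to 505 in the client, does not change where the peer listens. That is why the working fix in the thread was to forward UDP 500 itself (the Virtual IP) rather than to change the client's port.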