Description | This article describes how to configure a custom IKE port between two FortiGate firewalls. |
Scope |
Only on FortiOS 7.0.0 and above |
Solution |
Some ISPs block UDP port 500 or UDP port 4500, which prevents an IPsec tunnel from being established. FortiOS 7.0.0 introduces a new configuration option that lets you specify a custom IKE port between two FortiGates running FortiOS 7.0.0 or later.
Example topology:
FortiGate_FW1 <-> ISP_customer1 <-> Internet <-> ISP_customer2 <-> FortiGate_FW2
For some reason ports 500 and 4500 are blocked between the two firewalls. With the configuration below, the VPN will use port 1234 instead (any port between 1024 and 65535 can be used; pick one that both ISPs pass in both directions).
FortiGate_FW1 configuration:
The first step is to configure the custom IKE port. This option is not per-tunnel: it applies to every VPN configured on the firewall, so make sure beforehand that the same option can be configured on the remote peer or peers.
1) Set the custom IKE port:
# config system settings
    set ike-port 1234
end
2) VPN configuration:
Phase 1 configuration:
# config vpn ipsec phase1-interface
    edit "VPN_to_VM2"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set localid "VPN"
        set nattraversal forced
        set remote-gw 192.168.200.117
        set psksecret ENC 8Pttk+W8CE/qei6VbcFaz0Hv9ikpV9sQu3dJOfXgi5+jzgsKF6dNVkccgPVXy6Somt1gv4jDjOmw/iGBZD2L8eZi87P9iYJCqXLSifzLvLo3LupwusaSdVGKn0Ne9ZgTJD9vSDMlM1No+iv7leb8GZv6EaUvBADIuEYMqNlZWLvDdHDb1X6u6Lkrw0DLwZpXu4Zmrw==
    next
end
Phase 2 configuration:
# config vpn ipsec phase2-interface
    edit "VPN_to_VM2"
        set phase1name "VPN_to_VM2"
        set proposal aes256-sha1
        set src-subnet 10.10.3.0 255.255.255.0
        set dst-subnet 10.10.4.0 255.255.255.0
    next
end
FortiGate_FW2 configuration:
1) Set the custom IKE port (it must be the port FW1 sends to; here the same port is used on both ends):
# config system settings
    set ike-port 1234
end
2) VPN configuration:
Phase 1 configuration:
# config vpn ipsec phase1-interface
    edit "VPN_to_VM1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set nattraversal forced
        set remote-gw 192.168.200.116
        set psksecret ENC gTY7OusREa5tKVsOOpvqZRdWfbyIUXOzUVlGghDLZA0h3alXu16RUgFRAwg4wo818+vdSNAx+bRgzlH7+rUzZgTeovMYFSVnHD//2zlVmzH/ctN7n88AxqCbsSb1mgTBz1R+nQMxgwMC8vXTApTz2YnarrfavxsXJdqfYbBZlhAXK59UpY8mvpGLioMZCEGTIzpN8w==
    next
end
Phase 2 configuration:
# config vpn ipsec phase2-interface
    edit "VPN_to_VM1"
        set phase1name "VPN_to_VM1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 10.10.4.0 255.255.255.0
        set dst-subnet 10.10.3.0 255.255.255.0
    next
end
Check that the configured port is used on both firewalls. The addr line must show port 1234 on both ends, and the IKE SA SPI pairs must match across the two outputs (each SPI pair appears as initiator on one side and responder on the other):

FGVM1 # diagnose vpn ike gateway list

vd: root/0
name: VPN_to_VM2
version: 1
interface: port1 3
addr: 192.168.200.116:1234 -> 192.168.200.117:1234
tun_id: 192.168.200.117
remote_location: 0.0.0.0
created: 665s ago
nat: me peer
IKE SA: created 2/2  established 2/2  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 83 81054410750ca9e4/bb0f28ad2f802b3a
  direction: responder
  status: established 662-662s ago = 0ms
  proposal: aes256-sha1
  key: f0574c512a50c99e-69d5a2e651ec7def-80092d48a7825f3a-529b8b4466c06a92
  lifetime/rekey: 86400/85467
  DPD sent/recv: 00000000/00000000

  id/spi: 82 f4d711dc2cc4a913/14f1a4cfb93ef928
  direction: initiator
  status: established 665-665s ago = 0ms
  proposal: aes256-sha1
  key: 0d4876c33ff2b1ff-715b4ebf377a3243-7d7a54537971f079-031ef7123f70335d
  lifetime/rekey: 86400/85434
  DPD sent/recv: 00000000/00000000

FGVM2 (root) # diagnose vpn ike gateway list

vd: root/0
name: VPN_to_VM1
version: 1
interface: port1 3
addr: 192.168.200.117:1234 -> 192.168.200.116:1234
tun_id: 192.168.200.116
remote_location: 0.0.0.0
created: 575s ago
peer-id: VPN
peer-id-auth: no
nat: me peer
IKE SA: created 2/2  established 2/2  time 0/4500/9000 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 35 f4d711dc2cc4a913/14f1a4cfb93ef928
  direction: responder
  status: established 569-569s ago = 0ms
  proposal: aes256-sha1
  key: 0d4876c33ff2b1ff-715b4ebf377a3243-7d7a54537971f079-031ef7123f70335d
  lifetime/rekey: 86400/85560
  DPD sent/recv: 00000000/00000000
  peer-id: VPN

  id/spi: 34 81054410750ca9e4/bb0f28ad2f802b3a
  direction: initiator
  status: established 575-566s ago = 9000ms
  proposal: aes256-sha1
  key: f0574c512a50c99e-69d5a2e651ec7def-80092d48a7825f3a-529b8b4466c06a92
  lifetime/rekey: 86400/85533
  DPD sent/recv: 00000000/00000000
  peer-id: VPN
When ike-port is set to X, the firewall listens on port X and on port 4500.
Behaviour when FW1 is configured with ike-port 4500 and FW2 with ike-port 1234:

FGVM1 # diagnose vpn ike gateway list

vd: root/0
name: VPN_to_VM2
version: 1
interface: port1 3
addr: 192.168.200.116:4500 -> 192.168.200.117:4500
tun_id: 192.168.200.117
remote_location: 0.0.0.0
created: 20s ago
nat: me peer
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 86 a8806f2525f1936d/68687ddef906def1
  direction: initiator
  status: established 20-20s ago = 0ms
  proposal: aes256-sha1
  key: 089d0d2924ba1a22-b8dff488e223fde3-b06db275431f90a3-318e2fe8dd85eb4b
  lifetime/rekey: 86400/86079
  DPD sent/recv: 00000000/00000000

FGVM2 (root) # diagnose vpn ike gateway list

vd: root/0
name: VPN_to_VM1
version: 1
interface: port1 3
addr: 192.168.200.117:4500 -> 192.168.200.116:4500
tun_id: 192.168.200.116
remote_location: 0.0.0.0
created: 33s ago
peer-id: VPN
peer-id-auth: no
nat: peer
IKE SA: created 1/2  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 40 a8806f2525f1936d/68687ddef906def1
  direction: responder
  status: established 9-9s ago = 0ms
  proposal: aes256-sha1
  key: 089d0d2924ba1a22-b8dff488e223fde3-b06db275431f90a3-318e2fe8dd85eb4b
  lifetime/rekey: 86400/86120
  DPD sent/recv: 00000000/00000000
  peer-id: VPN

The VPN is established over 4500: FW1 (ike-port 4500) initiates towards port 4500, and FW2 answers there because it listens on both 4500 and the port X configured under system settings. Note that FW2 only shows the tunnel as responder; its own attempt to initiate towards 1234 cannot succeed, since FW1 does not listen on that port.
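As an added example, not part of the original article: a small Python parser for the "diagnose vpn ike gateway list" output shown above. It pulls the addr line and SA status out of each gateway block and classifies every tunnel as running on the expected custom port, fallen back to 4500 (the mismatch case just described, where the peer's ike-port differs), or without any established IKE SA (the port is simply blocked). The sample output is constructed after the outputs above; the gateway names VPN_to_VM3 and VPN_to_VM4, their addresses and SPIs are made up, and key lines are deliberately left out.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample modelled on the "diagnose vpn ike gateway list" output
# in the article. VPN_to_VM2 is on the custom port 1234 on both ends,
# VPN_to_VM3 (hypothetical, peer left on ike-port 4500) fell back to 4500,
# VPN_to_VM4 (hypothetical, port blocked by the ISP) never established an SA.
# Addresses and SPIs are made up; "key:" lines are omitted on purpose.
SAMPLE_OUTPUT = """\
vd: root/0
name: VPN_to_VM2
version: 1
interface: port1 3
addr: 192.168.200.116:1234 -> 192.168.200.117:1234
tun_id: 192.168.200.117
remote_location: 0.0.0.0
created: 665s ago
nat: me peer
IKE SA: created 2/2  established 2/2  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 83 0011223344556677/8899aabbccddeeff
  direction: responder
  status: established 662-662s ago = 0ms
  proposal: aes256-sha1
  lifetime/rekey: 86400/85467
  DPD sent/recv: 00000000/00000000

vd: root/0
name: VPN_to_VM3
version: 1
interface: port1 3
addr: 192.168.200.116:4500 -> 192.168.200.118:4500
tun_id: 192.168.200.118
remote_location: 0.0.0.0
created: 20s ago
nat: me peer
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 86 1122334455667788/99aabbccddeeff00
  direction: initiator
  status: established 20-20s ago = 0ms
  proposal: aes256-sha1
  lifetime/rekey: 86400/86079
  DPD sent/recv: 00000000/00000000

vd: root/0
name: VPN_to_VM4
version: 1
interface: port1 3
addr: 192.168.200.116:1234 -> 192.168.200.119:1234
tun_id: 192.168.200.119
remote_location: 0.0.0.0
created: 90s ago
nat: me peer
IKE SA: created 0/3  established 0/0  time 0/0/0 ms
IPsec SA: created 0/0  established 0/0  time 0/0/0 ms
"""

NAME_RE = re.compile(r"^name:\s+(\S+)")
ADDR_RE = re.compile(r"^addr:\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$")
STATUS_RE = re.compile(r"^status:\s+(\w+)")


@dataclass
class IkeGateway:
    name: str
    local_ip: str = ""
    local_port: int = 0
    remote_ip: str = ""
    remote_port: int = 0
    sa_states: List[str] = field(default_factory=list)  # one entry per IKE SA block


def parse_ike_gateway_list(text: str) -> List[IkeGateway]:
    """Split the diagnose output into gateways; keep addr ports and SA states."""
    gateways: List[IkeGateway] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # SA blocks are indented
        m = NAME_RE.match(line)
        if m:
            current = IkeGateway(m.group(1))
            gateways.append(current)
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            current.local_ip, current.local_port = m.group(1), int(m.group(2))
            current.remote_ip, current.remote_port = m.group(3), int(m.group(4))
            continue
        m = STATUS_RE.match(line)
        if m:
            current.sa_states.append(m.group(1))
    return gateways


def check_ike_port(gateways: List[IkeGateway], expected_port: int,
                   natt_port: int = 4500) -> Dict[str, str]:
    """Verdict per tunnel: ok / fallback-<natt_port> / no-ike-sa / unexpected."""
    verdicts: Dict[str, str] = {}
    for gw in gateways:
        ports = (gw.local_port, gw.remote_port)
        if "established" not in gw.sa_states:
            verdicts[gw.name] = "no-ike-sa"          # nothing got through on any port
        elif ports == (expected_port, expected_port):
            verdicts[gw.name] = "ok"                 # custom ike-port in use on both ends
        elif ports == (natt_port, natt_port):
            verdicts[gw.name] = f"fallback-{natt_port}"  # peer is not using the custom port
        else:
            verdicts[gw.name] = f"unexpected {ports[0]}->{ports[1]}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in check_ike_port(parse_ike_gateway_list(SAMPLE_OUTPUT), 1234).items():
        print(f"{name}: {verdict}")
```

Run it against the real output by pasting the CLI text into SAMPLE_OUTPUT (or reading it from a file); a "fallback-4500" verdict is the signature of the ike-port mismatch shown above, and "no-ike-sa" with the custom port in the addr line means the chosen port is not getting through either.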
When ike-port is left at the default (500):
The firewall listens on 500 and 4500. So if you have a dialup hub (FortiGate) with spokes from multiple vendors and UDP 500 is blocked for some of the FortiGate spokes, you can configure those spokes with ike-port 4500: the hub listens on both 500 and 4500, so the spokes that still use 500 are not affected.
Copyright 2023 Fortinet, Inc. All Rights Reserved.