Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syordanov
Staff
Staff

Created on ‎12-28-2021 09:01 AM Edited on ‎11-06-2024 06:32 AM By Moderator

Article Id 202107

Technical Tip: Configure custom IKE port between two FortiGate firewalls

Description This article describes configuring a custom IKE port between two FortiGate firewalls.
Scope

Only on FortiOS 7.0.0 and above.
Solution

Some ISPs block UDP port 500 or UDP 4500, preventing an IPsec from being established, FortiOS 7.0.0 introduces a new configuration option with the help of which it is possible to specify a custom IKE port between 2 FortiGates running on FortiOS 7.0.0 and above.

 

Example topology:

FortiGate_FW1 <-> ISP_customer1 <-> Internet <-> ISP_customer2 <-> FortiGate_FW2.

 

For some reason ports 500 and 4500 are blocked between both FWs with the configuration below for VPN will be used port 1234 (it could be even between 1024 and 65535).

 

FortiGate_FW1 configuration:

 

The first step is to configure a custom IKE port, this option is global and will affect all existing VPNs which are configured on the firewall, that is why it is necessary to be sure that this option could be configured on remote peer/peers.

 

FortiGate_FW1 config:

 

  1. Set custom IKE port :

    config system  setting
        set ike-port 1234
    end

  2. VPN configuration:

 

    edit "VPN_to_VM2"

        set interface "port1"

        set peertype any

        set net-device disable

        set proposal aes256-sha1

        set localid "VPN"

        set nattraversal forced

        set remote-gw 192.168.200.117

        set psksecret ENC 8Pttk+W8CE/qei6VbcFaz0Hv9ikpV9sQu3dJOfXgi5+jzgsKF6dNVkccgPVXy6Somt1gv4jDjOmw/

iGBZD2L8eZi87P9iYJCqXLSifzLvLo3LupwusaSdVGKn0Ne9ZgTJD9vSDMlM1No+

iv7leb8GZv6EaUvBADIuEYMqNlZWLvDdHDb1X6u6Lkrw0DLwZpXu4Zmrw==

    next

end

 

Phase 2 configuration:

 

config vpn ipsec phase2-interfac

    edit "VPN_to_VM2"

        set phase1name "VPN_to_VM2"

        set proposal aes256-sha1

        set src-subnet 10.10.3.0 255.255.255.0

        set dst-subnet 10.10.4.0 255.255.255.0

    next

    end

FortiGate_FW2 config :

 

config system  setting
    set ike-port 1234
end

 

  1. VPN Configuration:

     

 

config vpn ipsec phase1-interfac

    edit "VPN_to_VM1"

        set interface "port1"

        set peertype any

        set net-device disable

        set proposal aes256-sha1

        set nattraversal forced

        set remote-gw 192.168.200.116

        set psksecret ENC gTY7OusREa5tKVsOOpvqZRdWfbyIUXOzUVlGghDLZA0h3alXu16RUgFRAwg4wo818+

vdSNAx+bRgzlH7+rUzZgTeovMYFSVnHD//2zlVmzH/ctN7n88AxqCbsSb1mgTBz1R+

nQMxgwMC8vXTApTz2YnarrfavxsXJdqfYbBZlhAXK59UpY8mvpGLioMZCEGTIzpN8w==

    next

end

 

Phase 2 configuration:

 

config vpn ipsec phase2-interfac

    edit "VPN_to_VM1"

        set phase1name "VPN_to_VM1"

        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

        set src-subnet 10.10.4.0 255.255.255.0

        set dst-subnet 10.10.3.0 255.255.255.0

    next

end

 

Check if the configured port is used on both firewalls:

 

FGVM1 # diagnose vpn ike gateway list

 

vd: root/0

name: VPN_to_VM2

version: 1

interface: port1 3

addr: 192.168.200.116:1234 -> 192.168.200.117:1234

tun_id: 192.168.200.117

remote_location: 0.0.0.0

created: 665s ago

nat: me peer

IKE SA: created 2/2  established 2/2  time 0/0/0 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 

  id/spi: 83 81054410750ca9e4/bb0f28ad2f802b3a

  direction: responder

  status: established 662-662s ago = 0ms

  proposal: aes256-sha1

  key: f0574c512a50c99e-69d5a2e651ec7def-80092d48a7825f3a-529b8b4466c06a92

  lifetime/rekey: 86400/85467

  DPD sent/recv: 00000000/00000000

 

  id/spi: 82 f4d711dc2cc4a913/14f1a4cfb93ef928

  direction: initiator

  status: established 665-665s ago = 0ms

  proposal: aes256-sha1

  key: 0d4876c33ff2b1ff-715b4ebf377a3243-7d7a54537971f079-031ef7123f70335d

  lifetime/rekey: 86400/85434

  DPD sent/recv: 00000000/00000000

 

diagnose vpn ike gateway list

 

vd: root/0

name: VPN_to_VM1

version: 1

interface: port1 3

addr: 192.168.200.117:1234 -> 192.168.200.116:1234

tun_id: 192.168.200.116

remote_location: 0.0.0.0

created: 575s ago

peer-id: VPN

peer-id-auth: no

nat: me peer

IKE SA: created 2/2  established 2/2  time 0/4500/9000 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 35 f4d711dc2cc4a913/14f1a4cfb93ef928

  direction: responder

  status: established 569-569s ago = 0ms

  proposal: aes256-sha1

  key: 0d4876c33ff2b1ff-715b4ebf377a3243-7d7a54537971f079-031ef7123f70335d

  lifetime/rekey: 86400/85560

  DPD sent/recv: 00000000/00000000

  peer-id: VPN

 

  id/spi: 34 81054410750ca9e4/bb0f28ad2f802b3a

  direction: initiator

  status: established 575-566s ago = 9000ms

  proposal: aes256-sha1

  key: f0574c512a50c99e-69d5a2e651ec7def-80092d48a7825f3a-529b8b4466c06a92

  lifetime/rekey: 86400/85533

  DPD sent/recv: 00000000/00000000

  peer-id: VPN

 

When FortiOS is configured to set ike-port X, the firewall will listen on port X and port 4500 :

 

Behavior when FW1 is set ike-port 4500 and FW2 is set ike-port 1234:

 

FGVM1 # diagnose vpn ike gateway list

 

vd: root/0

name: VPN_to_VM2

version: 1

interface: port1 3

addr: 192.168.200.116:4500 -> 192.168.200.117:4500

tun_id: 192.168.200.117

remote_location: 0.0.0.0

created: 20s ago

nat: me

IKE SA: created 1/1  established 1/1  time 0/0/0 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 

  id/spi: 86 a8806f2525f1936d/68687ddef906def1

  direction: initiator

  status: established 20-20s ago = 0ms

  proposal: aes256-sha1

  key: 089d0d2924ba1a22-b8dff488e223fde3-b06db275431f90a3-318e2fe8dd85eb4b

  lifetime/rekey: 86400/86079

  DPD sent/recv: 00000000/00000000

FGVM2 (root) # diagnose vpn ike gateway list

 

vd: root/0

name: VPN_to_VM1

version: 1

interface: port1 3

addr: 192.168.200.117:4500 -> 192.168.200.116:4500

tun_id: 192.168.200.116

remote_location: 0.0.0.0

created: 33s ago

peer-id: VPN

peer-id-auth: no

nat: peer

IKE SA: created 1/2  established 1/1  time 0/0/0 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 

  id/spi: 40 a8806f2525f1936d/68687ddef906def1

  direction: responder

  status: established 9-9s ago = 0ms

  proposal: aes256-sha1

  key: 089d0d2924ba1a22-b8dff488e223fde3-b06db275431f90a3-318e2fe8dd85eb4b

  lifetime/rekey: 86400/86120

  DPD sent/recv: 00000000/00000000

  peer-id: VPN

 

VPN is established over 4500 because FW2 listens on 4500 and X which is configured under global setting.

 

When set ike-port 500 (default):

  • The server listens on port 500 and port 4500.
  • The initiator starts on port 500.

 

In this way, if having dialup Hub(FortiGate) with multiple vendors and IKE 500 is blocked for some of the spokes, it is possible to configure FortiGate spokes to use 4500, because HUB will listen on 500 and 4500. For this, it will not impact spokes which use 500.

Starting from 7.4.2 and in case of having UDP blocked, IKE can also use TCP instead of UDP based on the following document TCP encapsulation of IKE and IPsec packets across multiple vendors.

 

Labels:
4931
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.