Created on 12-28-2021 09:01 AM
Edited on 11-06-2024 06:32 AM
By Jean-Philippe_P
Description
This article describes configuring a custom IKE port between two FortiGate firewalls.

Scope
FortiOS 7.0.0 and above only.

Solution
Some ISPs block UDP port 500 or UDP port 4500, which prevents an IPsec tunnel from being established. FortiOS 7.0.0 introduces a new configuration option that makes it possible to specify a custom IKE port between two FortiGates running FortiOS 7.0.0 or above.
Example topology: FortiGate_FW1 <-> ISP_customer1 <-> Internet <-> ISP_customer2 <-> FortiGate_FW2.
In this example, ports 500 and 4500 are blocked between the two firewalls, so the configuration below uses port 1234 for the VPN (any port between 1024 and 65535 could be used instead).
FortiGate_FW1 configuration:
The first step is to configure a custom IKE port. This option is global and affects all existing VPNs configured on the firewall, so make sure the option can also be configured on the remote peer or peers before changing it.
FortiGate_FW1 config:

config system settings
    set ike-port 1234
end

config vpn ipsec phase1-interface
    edit "VPN_to_VM2"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set localid "VPN"
        set nattraversal forced
        set remote-gw 192.168.200.117
        set psksecret ENC 8Pttk+W8CE/qei6VbcFaz0Hv9ikpV9sQu3dJOfXgi5+jzgsKF6dNVkccgPVXy6Somt1gv4jDjOmw/iGBZD2L8eZi87P9iYJCqXLSifzLvLo3LupwusaSdVGKn0Ne9ZgTJD9vSDMlM1No+iv7leb8GZv6EaUvBADIuEYMqNlZWLvDdHDb1X6u6Lkrw0DLwZpXu4Zmrw==
    next
end

Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "VPN_to_VM2"
        set phase1name "VPN_to_VM2"
        set proposal aes256-sha1
        set src-subnet 10.10.3.0 255.255.255.0
        set dst-subnet 10.10.4.0 255.255.255.0
    next
end

FortiGate_FW2 config:

config system settings
    set ike-port 1234
end

config vpn ipsec phase1-interface
    edit "VPN_to_VM1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set nattraversal forced
        set remote-gw 192.168.200.116
        set psksecret ENC gTY7OusREa5tKVsOOpvqZRdWfbyIUXOzUVlGghDLZA0h3alXu16RUgFRAwg4wo818+vdSNAx+bRgzlH7+rUzZgTeovMYFSVnHD//2zlVmzH/ctN7n88AxqCbsSb1mgTBz1R+nQMxgwMC8vXTApTz2YnarrfavxsXJdqfYbBZlhAXK59UpY8mvpGLioMZCEGTIzpN8w==
    next
end

Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "VPN_to_VM1"
        set phase1name "VPN_to_VM1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 10.10.4.0 255.255.255.0
        set dst-subnet 10.10.3.0 255.255.255.0
    next
end
Check that the configured port is in use on both firewalls:

FGVM1 # diagnose vpn ike gateway list

vd: root/0
name: VPN_to_VM2
version: 1
interface: port1 3
addr: 192.168.200.116:1234 -> 192.168.200.117:1234
tun_id: 192.168.200.117
remote_location: 0.0.0.0
created: 665s ago
nat: me peer
IKE SA: created 2/2 established 2/2 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 83 81054410750ca9e4/bb0f28ad2f802b3a
direction: responder
status: established 662-662s ago = 0ms
proposal: aes256-sha1
key: f0574c512a50c99e-69d5a2e651ec7def-80092d48a7825f3a-529b8b4466c06a92
lifetime/rekey: 86400/85467
DPD sent/recv: 00000000/00000000

id/spi: 82 f4d711dc2cc4a913/14f1a4cfb93ef928
direction: initiator
status: established 665-665s ago = 0ms
proposal: aes256-sha1
key: 0d4876c33ff2b1ff-715b4ebf377a3243-7d7a54537971f079-031ef7123f70335d
lifetime/rekey: 86400/85434
DPD sent/recv: 00000000/00000000

On FortiGate_FW2:

diagnose vpn ike gateway list

vd: root/0
name: VPN_to_VM1
version: 1
interface: port1 3
addr: 192.168.200.117:1234 -> 192.168.200.116:1234
tun_id: 192.168.200.116
remote_location: 0.0.0.0
created: 575s ago
peer-id: VPN
peer-id-auth: no
nat: me peer
IKE SA: created 2/2 established 2/2 time 0/4500/9000 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 35 f4d711dc2cc4a913/14f1a4cfb93ef928
direction: responder
status: established 569-569s ago = 0ms
proposal: aes256-sha1
key: 0d4876c33ff2b1ff-715b4ebf377a3243-7d7a54537971f079-031ef7123f70335d
lifetime/rekey: 86400/85560
DPD sent/recv: 00000000/00000000
peer-id: VPN

id/spi: 34 81054410750ca9e4/bb0f28ad2f802b3a
direction: initiator
status: established 575-566s ago = 9000ms
proposal: aes256-sha1
key: f0574c512a50c99e-69d5a2e651ec7def-80092d48a7825f3a-529b8b4466c06a92
lifetime/rekey: 86400/85533
DPD sent/recv: 00000000/00000000
peer-id: VPN
When FortiOS is configured with set ike-port X, the firewall listens on port X and on port 4500.

Behaviour when FW1 is configured with set ike-port 4500 and FW2 with set ike-port 1234:
FGVM1 # diagnose vpn ike gateway list

vd: root/0
name: VPN_to_VM2
version: 1
interface: port1 3
addr: 192.168.200.116:4500 -> 192.168.200.117:4500
tun_id: 192.168.200.117
remote_location: 0.0.0.0
created: 20s ago
nat: me
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 86 a8806f2525f1936d/68687ddef906def1
direction: initiator
status: established 20-20s ago = 0ms
proposal: aes256-sha1
key: 089d0d2924ba1a22-b8dff488e223fde3-b06db275431f90a3-318e2fe8dd85eb4b
lifetime/rekey: 86400/86079
DPD sent/recv: 00000000/00000000

FGVM2 (root) # diagnose vpn ike gateway list

vd: root/0
name: VPN_to_VM1
version: 1
interface: port1 3
addr: 192.168.200.117:4500 -> 192.168.200.116:4500
tun_id: 192.168.200.116
remote_location: 0.0.0.0
created: 33s ago
peer-id: VPN
peer-id-auth: no
nat: peer
IKE SA: created 1/2 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 40 a8806f2525f1936d/68687ddef906def1
direction: responder
status: established 9-9s ago = 0ms
proposal: aes256-sha1
key: 089d0d2924ba1a22-b8dff488e223fde3-b06db275431f90a3-318e2fe8dd85eb4b
lifetime/rekey: 86400/86120
DPD sent/recv: 00000000/00000000
peer-id: VPN
The VPN is established over port 4500 because FW2 listens on both 4500 and the port X configured under the global setting.

When set ike-port 500 (the default) is used:
In the same way, a dial-up hub (FortiGate) with spokes from multiple vendors, where UDP 500 is blocked for some of the spokes, can have its FortiGate spokes configured to use 4500, because the hub listens on both 500 and 4500. This does not impact the spokes that keep using 500.
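The two checks described above (that the tunnel actually negotiated on the custom port, and which port two peers with different ike-port settings end up sharing) can be scripted. The following is an added example, not code from the Fortinet article or FortiOS: it models the listening rule stated above (a FortiGate with set ike-port X listens on X and 4500), parses the gateway lines of diagnose vpn ike gateway list output, and flags a tunnel whose local or remote IKE port is not the expected one. The function names, the Gateway record and the sample output strings (trimmed copies of the article's output, with keys and SPIs omitted) are constructed for this example.

```python
"""Added example, not part of the Fortinet article: verify that an IPsec
tunnel negotiated on the intended custom IKE port, using the layout of
'diagnose vpn ike gateway list' output shown in the article."""
from __future__ import annotations

import re
from dataclasses import dataclass

IKE_DEFAULT_PORT = 500   # the default (set ike-port 500)
NAT_T_PORT = 4500        # always opened alongside the configured port


def listening_ports(ike_port: int) -> set[int]:
    """Ports a FortiGate accepts IKE on after 'set ike-port <ike_port>':
    the configured port plus UDP 4500 (the behaviour the article shows)."""
    if not 1 <= ike_port <= 65535:
        raise ValueError(f"invalid UDP port {ike_port}")
    return {ike_port, NAT_T_PORT}


def usable_ports(fw1_ike_port: int, fw2_ike_port: int, blocked=()) -> set[int]:
    """Ports both peers listen on that the path between them does not block.
    An empty result means the tunnel cannot come up with these settings."""
    common = listening_ports(fw1_ike_port) & listening_ports(fw2_ike_port)
    return common - set(blocked)


@dataclass
class Gateway:
    name: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    nat: str          # e.g. "me peer", "peer" or "me", as printed by FortiOS


# One gateway entry; re.S lets '.*?' span the line breaks between fields.
GATEWAY_RE = re.compile(
    r"name:\s+(?P<name>\S+).*?"
    r"addr:\s+(?P<local_ip>[\d.]+):(?P<local_port>\d+)\s+->\s+"
    r"(?P<remote_ip>[\d.]+):(?P<remote_port>\d+).*?"
    r"nat:\s+(?P<nat>.*?)\s+IKE SA:",
    re.S,
)


def parse_gateways(output: str) -> list[Gateway]:
    """Split gateway-list output into Gateway records. Every entry starts
    with 'vd:', so split there first; a field missing from one entry then
    cannot make the lazy regex run into the next entry."""
    gateways = []
    for chunk in re.split(r"(?=\bvd: )", output):
        m = GATEWAY_RE.search(chunk)
        if m:
            gateways.append(Gateway(
                m["name"], m["local_ip"], int(m["local_port"]),
                m["remote_ip"], int(m["remote_port"]), m["nat"].strip(),
            ))
    return gateways


def check_port(gw: Gateway, expected_port: int) -> list[str]:
    """Findings for one gateway; an empty list means both ends use expected_port."""
    findings = []
    if gw.local_port != expected_port:
        findings.append(f"{gw.name}: local IKE port {gw.local_port}, expected {expected_port}")
    if gw.remote_port != expected_port:
        findings.append(f"{gw.name}: remote IKE port {gw.remote_port}, expected {expected_port}")
    return findings


# Constructed samples: the gateway lines of the article's output, trimmed to
# the fields the parser needs (SA keys and SPIs omitted).
SAMPLE_CUSTOM_PORT = """\
FGVM1 # diagnose vpn ike gateway list
vd: root/0
name: VPN_to_VM2
addr: 192.168.200.116:1234 -> 192.168.200.117:1234
created: 665s ago
nat: me peer
IKE SA: created 2/2 established 2/2 time 0/0/0 ms
"""

SAMPLE_FALLBACK_4500 = """\
FGVM1 # diagnose vpn ike gateway list
vd: root/0
name: VPN_to_VM2
addr: 192.168.200.116:4500 -> 192.168.200.117:4500
created: 20s ago
nat: me
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
FGVM2 (root) # diagnose vpn ike gateway list
vd: root/0
name: VPN_to_VM1
addr: 192.168.200.117:4500 -> 192.168.200.116:4500
created: 33s ago
peer-id: VPN
peer-id-auth: no
nat: peer
IKE SA: created 1/2 established 1/1 time 0/0/0 ms
"""
```

Running check_port over parse_gateways(SAMPLE_FALLBACK_4500) with an expected port of 1234 reports both ends of VPN_to_VM2 on 4500, which is exactly the mismatch case shown above, while usable_ports(4500, 1234, {500}) returns {4500}, the port the article's output shows the tunnel falling back to.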
Copyright 2025 Fortinet, Inc. All Rights Reserved.