FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syordanov
Staff
Staff
Description This article describes how to configure custom IKE port between two FortiGate FWs.
Scope

Only on FortiOS 7.0.0 and above

Solution

Some ISPs block UDP port 500 or UDP 4500, preventing an IPsec from being established, FortiOS 7.0.0 introduce new configuration option with the help of which you can specify custom IKE port between 2 FortiGates running on FortiOS 7.0.0 and above

Example topology:

 

FortiGate_FW1 <-> ISP_customer1 <-> Ineternet <-> ISP_customer2 <-> FortiGate_FW2

 

By some reason port 500 and 4500 are blocked between both FWs with the configuration below for VPN will be used port 1234 (it could be every  between 1024 and 65535).

 

FortiGate_FW1 configuration:

 

First step is to configure custom IKE port, this option is global and will affect all existing VPN’s which are configured on the FW, that iswhy it is necessary to be sure that this option could be configured on remote peer / peers .

 

FortiGate_FW1 config:

 

1) Set custom IKE port :

 

# config system  setting
    set ike-port 1234
end

 

2) VPN configuration:

 

    edit "VPN_to_VM2"

        set interface "port1"

        set peertype any

        set net-device disable

        set proposal aes256-sha1

        set localid "VPN"

        set nattraversal forced

        set remote-gw 192.168.200.117

        set psksecret ENC 8Pttk+W8CE/qei6VbcFaz0Hv9ikpV9sQu3dJOfXgi5+jzgsKF6dNVkccgPVXy6Somt1gv4jDjOmw/iGBZD2L8eZi87P9iYJCqXLSifzLvLo3LupwusaSdVGKn0Ne9ZgTJD9vSDMlM1No+iv7leb8GZv6EaUvBADIuEYMqNlZWLvDdHDb1X6u6Lkrw0DLwZpXu4Zmrw==

    next

end

 

Phase 2 configuration:

 

# config vpn ipsec phase2-interfac

    edit "VPN_to_VM2"

        set phase1name "VPN_to_VM2"

        set proposal aes256-sha1

        set src-subnet 10.10.3.0 255.255.255.0

        set dst-subnet 10.10.4.0 255.255.255.0

    next

    end

FortiGate_FW2 config :

 

# config system  setting
    set ike-port 1234
end

 

3) VPN Configuration:

 

# config vpn ipsec phase1-interfac

    edit "VPN_to_VM1"

        set interface "port1"

        set peertype any

        set net-device disable

        set proposal aes256-sha1

        set nattraversal forced

        set remote-gw 192.168.200.116

        set psksecret ENC gTY7OusREa5tKVsOOpvqZRdWfbyIUXOzUVlGghDLZA0h3alXu16RUgFRAwg4wo818+vdSNAx+bRgzlH7+rUzZgTeovMYFSVnHD//2zlVmzH

/ctN7n88AxqCbsSb1mgTBz1R+nQMxgwMC8vXTApTz2YnarrfavxsXJdqfYbBZlhAXK59UpY8mvpGLioMZCEGTIzpN8w==

next

end

 

Phase 2 configuration:

 

# config vpn ipsec phase2-interfac

    edit "VPN_to_VM1"

        set phase1name "VPN_to_VM1"

        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

        set src-subnet 10.10.4.0 255.255.255.0

        set dst-subnet 10.10.3.0 255.255.255.0

    next

end

 

Check if the configured port is used on both FWs:

 

FGVM1 # diagnose vpn ike gateway list

 

vd: root/0

name: VPN_to_VM2

version: 1

interface: port1 3

addr: 192.168.200.116:1234 -> 192.168.200.117:1234

tun_id: 192.168.200.117

remote_location: 0.0.0.0

created: 665s ago

nat: me peer

IKE SA: created 2/2  established 2/2  time 0/0/0 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 

  id/spi: 83 81054410750ca9e4/bb0f28ad2f802b3a

  direction: responder

  status: established 662-662s ago = 0ms

  proposal: aes256-sha1

  key: f0574c512a50c99e-69d5a2e651ec7def-80092d48a7825f3a-529b8b4466c06a92

  lifetime/rekey: 86400/85467

  DPD sent/recv: 00000000/00000000

 

  id/spi: 82 f4d711dc2cc4a913/14f1a4cfb93ef928

  direction: initiator

  status: established 665-665s ago = 0ms

  proposal: aes256-sha1

  key: 0d4876c33ff2b1ff-715b4ebf377a3243-7d7a54537971f079-031ef7123f70335d

  lifetime/rekey: 86400/85434

  DPD sent/recv: 00000000/00000000

 

# diagnose vpn ike gateway list

 

vd: root/0

name: VPN_to_VM1

version: 1

interface: port1 3

addr: 192.168.200.117:1234 -> 192.168.200.116:1234

tun_id: 192.168.200.116

remote_location: 0.0.0.0

created: 575s ago

peer-id: VPN

peer-id-auth: no

nat: me peer

IKE SA: created 2/2  established 2/2  time 0/4500/9000 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 35 f4d711dc2cc4a913/14f1a4cfb93ef928

  direction: responder

  status: established 569-569s ago = 0ms

  proposal: aes256-sha1

  key: 0d4876c33ff2b1ff-715b4ebf377a3243-7d7a54537971f079-031ef7123f70335d

  lifetime/rekey: 86400/85560

  DPD sent/recv: 00000000/00000000

  peer-id: VPN

 

  id/spi: 34 81054410750ca9e4/bb0f28ad2f802b3a

  direction: initiator

  status: established 575-566s ago = 9000ms

  proposal: aes256-sha1

  key: f0574c512a50c99e-69d5a2e651ec7def-80092d48a7825f3a-529b8b4466c06a92

  lifetime/rekey: 86400/85533

  DPD sent/recv: 00000000/00000000

  peer-id: VPN

 

When FortiOS is configured set ike-port X, FW will listens on port X and port 4500 :

 

Behavior when FW1 is set ike-port 4500 and FW2 is set ike-port 1234:

 

FGVM1 #  diagnose vpn ike gateway list

 

vd: root/0

name: VPN_to_VM2

version: 1

interface: port1 3

addr: 192.168.200.116:4500 -> 192.168.200.117:4500

tun_id: 192.168.200.117

remote_location: 0.0.0.0

created: 20s ago

nat: me

IKE SA: created 1/1  established 1/1  time 0/0/0 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 

  id/spi: 86 a8806f2525f1936d/68687ddef906def1

  direction: initiator

  status: established 20-20s ago = 0ms

  proposal: aes256-sha1

  key: 089d0d2924ba1a22-b8dff488e223fde3-b06db275431f90a3-318e2fe8dd85eb4b

  lifetime/rekey: 86400/86079

  DPD sent/recv: 00000000/00000000

FGVM2 (root) # diagnose vpn ike gateway list

 

vd: root/0

name: VPN_to_VM1

version: 1

interface: port1 3

addr: 192.168.200.117:4500 -> 192.168.200.116:4500

tun_id: 192.168.200.116

remote_location: 0.0.0.0

created: 33s ago

peer-id: VPN

peer-id-auth: no

nat: peer

IKE SA: created 1/2  established 1/1  time 0/0/0 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 

  id/spi: 40 a8806f2525f1936d/68687ddef906def1

  direction: responder

  status: established 9-9s ago = 0ms

  proposal: aes256-sha1

  key: 089d0d2924ba1a22-b8dff488e223fde3-b06db275431f90a3-318e2fe8dd85eb4b

  lifetime/rekey: 86400/86120

  DPD sent/recv: 00000000/00000000

  peer-id: VPN

 

VPN is established over 4500, because FW2 is listen on 4500 and X which is configured under global setting .

 

When set ike-port 500 (default):
      - server listens on port 500 and port 4500
      - initiator starts on port 500

 

In this way if you have dialup Hub(FortiGate)  with multiple vendors and IKE 500 is blocked for some of the spokes, you can configure Fortigate spokes to use 4500 , because HUB will listen on 500 and 4500, in this way you will not impact spokes which use 500.

 

Contributors