Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pjang
Staff & Editor
Staff & Editor

Created on ‎09-19-2024 11:24 PM Edited on ‎01-28-2025 01:48 AM By Community Manager

Article Id 342618

Technical Tip: Network scans show TCP 4500 on the FortiGate even when ike-tcp-port is modified (7.4 and later)

Description This article describes a known behavior where TCP port 4500 will always appear when performing network port scans on the FortiGate. Note that this article applies to FortiGates that are running v7.4.2+ and that also have at least one IPsec VPN tunnel configured.
Scope FortiGate v7.4.2 and later, IPsec.
Solution

In v7.4.2, a new feature was added that enabled proprietary TCP encapsulation of IKE and IPsec packets between FortiGates (i.e. TCP-based IPsec) when using IKEv2-based IPsec tunnels. Later, v7.4.4 broadened support for this feature so that multi-vendor IPsec tunnels with TCP encapsulation were possible. Refer to the following documents for more information:

As part of this feature, FortiGate's IKed process (which handles IPsec) now listens on TCP/4500 in addition to the traditional UDP/500 and UDP/4500 ports. Additionally, the FortiGate can be configured to listen to a different TCP port by configuring the following setting:

 

config system setting

    set ike-tcp-port <integer>

end

 

However, there is an interesting behavior: when the above setting is modified to a value other than the default 4500, the FortiGate will show as listening on both the new port and the default TCP/4500. This can be observed when running a network port scan against the FortiGate, and it is also reflected in the output of diagnose sys tcpsock on the FortiGate itself. In the following example, the FortiGate has ike-tcp-port set to 8500:

 

FortiGate # show full system settings | grep ike-tcp-port

    set ike-tcp-port 8500

 

FortiGate # diagnose sys tcpsock | grep 500
0.0.0.0:10500->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=21796 process=191/authd
0.0.0.0:8500->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=31548648 process=209/iked
0.0.0.0:4500->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=31548647 process=209/iked

 

This is expected behavior. The implementation of the FortiGate for this TCP encapsulation feature follows RFC 9329, and under Section 2 of the RFC the following specification can be found here:

Compliant implementations MUST support TCP encapsulation on TCP port 4500

 

As per the RFC, the FortiGate is required to always be listening on TCP/4500 as part of TCP-encapsulated IPsec, even when alternate TCP ports are configured for listening. Furthermore, TCP-based IPsec tunnels can still be established even if one of two peers has changed their TCP IKE port (since at least one peer is initiating connections to TCP/4500 and all peers are always listening on  TCP/4500).
4742
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.