Fortinet Document Library
New Features

7.0.0

Configurable IKE port

Some ISPs block UDP port 500, preventing an IPsec VPN from being established. To accommodate this, the IKE and IKE NAT-T ports can be changed.

To set the IKE ports:
config system settings
    set ike-port <integer>
    set ike-natt-port <integer>
end

ike-port

UDP port for IKE/IPsec traffic (1024 - 65535, default = 500).

ike-natt-port

UDP port for IKE/IPsec traffic in NAT-T mode (1024 - 65535, default = 4500).

Example

In this example, the IKE port is set to 6000 and the IKE NAT-T port is set to 5000. A site-to-site VPN and a dial-up VPN with NAT are configured to show that the specified ports are used: in the output below, the site-to-site tunnel uses port 6000 on both gateways, and the dial-up tunnel from a peer behind NAT uses the NAT-T port 5000 on the FortiGate.

To set the IKE ports:
config system settings
    set ike-port 6000
    set ike-natt-port 5000
end
To configure and check the site-to-site VPN:
  1. Configure the phase1 and phase2 interfaces:

    config vpn ipsec phase1-interface
        edit "s2s"
            set interface "port27"
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set wizard-type static-fortigate
            set remote-gw 11.101.1.1
            set psksecret **********
        next
    end
    config vpn ipsec phase2-interface
        edit "s2s"
            set phase1name "s2s"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set src-addr-type name
            set dst-addr-type name
            set src-name "s2s_local"
            set dst-name "s2s_remote"
        next
    end
  2. Check the IKE gateway list and confirm that the specified port is used:

    # diagnose vpn ike gateway list
    
    vd: root/0
    name: s2s
    version: 2
    interface: port27 17
    addr: 173.1.1.1:6000 -> 11.101.1.1:6000
    tun_id: 11.101.1.1
    remote_location: 0.0.0.0
    created: 194s ago
    PPK: no
    IKE SA: created 1/2  established 1/2  time 0/4500/9000 ms
    IPsec SA: created 1/2  established 1/2  time 0/4500/9000 ms
    ...
  3. Check the VPN tunnel list:

    # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=s2s ver=2 serial=1 173.1.1.1:6000->11.101.1.1:6000 tun_id=11.101.1.1 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    bound_if=17 lgwy=static/1 tun=tunnel/15 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
    ...
To configure and check the dial-up VPN with NAT:
  1. Configure the phase1 and phase2 interfaces:

    config vpn ipsec phase1-interface
        edit "server"
            set type dynamic
            set interface "port27"
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set dpd on-idle
            set wizard-type static-fortigate
            set psksecret **********
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "server"
            set phase1name "server"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set src-addr-type name
            set dst-addr-type name
            set src-name "server_local"
            set dst-name "server_remote"
        next
    end
  2. Check the IKE gateway list and confirm that the specified port is used:

    # diagnose vpn ike gateway list
    
    vd: root/0
    name: server_0
    version: 2
    interface: port27 17
    addr: 173.1.1.1:5000 -> 173.1.1.2:65416
    tun_id: 173.1.1.2
    remote_location: 0.0.0.0
    created: 90s ago
    nat: peer
    PPK: no
    IKE SA: created 1/1  established 1/1  time 0/0/0 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
    ...
  3. Check the VPN tunnel list:

    # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=server_0 ver=2 serial=a 173.1.1.1:5000->173.1.1.2:65416 tun_id=173.1.1.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    bound_if=17 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/904 options[0388]=npu rgwy-chg rport-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
    ...
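The two checks above are done by eye. The following is an added example, not Fortinet's code and not part of the original page: a small Python script that parses the "config system settings" block and the "diagnose vpn ike gateway list" output shown in this example and confirms that every established gateway really uses the configured port. A gateway whose output carries a "nat:" line (the peer is behind NAT) is expected on ike-natt-port, any other gateway on ike-port; treating the "nat:" line as the NAT-T selector is an assumption that matches the sample output. The script also enforces the 1024-65535 range the page states for changed ports. The settings and diagnose texts are constructed from the output on this page.

```python
import re

# Constructed sample input, copied from the example above.
SETTINGS = """config system settings
    set ike-port 6000
    set ike-natt-port 5000
end
"""

# Constructed sample input: both gateways from "diagnose vpn ike gateway list" above.
GATEWAY_LIST = """vd: root/0
name: s2s
version: 2
interface: port27 17
addr: 173.1.1.1:6000 -> 11.101.1.1:6000
tun_id: 11.101.1.1
remote_location: 0.0.0.0
created: 194s ago
PPK: no
IKE SA: created 1/2  established 1/2  time 0/4500/9000 ms
IPsec SA: created 1/2  established 1/2  time 0/4500/9000 ms

vd: root/0
name: server_0
version: 2
interface: port27 17
addr: 173.1.1.1:5000 -> 173.1.1.2:65416
tun_id: 173.1.1.2
remote_location: 0.0.0.0
created: 90s ago
nat: peer
PPK: no
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
"""

DEFAULT_PORTS = {"ike-port": 500, "ike-natt-port": 4500}  # defaults stated on the page


def parse_ike_ports(settings_text):
    """Return the effective IKE ports from a 'config system settings' block.

    Values that are not set keep their defaults. A set value outside
    1024-65535 is rejected, mirroring the range the page documents.
    """
    ports = dict(DEFAULT_PORTS)
    pattern = r"^\s*set (ike-port|ike-natt-port) (\d+)\s*$"
    for m in re.finditer(pattern, settings_text, re.MULTILINE):
        value = int(m.group(2))
        if not 1024 <= value <= 65535:
            raise ValueError(f"{m.group(1)} {value} is outside 1024-65535")
        ports[m.group(1)] = value
    return ports


def parse_gateways(diag_text):
    """Split 'diagnose vpn ike gateway list' output into one dict per gateway.

    Each gateway record starts with a 'vd:' line; every 'key: value' line
    is stored under its key.
    """
    gateways, current = [], {}
    for raw in diag_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("vd:") and current:
            gateways.append(current)
            current = {}
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        gateways.append(current)
    return gateways


def check_gateway_ports(settings_text, diag_text):
    """Compare each gateway's local UDP port with the configured IKE ports.

    Assumption (consistent with the page's output): a 'nat:' line means the
    peer is behind NAT, so the local side should be on ike-natt-port;
    otherwise it should be on ike-port.
    """
    ports = parse_ike_ports(settings_text)
    addr_re = re.compile(r"([^\s:]+):(\d+) -> ([^\s:]+):(\d+)")
    results = []
    for gw in parse_gateways(diag_text):
        m = addr_re.match(gw.get("addr", ""))
        if not m:
            continue  # no address line, nothing to verify
        local_port = int(m.group(2))
        behind_nat = "nat" in gw
        expected = ports["ike-natt-port"] if behind_nat else ports["ike-port"]
        results.append({
            "name": gw.get("name"),
            "nat": behind_nat,
            "expected": expected,
            "actual": local_port,
            "ok": local_port == expected,
        })
    return results


if __name__ == "__main__":
    for r in check_gateway_ports(SETTINGS, GATEWAY_LIST):
        status = "OK " if r["ok"] else "MISMATCH"
        print(f"{status} {r['name']}: local port {r['actual']} (expected {r['expected']}, nat={r['nat']})")
```

Running it against the page's output reports both s2s (expected 6000) and server_0 (expected 5000) as matching. Feeding it the default settings instead flags both gateways, which is the quick way to spot a device where the port change was never applied or was reverted.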