Port 4500 ipsec/udp traffic

L7 Applicator

Hello Infotech,

Please make sure NAT-traversal is enabled on both side firewalls to accept IKE on port 4500. During IKE negotiation, from the 3rd message onwards, the port will flip to UDP 4500.

Traditionally, IPsec does not work when traversing across a device doing NAT. To circumvent this problem, NAT-T or NAT Traversal was developed. NAT-T is an IKE phase 1 algorithm that is used when trying to establish a VPN between two gateway devices where a NAT device exists in front of one of the devices.

Thanks.
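As an added example (not part of this thread or of any vendor tool), the following Python classifier applies the RFC 3948 rules the reply above describes: plain IKE on UDP 500, and on UDP 4500 either a one-byte 0xFF keepalive, IKE behind the four-byte zero non-ESP marker, or UDP-encapsulated ESP. The sample datagrams, SPIs and directions are constructed; fed with payloads pulled from a capture, the tally shows whether port-4500 traffic is actually coming back.

```python
import struct
from collections import Counter

IKE_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode",
                 34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

def parse_ike_header(data):
    """Decode the fixed 28-byte IKE header shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296)."""
    if len(data) < 28:
        return None
    ispi, rspi, _np, version, exch, _fl, _mid, _len = struct.unpack("!QQBBBBII", data[:28])
    return {"version": f"IKEv{version >> 4}", "exchange": IKE_EXCHANGES.get(exch, f"exchange {exch}")}

def classify_udp_payload(dst_port, payload):
    """Label one UDP payload by the RFC 3948 rules: IKE on 500; keepalive, NAT-T IKE or ESP on 4500."""
    if dst_port == 500:
        hdr = parse_ike_header(payload)
        return f"IKE {hdr['version']} {hdr['exchange']}" if hdr else "malformed IKE"
    if dst_port == 4500:
        if payload == b"\xff":
            return "NAT-T keepalive"
        if payload[:4] == b"\x00\x00\x00\x00":  # non-ESP marker: IKE carried over 4500
            hdr = parse_ike_header(payload[4:])
            return f"NAT-T IKE {hdr['version']} {hdr['exchange']}" if hdr else "malformed NAT-T IKE"
        if len(payload) >= 8:
            spi, seq = struct.unpack("!II", payload[:8])  # ESP header: SPI, sequence number
            return f"UDP-encapsulated ESP spi=0x{spi:08x} seq={seq}"
        return "malformed UDP/4500"
    return "not IKE/IPsec"

def summarize(packets):
    """Count (direction, label) pairs so that missing return traffic on 4500 stands out."""
    counts = Counter()
    for direction, dport, payload in packets:
        counts[(direction, classify_udp_payload(dport, payload))] += 1
    return counts

def ike_header(ispi, rspi, next_payload, exch, flags, msg_id):
    """Build a bare IKEv2 header (no payloads) for the constructed samples below."""
    return struct.pack("!QQBBBBII", ispi, rspi, next_payload, 0x20, exch, flags, msg_id, 28)

# Constructed sample datagrams (direction relative to the firewall, UDP dst port, payload);
# they mirror the thread: IKE on 500, then the flip to 4500. Not from a real capture.
SAMPLE_PACKETS = [
    ("out", 500, ike_header(0x1111, 0, 33, 34, 0x08, 0)),                         # IKE_SA_INIT request
    ("in", 500, ike_header(0x1111, 0x2222, 33, 34, 0x20, 0)),                     # IKE_SA_INIT response
    ("out", 4500, b"\x00" * 4 + ike_header(0x1111, 0x2222, 46, 35, 0x08, 1)),     # IKE_AUTH via NAT-T
    ("in", 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),               # ESP inside UDP
    ("out", 4500, b"\xff"),                                                        # NAT-T keepalive
]
```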

L4 Transporter

I don't have any control over the remote site, but if I am able to send 500 IKE traffic out into the internet and am not seeing 4500 traffic trying to come in, I'm not sure how NAT-T would affect it.

L4 Transporter

I do not have NAT-T enabled on the Palo side.

L7 Applicator

If NAT-T is not enabled on the PAN firewall, then could you please let us know why you are expecting traffic on port 4500?

Thanks

L4 Transporter

I have a vendor that creates a VPN tunnel using a Fortinet device behind our PA 3020. The device initiates the tunnel; the IKE 500 traffic I am seeing passing through the PA into the internet. Then I would assume a device on the vendor's side exchanges SAs with the 500 traffic, should say okay and build the ipsec/udp tunnel using port 4500. I am trying to confirm that we are making it past the PA firewall into the internet and not blocking a response from the vendor.

L7 Applicator

Does the VPN terminate on the PAN FW?

Thanks

L4 Transporter

I don't understand the question.

L7 Applicator

Is the VPN tunnel configured on the PAN firewall, or is it just a pass-through device?

Thanks

L4 Transporter

It just passes through the PA.

L7 Applicator

Ok, then nothing has to be done on the PAN firewall apart from a general security policy etc.

You can check the real-time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'.

If a session exists for the same traffic, then please run the CLI command 'show session id XYZ' to get detailed information about that session, i.e. NAT rule, security rule, ingress/egress interface etc.

Thanks
