askvity

What port is IPSec IKEv2?

Published in IPSec IKEv2 Ports

IPSec IKEv2 primarily uses UDP ports 500 and 4500 for the key exchange, plus ESP (IP protocol 50, not a port) for the encrypted traffic itself.

IPSec (Internet Protocol Security) is a suite of protocols that secures IP communications by authenticating and encrypting the IP packets of a session. IKEv2 (Internet Key Exchange version 2) is the protocol IPSec uses to negotiate and authenticate its Security Associations (SAs): first an IKE SA that protects the negotiation itself, then the Child SAs that hold the keys and algorithms ESP uses to protect the actual traffic.

Required Ports and Protocol for IKEv2/IPSec

The WatchGuard documentation this answer draws on notes that IKEv2 relies on IPSec for the data path. In practice this means that two UDP ports and one IP protocol must be allowed between the peers, on every firewall and NAT device in between, for the tunnel to be established and to keep passing traffic.

The reference explicitly states:

By default, IKEv2 uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50.

This means that for IKEv2-based VPN connections utilizing IPSec, the following are essential:

  • UDP Port 500: Used for the first IKEv2 exchange (IKE_SA_INIT), in which the peers agree on cryptographic algorithms, perform the Diffie-Hellman exchange and detect whether a NAT sits between them. The IKE SA created here protects the following IKE_AUTH exchange, in which the peers authenticate each other and negotiate the first Child SA for ESP.
  • UDP Port 4500: Used for IKE and ESP when Network Address Translation (NAT) is detected. If either endpoint is behind a NAT device, the peers move the remaining IKE messages to UDP 4500 and encapsulate the ESP traffic in UDP 4500 as well, so that the NAT has ports to rewrite and a flow to track. This is NAT Traversal (NAT-T, RFC 3948). On the wire, IKE messages on 4500 carry a four-byte all-zero "non-ESP marker" that distinguishes them from UDP-encapsulated ESP, whose first four bytes are the (never zero) SPI; a single 0xFF byte on the same port is the NAT keepalive that holds the NAT mapping open.
  • ESP (Encapsulating Security Payload), IP protocol 50: The protocol that carries the encrypted and authenticated data once IKE has established the Child SA. ESP is its own IP protocol, not a TCP or UDP port; it is identified by the value 50 in the Protocol field of the IPv4 header (Next Header in IPv6). Because it has no port numbers, a firewall must permit protocol 50 explicitly, and a NAT that cannot handle it is exactly the case NAT-T exists for.

Here is a summary of the requirements:

Component           Protocol   Port / IP protocol number   Purpose
IKE (initial)       UDP        500                         Initial IKE Security Association negotiation
IKE/ESP (NAT-T)     UDP        4500                        IKE and UDP-encapsulated ESP when NAT is detected
Encrypted data      ESP        IP protocol 50              Carries the encrypted and authenticated traffic

Practical Considerations

When configuring firewalls or network devices for IPSec IKEv2 VPNs, allow UDP 500, UDP 4500 and IP protocol 50 in both directions between the peers; blocking any one of them either prevents the tunnel from establishing or lets it establish and then silently drop data. Which path a given connection takes depends on the network: a peer with a public address and no NAT in between negotiates on UDP 500 and sends native ESP (protocol 50), while a user behind a home router (the common remote-work case) finishes the negotiation on UDP 4500 and sends all ESP inside UDP 4500, so that port is the one that matters most for NAT-ed clients. If the VPN gateway itself sits behind a NAT, forward UDP 500 and 4500 to it; native ESP cannot be port-forwarded and those clients will rely on NAT-T.
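As an added worked example (not from the original page or from WatchGuard), the Python below classifies a handful of constructed datagrams into the categories in the port breakdown above and reports which firewall permit each one depends on, then shows what a policy that forgot UDP 4500 would drop. It assumes the header layouts of RFC 7296 (IKEv2) and RFC 3948 (UDP encapsulation of IKE and ESP on port 4500); the SPIs and packet bytes are made up, and the helper names (classify, required_permits, dropped_by) are the example's own.

```python
import struct

# IP protocol numbers and UDP ports the page lists.
UDP_PROTO = 17
ESP_PROTO = 50
IKE_PORT = 500
NAT_T_PORT = 4500

# IKEv2 fixed header (RFC 7296 section 3.1), 28 bytes, network byte order:
# Initiator SPI (8) | Responder SPI (8) | Next Payload (1) | Version (1) |
# Exchange Type (1) | Flags (1) | Message ID (4) | Length (4)
IKE_HEADER = struct.Struct("!8s8sBBBBII")
IKEV2_VERSION = 0x20          # major 2, minor 0; IKEv1 would be 0x10
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

# RFC 3948: on UDP 4500, IKE is prefixed with four zero bytes (the "non-ESP
# marker"); UDP-encapsulated ESP starts with its SPI, which must be non-zero;
# a lone 0xFF byte is the NAT keepalive that holds the NAT mapping open.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def parse_ike_header(data):
    """Decode an IKEv2 header; return None if the bytes are not IKEv2."""
    if len(data) < IKE_HEADER.size:
        return None
    ispi, rspi, nxt, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(data)
    if version != IKEV2_VERSION or exch not in EXCHANGE_TYPES or length < IKE_HEADER.size:
        return None
    return {"exchange": EXCHANGE_TYPES[exch],
            "initiator": bool(flags & FLAG_INITIATOR),
            "response": bool(flags & FLAG_RESPONSE),
            "msg_id": msg_id, "ispi": ispi.hex(), "rspi": rspi.hex()}


def classify(ip_proto, dst_port, payload):
    """Label one datagram and name the firewall permit it depends on.

    ip_proto: IP header protocol number; dst_port: UDP destination port
    (None when ip_proto is not UDP); payload: the UDP payload, or the ESP
    packet itself for protocol 50.
    """
    if ip_proto == ESP_PROTO:
        spi, seq = struct.unpack_from("!II", payload)   # ESP header: SPI, sequence number
        return {"kind": "ESP", "spi": spi, "seq": seq, "rule": "ip proto 50"}
    if ip_proto != UDP_PROTO:
        return {"kind": "not-ipsec", "rule": None}
    if dst_port == IKE_PORT:
        hdr = parse_ike_header(payload)             # no marker on port 500
        if hdr:
            return {"kind": "IKE", "rule": "udp/500", **hdr}
    elif dst_port == NAT_T_PORT:
        if payload == NAT_KEEPALIVE:
            return {"kind": "NAT-keepalive", "rule": "udp/4500"}
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_ike_header(payload[len(NON_ESP_MARKER):])
            if hdr:
                return {"kind": "IKE-NAT-T", "rule": "udp/4500", **hdr}
        elif len(payload) >= 8:                      # first four bytes are a non-zero SPI
            spi, seq = struct.unpack_from("!II", payload)
            return {"kind": "ESP-NAT-T", "spi": spi, "seq": seq, "rule": "udp/4500"}
    return {"kind": "not-ipsec", "rule": None}


def build_ike_header(exchange_type, msg_id=0, next_payload=33, initiator=True,
                     response=False, body_len=0):
    """Build a constructed IKEv2 header (the SPIs are made up) for the samples."""
    flags = (FLAG_INITIATOR if initiator else 0) | (FLAG_RESPONSE if response else 0)
    return IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, next_payload, IKEV2_VERSION,
                           exchange_type, flags, msg_id, IKE_HEADER.size + body_len)


# Constructed sample traffic (not captured from any device):
# (IP protocol, UDP destination port or None, payload bytes).
SAMPLE_DATAGRAMS = [
    (UDP_PROTO, IKE_PORT, build_ike_header(34)),                                  # IKE_SA_INIT request
    (UDP_PROTO, NAT_T_PORT, NON_ESP_MARKER + build_ike_header(35, msg_id=1, next_payload=46)),  # IKE_AUTH (SK payload) after NAT detected
    (UDP_PROTO, NAT_T_PORT, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),   # ESP inside UDP 4500
    (UDP_PROTO, NAT_T_PORT, NAT_KEEPALIVE),
    (ESP_PROTO, None, struct.pack("!II", 0xC0FFEE02, 7) + b"\x00" * 16),         # native ESP, no NAT
    (UDP_PROTO, 53, bytes.fromhex("1234010000010000000000000000")),              # DNS query header, not IPsec
]


def required_permits(datagrams):
    """Return the set of firewall permits the given traffic would need."""
    return {r["rule"] for r in (classify(*d) for d in datagrams) if r["rule"]}


def dropped_by(allowed, datagrams):
    """Kinds of IPsec traffic a policy that permits only `allowed` would drop."""
    return sorted({r["kind"] for r in (classify(*d) for d in datagrams)
                   if r["rule"] and r["rule"] not in allowed})


if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        print(classify(*d))
    print("permits needed:", sorted(required_permits(SAMPLE_DATAGRAMS)))
    # A policy that forgot UDP 4500 breaks every client behind a NAT.
    print("dropped without udp/4500:", dropped_by({"udp/500", "ip proto 50"}, SAMPLE_DATAGRAMS))
```

The point of the non-ESP marker check is that a firewall or IDS looking only at "UDP 4500" cannot tell key exchange from bulk data; the first four bytes of the payload can. The dropped_by call at the end reproduces the common misconfiguration from the paragraph above: with only UDP 500 and protocol 50 permitted, every NAT-T packet (IKE_AUTH, UDP-encapsulated ESP and the keepalives) is lost, so directly connected peers work while home users do not.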

It is important to note that IKEv2 is the key-exchange protocol for IPSec rather than a separate transport: every IKEv2 tunnel carries its data in ESP, so there is no way to use IKEv2 without IPSec and the ports and protocol above. The WatchGuard reference states this directly: "You cannot disable IPSec."
