Roman Bukivsky, 2020-05-18 19:14:56
VPN

How to change outgoing port of IPSec mikrotik?

Good evening. I set up IPsec for personal use on a MikroTik and bring up tunnels from different places, but from one place it is not possible to bring up the tunnel, neither from the router, nor from the tablet, nor from the laptop (apparently the provider is blocking the outgoing connection). The only device that can bring up the tunnel there is a Samsung smartphone. After a little digging and analyzing the connection from another place, I realized that the phone can connect from anywhere because it can change the outgoing port: it uses non-standard, non-fixed ports. The last time I checked this, it was using port 50105 (instead of 4500).

And now the main question: how do I force MikroTik to use a different outgoing port?


1 answer(s)
ValdikSS, 2020-05-18
@ValdikSS

The IPsec standard specifies UDP ports 500 and 4500 when UDP encapsulation is used. In general they cannot be changed; only some software allows this (strongSwan, for example).
The inability to connect may be caused by the provider blocking fragmented IP packets. Not every client supports IKE fragmentation, and long certificates such as RSA 2048 do not fit in one packet, so the client fragments the packet at the IP level. You can try ECDSA certificates or RSA 1024; those fit into one packet with an MTU of 1350+.

> The last time I checked this, it was using port 50105 (instead of 4500).

I highly doubt it. Most likely you missed something.
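To make the fragmentation point in the answer concrete, here is an added example (not code from either participant, and not MikroTik's or strongSwan's) that assembles a stripped-down IKEv2 IKE_AUTH message carrying a CERT and an AUTH payload, wraps it the way it travels on UDP 500 or UDP 4500 (the latter with the 4-byte non-ESP marker), and checks whether the resulting IPv4 datagram exceeds a 1350-byte path MTU. Certificate and signature sizes are constructed stand-ins, not real certificates: 1200 bytes for an RSA-2048 certificate plus a 256-byte signature, 500 bytes for an ECDSA P-256 certificate plus a 64-byte signature. A real IKE_AUTH also carries IDi, SA, TSi and TSr payloads inside an encrypted SK payload, so the real message is only larger than what is measured here.

```python
"""Size check for an IKEv2 IKE_AUTH message with a certificate (illustrative, added example)."""
import struct

IKE_HEADER = struct.Struct("!8s8sBBBBII")   # SPIi, SPIr, next payload, version, exchange, flags, msg ID, length
PAYLOAD_HEADER = struct.Struct("!BBH")      # next payload, critical bit/reserved, payload length
EXCHANGE_IKE_AUTH = 35
PAYLOAD_NONE, PAYLOAD_CERT, PAYLOAD_AUTH = 0, 37, 39
CERT_ENCODING_X509 = 4
AUTH_METHOD_RSA_SIG, AUTH_METHOD_ECDSA_P256 = 1, 9
IKEV2_VERSION = 0x20                         # major 2, minor 0
FLAG_INITIATOR = 0x08
PORT_IKE, PORT_NATT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"        # RFC 3948: distinguishes IKE from ESP on UDP 4500
IPV4_HEADER_LEN, UDP_HEADER_LEN = 20, 8


def build_ike_auth(cert_der: bytes, signature: bytes, auth_method: int, msg_id: int = 1) -> bytes:
    """Assemble a simplified, unencrypted IKE_AUTH: header + CERT payload + AUTH payload."""
    cert_payload = (PAYLOAD_HEADER.pack(PAYLOAD_AUTH, 0, PAYLOAD_HEADER.size + 1 + len(cert_der))
                    + bytes([CERT_ENCODING_X509]) + cert_der)
    auth_payload = (PAYLOAD_HEADER.pack(PAYLOAD_NONE, 0, PAYLOAD_HEADER.size + 4 + len(signature))
                    + bytes([auth_method, 0, 0, 0]) + signature)
    body = cert_payload + auth_payload
    header = IKE_HEADER.pack(b"\x11" * 8, b"\x22" * 8, PAYLOAD_CERT, IKEV2_VERSION,
                             EXCHANGE_IKE_AUTH, FLAG_INITIATOR, msg_id, IKE_HEADER.size + len(body))
    return header + body


def udp_datagram(dst_port: int, ike_message: bytes) -> bytes:
    """UDP payload as sent on the wire; port 4500 prefixes the non-ESP marker."""
    if dst_port == PORT_NATT:
        return NON_ESP_MARKER + ike_message
    if dst_port == PORT_IKE:
        return ike_message
    raise ValueError(f"IKE is not carried on UDP port {dst_port}")


def ike_from_datagram(dst_port: int, datagram: bytes):
    """Recover the IKE message from a UDP payload; None for ESP-in-UDP or a non-IKE port."""
    if dst_port == PORT_IKE:
        return datagram
    if dst_port == PORT_NATT and datagram.startswith(NON_ESP_MARKER):
        return datagram[len(NON_ESP_MARKER):]
    return None


def parse_ike_header(message: bytes) -> dict:
    """Decode the fixed 28-byte IKE header and validate its length field."""
    _spi_i, _spi_r, _next, version, exchange, flags, msg_id, length = IKE_HEADER.unpack_from(message)
    if length != len(message):
        raise ValueError("IKE length field does not match message size")
    return {"version": version >> 4, "exchange": exchange, "msg_id": msg_id,
            "length": length, "initiator": bool(flags & FLAG_INITIATOR)}


def wire_size(datagram: bytes) -> int:
    """Bytes on the wire for one IPv4 datagram without IP options."""
    return IPV4_HEADER_LEN + UDP_HEADER_LEN + len(datagram)


def needs_ip_fragmentation(datagram: bytes, mtu: int = 1350) -> bool:
    """True when the datagram cannot be sent unfragmented at the given path MTU."""
    return wire_size(datagram) > mtu


# Constructed stand-ins (sizes only, no real certificates or signatures).
RSA2048_CERT, RSA2048_SIG = bytes(1200), bytes(256)
P256_CERT, P256_SIG = bytes(500), bytes(64)


def check(cert_der: bytes, signature: bytes, auth_method: int, dst_port: int, mtu: int = 1350) -> dict:
    """Build, encapsulate, parse back and size-check one IKE_AUTH for a given port and MTU."""
    datagram = udp_datagram(dst_port, build_ike_auth(cert_der, signature, auth_method))
    header = parse_ike_header(ike_from_datagram(dst_port, datagram))
    return {"exchange": header["exchange"], "wire_bytes": wire_size(datagram),
            "fragmented": needs_ip_fragmentation(datagram, mtu)}


if __name__ == "__main__":
    print("RSA-2048 on 4500:", check(RSA2048_CERT, RSA2048_SIG, AUTH_METHOD_RSA_SIG, PORT_NATT))
    print("P-256 on 500:   ", check(P256_CERT, P256_SIG, AUTH_METHOD_ECDSA_P256, PORT_IKE))
```

With these sizes the RSA case comes to 1529 bytes on the wire and must be fragmented at the IP layer, while the ECDSA case is 633 bytes and fits in one datagram; a client and gateway that both support IKEv2 fragmentation (RFC 7383) avoid IP-level fragments regardless of certificate size.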
