Because IPsec is an integral part of the IKEv2 specification, client-server IKE traffic goes through UDP port 500, UDP port 4500, or both. Both of those ports carry the IPsec control path that sets up the protection applied to the data transmitted afterwards, ensuring that data is handled without errors.
UDP (User Datagram Protocol) is a TCP/IP transport protocol that prioritizes speed over reliability, since it does not check for delivery errors or retransmit lost datagrams.
Because of that, it is often used for bandwidth-intensive activities such as streaming video and audio, voice over IP (VoIP), and videoconferencing. When more sensitive data is transferred, TCP, which does check for errors, is used instead.
In the world of virtual private networks, UDP ports are used during the early "negotiation" stages, before the secure VPN tunnel is set up. More precisely, UDP port 500 is used for the IKE Phase 1 and Phase 2 negotiations. If NAT-T (NAT traversal) is used, UDP port 4500 is required to establish a secure and reliable VPN connection.
IPsec and IKE involve a range of underlying technologies. Establishing an IPsec/IKE tunnel involves two negotiation phases and five stages in total. Let's take a closer look at what happens during each of those stages.
1. The first stage is configuring the IPsec security policy; the IKE process starts as soon as the IPsec peers act on that policy. Each IPsec peer needs to be configured to identify the type of traffic that should be encrypted. Once that happens, the next step begins.
2. The next step is the first stage of IKE negotiation, which is when UDP port 500 or 4500 comes into play. In this stage IKE authenticates the IPsec peers and sets up a secure channel for the further IKE exchanges.
3. Then the second stage of IKE negotiation takes place, which sets up the IPsec tunnel. Over the secure channel established in the previous step, the peers agree on the IPsec security algorithms and establish the tunnel that will use them.
4. From this moment on, the newly created IPsec tunnel is used to transmit data: individual packets are encrypted and decrypted on demand, based on the previously configured security policy.
5. Once the IPsec tunnel is no longer needed, it is terminated, either by explicit deletion or by timing out. When the tunnel is terminated, its keys are discarded as well, so each new IKE negotiation produces fresh encryption keys while keeping the flow of information uninterrupted.
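As an added illustration that is not part of the original article, the Python classifier below shows how a defender inspecting traffic on UDP 500 and 4500 can tell these stages apart: it parses the fixed IKEv2 header (RFC 7296) to map exchange types onto the stages above, and on port 4500 uses the RFC 3948 non-ESP marker to separate IKE messages from UDP-encapsulated ESP and NAT keepalives. The sample datagrams are constructed, header-only messages; `build_ike`, `stage_of` and the stage labels are this example's own naming.

```python
import struct

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKE_HEADER_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: four zero octets precede IKE on UDP 4500

def parse_ike_header(data):
    """Parse the fixed 28-byte IKEv2 header; return None if this is not a plausible IKEv2 message."""
    if len(data) < IKE_HEADER_LEN:
        return None
    spi_i, spi_r, _next, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", data[:IKE_HEADER_LEN])
    # Major version must be 2, the exchange type must be known and the length field must match.
    if version >> 4 != 2 or exch not in EXCHANGE_TYPES or length != len(data):
        return None
    return {"exchange": EXCHANGE_TYPES[exch], "initiator": bool(flags & 0x08),
            "response": bool(flags & 0x20), "message_id": msg_id, "spi_i": spi_i, "spi_r": spi_r}

def stage_of(hdr):
    """Map an IKEv2 exchange to the negotiation stage described in the article (labels are ours)."""
    if hdr["exchange"] in ("IKE_SA_INIT", "IKE_AUTH"):
        return "stage 2: IKE SA setup (%s)" % hdr["exchange"]
    if hdr["exchange"] == "CREATE_CHILD_SA":
        return "stage 3: IPsec SA setup (CREATE_CHILD_SA)"
    return "stage 5 / housekeeping: INFORMATIONAL (deletes, liveness checks, errors)"

def classify_datagram(dst_port, payload):
    """Label a UDP payload seen on port 500 or 4500 by what it carries."""
    if dst_port == 500:
        hdr = parse_ike_header(payload)
        return stage_of(hdr) if hdr else "unknown on 500"
    if dst_port == 4500:
        if payload == b"\xff":                      # RFC 3948 NAT keepalive: a single 0xFF octet
            return "NAT-T keepalive"
        if payload.startswith(NON_ESP_MARKER):      # IKE carried over 4500 (NAT-T)
            hdr = parse_ike_header(payload[4:])
            return stage_of(hdr) if hdr else "unknown on 4500"
        return "stage 4: UDP-encapsulated ESP (protected data)"  # ESP starts with a non-zero SPI
    return "not an IKE/IPsec port"

def build_ike(exch, flags, msg_id, spi_i, spi_r=0):
    """Build a constructed sample IKEv2 message consisting of the header only (payloads omitted)."""
    return struct.pack("!QQBBBBII", spi_i, spi_r, 0, 0x20, exch, flags, msg_id, IKE_HEADER_LEN)

if __name__ == "__main__":  # constructed samples: SA_INIT on 500, CHILD_SA via NAT-T, keepalive, ESP
    for port, data in [(500, build_ike(34, 0x08, 0, 0x1111)),
                       (4500, NON_ESP_MARKER + build_ike(36, 0x08, 2, 0x1111, 0x2222)),
                       (4500, b"\xff"), (4500, b"\x00\x00\x00\x2a" + b"\x00" * 20)]:
        print(port, classify_datagram(port, data))
```

Running the classifier over captured UDP 500/4500 payloads gives a quick sanity check that a peer really is progressing through the IKE stages rather than only exchanging keepalives.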
We hope you’ve learned something new about UDP ports 500 and 4500 and their role in carrying IKE traffic between a VPN client and server. If you have any questions, let us know in the comments section below. And lastly, thanks for reading!