7.21 IPSec port bug?

jayooo · May 8, 2026, 1:57am

I had a v7.19 router with an IPSec tunnel to a Palo Alto router. It worked fine. Then I copied the config to a replacement router and updated to 7.21. The tunnel would no longer connect.

The logs showed that it was sending packets out on port 4500 and not receiving any response. nat-traversal=no so it should have been using port 500 by default. In the profile, the port was blank (just like it had always been, and it was using 500 by default with 7.19 and previous versions).

After updating to 7.21, I had to manually specify port 500 for it to work … and it works properly after specifying port 500.

WHY is it using port 4500 when leaving the port blank when nat-traversal is disabled??? This was not the behavior before, because 500 is the standard port.

BartoszP · May 8, 2026, 6:18am

So is it "...a bug?" or just a change in the defaults that are inconsistient with settings you used to use?
Have you checked changleogs if something could have influenced the behaviour?

pe1chl · May 8, 2026, 7:22am

Can you show the IPsec configuration you had on the MikroTik before it worked ?

(of course you can replace any IP addresses and keys)

jayooo · May 8, 2026, 2:23pm

I have checked change logs, there is nothing I see that indicates this change.

Regarding your question of a bug vs just a change in defaults: If this really is happening (and not just something I have missed in my config), then this would be considered a bug. It would be no different than if the https fetch tool started using port 2000 instead of the standard port 443 by default, and you had to manually specify port 443.

Port 500 is, by definition, the IPSEC port. Port 4500 is, by definition, the NAT-T port. There would be no reason for those standardized port numbers to ever have their defaults changed. Sure, some configs might need to change them manually for their own purposes, but that would be a per-situation change, not a change in the default behavior of the router.

jayooo · May 8, 2026, 2:40pm

Here is the config that works on 7.19

/ip ipsec peer
add address=remote.ip/32 exchange-mode=ike2 name=REMOTE

/ip ipsec profile
set [ find default=yes ] dh-group=ecp256 dpd-interval=1m \
    dpd-maximum-failures=5 enc-algorithm=aes-256 hash-algorithm=sha512 \
    lifetime=8h nat-traversal=no

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1h pfs-group=\
    none

/ip ipsec identity
add peer=REMOTE secret=12345678

/ip ipsec policy
add dst-address=0.0.0.0/0 peer=REMOTE src-address=10.1.0.0/24 tunnel=yes

Here is the modified config that works on 7.21 (the only change is port=500)

/ip ipsec peer
add address=remote.ip/32 exchange-mode=ike2 name=REMOTE port=500

/ip ipsec profile
set \[ find default=yes \] dh-group=ecp256 dpd-interval=1m 
dpd-maximum-failures=5 enc-algorithm=aes-256 hash-algorithm=sha512 
lifetime=8h nat-traversal=no

/ip ipsec proposal
set \[ find default=yes \] enc-algorithms=aes-256-cbc lifetime=1h pfs-group=
none

/ip ipsec identity
add peer=REMOTE secret=12345678

/ip ipsec policy
add dst-address=0.0.0.0/0 peer=REMOTE src-address=10.1.0.0/24 tunnel=yes

pe1chl · May 8, 2026, 2:57pm

Ok, so IKEv2. Indeed I seem to remember that IKEv2 can also setup connections on 4500 (skipping the use of 500 altogether) but as you write, that should not be the default. With this config, will it eventually establish an ESP tunnel (protocol 50) or will it keep trying to use port 4500?

Maybe it somehow misdetects the NAT situation…

My IKEv2 router is also still running 7.19.6 so I can not immediately rule out that something has changed. I’m not going to update it right now, this week I have spent several hours to make plain Linux systems using *swan to make and sustain tunnel connection, all those forks have different quirks (and so does RouterOS).

jaclaz · May 8, 2026, 3:27pm

Wouldn't:
export /ip ipsec peer verbose
show the defaults (in both 7.19 and 7.21 so that they can be compared)?

jayooo · May 8, 2026, 4:17pm

I waited several hours before changing it, and it never did establish during those several hours, until I changed the port. It was only attempting to use 4500.

jayooo · May 8, 2026, 4:25pm

No, that command does not seem to show the defaults.

Here is the output of that command on a new peer without specifying a port:

[admin@mikrotik] > /ip ipsec peer export verbose
# 2026-05-08 12:20:49 by RouterOS 7.21.4
# software id = xxxx-xxxx
#
# model = RB4011iGS+
# serial number = xxxxxxxxxx
/ip ipsec peer
add disabled=no exchange-mode=ike2 name=TEST passive=yes profile=default \
    send-initial-contact=yes
[admin@mikrotik] >

jaclaz · May 8, 2026, 4:46pm

Yep, but in 7.21.4 there could be "no default" for "port" (and you had to add port =500), you need also the output of same command on 7.19 to see if in that one there was a default of "port=500" (or some other ones).

BartoszP · May 8, 2026, 4:52pm

Do not agree. Can not find any information that the source port for communication HAS TO BE 500/4500 ... communication has to switch to 500 - 500 ports when NAT-T is recognized.
According your argument of https fetch: is there any obligatory rule that says that fetch has to start from port 443 or may use the other one? Do you suggest that all devices behind firewall do https request with SRC443 - DST 443 ports? What are the other ports then?

jayooo · May 8, 2026, 6:15pm

Here is the same verbose command from 7.19

[routeradmin@mikrotik] > /ip ipsec peer export verbose
# 2026-05-08 14:13:44 by RouterOS 7.19.4
# software id = xxxx-xxxx
#
# model = RB750Gr3
# serial number = xxxxxxxx
/ip ipsec peer
add disabled=no exchange-mode=ike2 name=TEST passive=yes profile=default \
    send-initial-contact=yes
[routeradmin@mikrotik] >

jayooo · May 8, 2026, 6:38pm

My example of fetch was destination port. My point is, you can always expect the destination port for regular https traffic to be 443 (if it is not otherwise specified). It would be a bug if Mikrotik were, for example, to start sending fetch traffic to port 2000 of the fetch URL if you leave the port blank. That would not make sense.

Likewise, it does not make sense for Mikrotik to send regular IPSec traffic to the remote IP on dst port 4500 if the port is left blank and if NAT-T / nat-traversal is disabled. Port 4500 is specifically for nat-traversal.

Regarding your point that "Can not find any information that the source port for communication HAS TO BE 500/4500 ... communication has to switch to 500 - 500 ports when NAT-T is recognized." Again, we don't really care about the source port, at least not for this discussion. The destination port, however, which my post is regarding, is supposed to be 500 for regular IPSec and is supposed to 4500 for nat-traversal traffic according to the RFC standards (and this is how Mikrotik seems to have always worked in the past).

According to the standards, port 4500 is reserved for UDP-encapsulated ESP and IKE. Otherwise it should use port 500. Obviously, if both sides agree to change it, that can be done, but that is not the standard and a non-standard method should not be the default.

Now, regardless of whether or not we agree on the above, the following is DIRECTLY from the official Mikrotik Documentation: IPsec - RouterOS - MikroTik Documentation

port (integer:0..65535 ; Default: 500 )

Therefore, with 500 being the official Mikrotik default, that means that having to manually put 500 into the blank field to make it 500 is a bug.

jaclaz · May 8, 2026, 8:40pm

So, It Is a "silent" default, not shown in export verbose?

jayooo · May 8, 2026, 8:56pm

Seems like another bug, at least based on the official Mikrotik description of "verbose":

verbose: With this parameter, the export command will output whole configuration parameters and items including defaults.