IPSEC source port 4500

We have an ipsec tunnel between a CCR and a remote site using Strongswan. It’s configured to use NAT-T on port 4500, and everything works fine.
But once every hour we get 5-6 errors in the CCR log, mentioning timeout trying to negotiate phase1 from the standard IKE port 500.
This issue seems obvious, since we have not mentioned port 500 in any config and it should not be used.
How do I make the CCR initiate connections using port 4500?

17:28:12 ipsec,error phase1 negotiation failed due to time up [500]<=>[4500] 60c43a6d80bcaf6a:000000
17:29:22 ipsec,error phase1 negotiation failed due to time up [500]<=>[4500] 436282b6b2bb2b0e:000000
17:30:22 ipsec,error phase1 negotiation failed due to time up [500]<=>[4500] 960b27d6bf626da9:000000


/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=/32 local-address= passive=no port=4500 auth-method=pre-shared-key secret="" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5


/ip ipsec remote-peers print
0 local-address= port=4500 remote-address= port=4500 state=established side=responder established=2m29s

UDP port 500 is used to exchange keys in a secure manner; UDP 4500 is a NAT-T tunnel. Think of it as the data session, where port 500 is the control session.

You shouldn’t use port 4500 for both. You may be able to configure the MikroTik to accept the different port, but I don’t know about StrongSwan.

Thanks. You’re right.
Replacing ‘port=4500’ with ‘port=500’ solved the problem.
With ‘nat-traversal=yes’ the CCR is automatically moving to port 4500 after the initial ISAKMP setup, so that port doesn’t have to be specified.
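The pattern in this thread (phase1 timeouts logged as `[500]<=>[4500]` while the peer is configured with `port=4500` and `nat-traversal=yes`, resolved by setting `port=500` and letting NAT-T float to 4500) can be checked mechanically. The script below is an added example, not code from the thread or from MikroTik: it parses CCR log lines and `/ip ipsec peer print` output in the formats quoted above and reports the mismatch. The sample log and peer text are constructed from the lines in the thread (addresses redacted as in the original), and the reading of an all-zero responder cookie as "no reply received" is the standard ISAKMP meaning of a zero responder SPI.

```python
import re
from collections import Counter

# Constructed sample input: the three CCR log lines quoted in the thread.
SAMPLE_LOG = """\
17:28:12 ipsec,error phase1 negotiation failed due to time up [500]<=>[4500] 60c43a6d80bcaf6a:000000
17:29:22 ipsec,error phase1 negotiation failed due to time up [500]<=>[4500] 436282b6b2bb2b0e:000000
17:30:22 ipsec,error phase1 negotiation failed due to time up [500]<=>[4500] 960b27d6bf626da9:000000
"""

# Constructed sample of `/ip ipsec peer print` output, wrapped as RouterOS prints it.
SAMPLE_PEER = """\
Flags: X - disabled, D - dynamic
0 address=/32 local-address= passive=no port=4500 auth-method=pre-shared-key secret="" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
"""

# Matches one phase1 timeout line: local/remote UDP ports and the ISAKMP cookie pair.
PHASE1_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ipsec,error phase1 negotiation failed due to time up "
    r"\[(?P<local_port>\d+)\]<=>\[(?P<remote_port>\d+)\] "
    r"(?P<icookie>[0-9a-f]+):(?P<rcookie>[0-9a-f]+)$"
)


def parse_phase1_failures(log_text):
    """Return one dict per phase1 timeout line; unrelated log lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = PHASE1_RE.match(line.strip())
        if m:
            failures.append(m.groupdict())
    return failures


def peer_settings(peer_text):
    """Collect key=value pairs from `/ip ipsec peer print` output, across wrapped lines."""
    return dict(re.findall(r"([\w-]+)=(\S*)", peer_text))


def diagnose(log_text, peer_text):
    """Correlate phase1 timeouts with the peer configuration and return findings."""
    failures = parse_phase1_failures(log_text)
    settings = peer_settings(peer_text)
    port_pairs = Counter((f["local_port"], f["remote_port"]) for f in failures)
    findings = []

    # The thread's case: peer pinned to 4500, yet the first IKE exchange still
    # leaves local port 500 and never gets an answer on the 500<->4500 pair.
    if (settings.get("nat-traversal") == "yes" and settings.get("port") == "4500"
            and ("500", "4500") in port_pairs):
        findings.append(
            "peer has port=4500 with nat-traversal=yes but phase1 is attempted from local "
            "port 500: set port=500 and let NAT-T float to 4500 (the fix reported in the thread)"
        )

    # A responder cookie of all zeros means the initiator's first message was never
    # answered, which is consistent with a timeout rather than a proposal mismatch.
    if failures and all(int(f["rcookie"], 16) == 0 for f in failures):
        findings.append(
            "responder cookie is zero on every failure: no reply was received from the peer"
        )

    return {"failures": len(failures), "port_pairs": dict(port_pairs), "findings": findings}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, SAMPLE_PEER)
    print(f"{result['failures']} phase1 timeouts, port pairs: {result['port_pairs']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against a real log export and the peer print by replacing the two sample strings; with the peer corrected to `port=500` the first finding disappears while the cookie observation, if the failures persist, still points at a peer that is not answering at all.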