Greetings, I have an RB4011 computer with an IPsec VPN responding. I would like to change the default port that the service uses to another port such as 55555 and not use 500 or 4500, since the internet provider has port 500 blocked with its firewall.
I never used any other than the default ports, but perhaps this is the setting:
Greetings, thanks for answering. I have certainly carried out several tests of what you indicate, although I do not see results; I only see that it uses port 4500 when changing it where you indicated. I ask you: where you indicated the change, do you do it on the server or on the client, to get an idea and retest?
From the wiki text, the port option is only half of the solution:
Sub-menu: /ip ipsec peer
port (integer:0..65535; Default: 500) Communication port used (when router is initiator) to connect to remote peer in cases if remote peer uses non-default port.
Seems to me RouterOS lacks the other half of the solution, being the responder and listening on a non-default port. Hackishly, this can be accomplished using a dNAT rule:
IP > Firewall > NAT
I haven’t tested the rules below. Packet sniffer, torch and the packet flow diagram (https://wiki.mikrotik.com/wiki/Manual:Packet_Flow) will help with troubleshooting.
You’d need 4 rules on both endpoints
chain=dstnat src-address= dst-address= protocol=udp dst-port=500 action=dst-nat to-ports=55555
chain=dstnat src-address= dst-address= protocol=udp dst-port=4500 action=dst-nat to-ports=55554
You can’t use the same to-port for 500 and 4500, so to-port would be 55555 and 55554 respectively.
The above rules change the destination port.
When the remote endpoint receives the packets, they have to be translated again, but in reverse:
chain=dstnat src-address= dst-address= protocol=udp dst-port=55555 action=dst-nat to-ports=500
chain=dstnat src-address= dst-address= protocol=udp dst-port=55554 action=dst-nat to-ports=4500
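The same two-way port remap written out for one endpoint, as an added example that is not from the thread (typed into a RouterOS terminal; 203.0.113.1 is this router, 198.51.100.1 the remote peer, and the peer name "peer-to-hq" is a placeholder I chose). It assumes the packet-flow diagram's behaviour that locally generated packets also traverse the dstnat chain; the remote endpoint gets the same rules with the two addresses swapped.

```routeros
# Half one, from the wiki quote above: when THIS router initiates, send IKE
# straight to the remote peer's non-default port.
/ip ipsec peer set [find name=peer-to-hq] address=198.51.100.1/32 port=55555

# Half two: rules so this router can also be the responder on 55555/55554.
# The chain must be the built-in "dstnat"; "dst-nat" is only the action name.
# Match on the peer address so ordinary traffic is not rewritten, and keep
# these above any generic dst-nat rules (first match wins).
/ip firewall nat
# Incoming: alternate ports back to what the IKE daemon listens on.
add chain=dstnat protocol=udp src-address=198.51.100.1 dst-port=55555 \
    action=dst-nat to-ports=500  comment="IKE alt port -> 500"
add chain=dstnat protocol=udp src-address=198.51.100.1 dst-port=55554 \
    action=dst-nat to-ports=4500 comment="NAT-T alt port -> 4500"
# Outgoing: anything this router itself sends to the peer on 500/4500
# (rekeys, DPD, keepalives) goes out on the alternate ports instead.
add chain=dstnat protocol=udp dst-address=198.51.100.1 dst-port=500 \
    action=dst-nat to-ports=55555 comment="outgoing IKE -> alt port"
add chain=dstnat protocol=udp dst-address=198.51.100.1 dst-port=4500 \
    action=dst-nat to-ports=55554 comment="outgoing NAT-T -> alt port"

# Check which ports actually carry the exchange and whether the SA comes up.
/tool sniffer quick port=55555,55554,500,4500
/ip ipsec active-peers print
```

Replies to an existing connection-tracking entry are un-NATed automatically, so the outgoing pair only matters for exchanges this router starts itself; the sniffer will show whether 500/4500 ever leave the router unremapped.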