What do the port numbers in an IPSEC-ESP session represent?

The port numbers in an IPSec-ESP session represent the SPI values that are negotiated during IKE phase 2 tunnel establishment. For pass-through IPSec traffic where the firewall is not terminating the tunnel, a generic value of 20033 is used for both source and destination ports since the actual SPI values are encrypted and not visible.


What do the port numbers in an IPSEC-ESP session represent?


93373
Created On 09/25/18 19:24 PM - Last Modified 11/19/19 05:15 AM
IPSEC
VPNS
8.1
7.1
PAN-OS

Environment

Exception : PA-7000, PA-5200 and PA-3200 series

Resolution

After a successful IPSec tunnel establishment, a session with application 'IPSEC-UDP' and protocol 50 (ESP) displays source and destination port numbers. Since a protocol that is neither TCP nor UDP has no ports, the port numbers shown are actually the decimal equivalents of the SPIs negotiated during IPSec tunnel establishment.

Port numbers for IPSec session creation are derived from the SPI values that the remote IPSec peers exchange during IKE phase 2 of tunnel establishment. This method can be applied only when one of the IPSec peers is the firewall itself, that is, only when the IPSec tunnel is terminated on the firewall.

For pass-through IPSec traffic, where the Palo Alto Networks firewall is just an intermediate device between two IPSec peers, it is practically impossible to create a session based on the negotiated SPI values, since IKE phase 2 is encrypted and its content is not visible to the firewall.

Since the SPI values cannot be seen in advance, for IPSec pass-through traffic the Palo Alto Networks firewall creates the session using the generic value 20033 for both the source and the destination port.

In the example below, the source and destination ports of both the c2s and s2c flows are given the same value, 20033:

admin@vm-300> show session id 791

Session 791

c2s flow:
source: 192.168.0.11 [trust]
dst: 129.187.7.11
proto: 50
sport: 20033 dport: 20033
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown

s2c flow:
source: 129.187.7.11 [untrust]
dst: 192.168.0.11
proto: 50
sport: 20033 dport: 20033
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown

start time : Thu June 10 11:58:59 2015
timeout : 3600 sec
time to live : 3142 sec
total byte count(c2s) : 1080
total byte count(s2c) : 1014
layer7 packet count(c2s) : 8
layer7 packet count(s2c) : 5
vsys : vsys1
application : ipsec-esp
rule : any-any
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
layer7 processing : completed
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage l7proc : ctd app has no decoder
end-reason : unknown
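The following Python script is an added example, not part of the original article or of any Palo Alto Networks tool. It shows the two facts the article relies on: the SPI is the first 32-bit field of an ESP packet (RFC 4303), so its decimal value is what a firewall terminating the tunnel can put in the port columns, and a pass-through ESP session is recognisable because both ports carry the placeholder 20033. The session text and the ESP packet bytes are constructed for the example; the article does not describe how a 32-bit SPI is fitted into a 16-bit port column, so the script only extracts the SPI and classifies the session rather than reproducing that mapping.

```python
import re
import struct

# Values taken from the article: protocol 50 is ESP, and 20033 is the
# generic port PAN-OS uses for both ports of a pass-through ESP session.
ESP_PROTOCOL = 50
PASSTHROUGH_PORT = 20033

# Constructed copy of the pass-through session shown in the article.
SAMPLE_PASSTHROUGH = """\
c2s flow:
source: 192.168.0.11 [trust]
dst: 129.187.7.11
proto: 50
sport: 20033 dport: 20033
s2c flow:
source: 129.187.7.11 [untrust]
dst: 192.168.0.11
proto: 50
sport: 20033 dport: 20033
"""

# Constructed session for a tunnel terminated on the firewall (hypothetical
# SPI-derived port values; not output from a real device).
SAMPLE_TERMINATED = """\
c2s flow:
proto: 50
sport: 43981 dport: 12345
s2c flow:
proto: 50
sport: 12345 dport: 43981
"""


def esp_spi(packet: bytes) -> int:
    """Return the SPI of an ESP packet as a decimal integer.

    RFC 4303: the ESP header begins with a 4-byte SPI and a 4-byte sequence
    number, both in network byte order; everything after is encrypted payload,
    which is why an intermediate firewall sees nothing negotiated in IKE.
    """
    if len(packet) < 8:
        raise ValueError("packet too short to hold an ESP header")
    spi, _sequence = struct.unpack("!II", packet[:8])
    return spi


def parse_flows(session_text: str) -> dict:
    """Parse the c2s/s2c flow blocks of 'show session id' style output.

    Returns {"c2s": {"proto": .., "sport": .., "dport": ..}, "s2c": {...}}.
    """
    flows = {}
    current = None
    for raw in session_text.splitlines():
        line = raw.strip()
        m = re.match(r"(c2s|s2c) flow:", line)
        if m:
            current = m.group(1)
            flows[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r"proto:\s*(\d+)", line)
        if m:
            flows[current]["proto"] = int(m.group(1))
        m = re.match(r"sport:\s*(\d+)\s+dport:\s*(\d+)", line)
        if m:
            flows[current]["sport"] = int(m.group(1))
            flows[current]["dport"] = int(m.group(2))
    return flows


def classify_esp_session(flows: dict) -> str:
    """Classify parsed flows as 'passthrough', 'terminated' or 'not-esp'.

    Pass-through: every ESP flow carries 20033 as both sport and dport.
    Terminated: ESP flows whose ports are something else (SPI-derived).
    """
    esp_flows = [f for f in flows.values() if f.get("proto") == ESP_PROTOCOL]
    if not esp_flows:
        return "not-esp"
    ports = {f["sport"] for f in esp_flows} | {f["dport"] for f in esp_flows}
    if ports == {PASSTHROUGH_PORT}:
        return "passthrough"
    return "terminated"


if __name__ == "__main__":
    # Constructed ESP packet: SPI 0x0000ABCD (43981), sequence number 1,
    # followed by opaque bytes standing in for the encrypted payload.
    packet = bytes.fromhex("0000abcd00000001") + b"\x00" * 16
    print("SPI in decimal:", esp_spi(packet))
    print("article session:", classify_esp_session(parse_flows(SAMPLE_PASSTHROUGH)))
    print("terminated sample:", classify_esp_session(parse_flows(SAMPLE_TERMINATED)))
```

Run against a saved `show session id` transcript, the classifier gives an analyst a quick way to tell which ESP sessions the firewall merely forwards (ports 20033/20033, no visibility into the SA) from those it terminates itself, where the port columns actually carry SPI-derived values that can be matched to the tunnel's SAs.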

owner: anatrajan
