Tunnel using UDP port 4500


We've got a new requirement, which is to tunnel traffic on UDP port 4500 coming from an Aruba Wi-Fi controller MD on a remote site to an Aruba controller MM at HQ.

Setup thus looks like:

MM - CP VSX VPN - internet - CP VPN GW - MD


VSX VPN = 80.30

GW = 77.20

The VPN community is set up such that UDP port 4500 (defined as IKE_NAT_TRAVERSAL) is actually excluded.

Basically this means that UDP port 4500 traffic going from MD to MM will be dropped, since private addresses are used.

Aruba is unable to change the port.

We've already tested a setup where we assigned a public IP to MM and connected this way successfully. But I was wondering if there is another way to avoid this, and not expose the MM to the public internet? Someone hinted that if we define a new service udp_4500 and create rulebases specific to that service, it could work. Has anyone faced a similar issue and found a solution?


As port 4500 is used for NAT Traversal traffic, you can do two things. When you have NAT addresses available, you can use NAT for both ends, or just one end and only have one end set up the VPN; for that one, use hide NAT behind the gateway.

The other option is to set up MSS clamping on your VPN, a good idea anyway, and reduce the MSS to 1396 so there will not be too much fragmentation. I do not know what type of traffic will be running across this tunnel, but if it is only sync traffic between the Aruba units then it should be no problem.


Regards, Maarten
