Port reference

Port 4500 (UDP) – IPsec NAT-T (IKE NAT traversal)

UDP encapsulation port for IPsec NAT-Traversal, carrying IKE and ESP traffic across NAT devices.

UDP · Registered · Commonly attacked

Default state

Open on VPN gateways and remote-access concentrators that support clients behind NAT. Typically paired with IKE on UDP 500; the security depends on IKE/IPsec configuration.

Common attacks

  • IKE/VPN fingerprinting and vendor identification
  • Aggressive-mode PSK capture and offline cracking
  • Brute-force or password-spraying of remote-access VPN credentials
  • Exploitation of vulnerable VPN gateway firmware reachable via NAT-T

Hardening

  • Disable IKEv1 aggressive mode; prefer IKEv2 with strong, modern crypto
  • Use certificate or EAP authentication instead of weak group PSKs
  • Restrict UDP 500/4500 to expected client networks where feasible
  • Enforce MFA on remote-access VPN and rate-limit authentication
  • Keep VPN gateway firmware patched against known CVEs

nmap snippet

nmap -sU -p4500 --script ike-version <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 4500?

Port 4500 carries IPsec NAT-Traversal (NAT-T). Plain IPsec ESP has no port numbers, so NAT routers can't track it. NAT-T detects a NAT on the path and encapsulates IKE and ESP inside UDP on port 4500, letting the VPN tunnel work behind NAT. It works alongside IKE on UDP 500 and is common on remote-access gateways and L2TP/IPsec setups (with L2TP on 1701).
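The encapsulation described above is what makes a UDP/4500 datagram decodable by a monitor. The following demultiplexer is an added example, not code from this page or any VPN project: it applies the RFC 3948 rules (a one-byte 0xFF NAT-keepalive, an IKE message preceded by a four-zero-byte Non-ESP Marker, otherwise UDP-encapsulated ESP whose first four bytes are a non-zero SPI), decodes the 28-byte IKE header, and flags IKEv1 aggressive-mode exchanges (exchange type 4) so a defender can spot the risk named in the hardening list. The sample datagrams are constructed inline; field names are my own.

```python
"""Classify UDP/4500 (IPsec NAT-T) payloads and flag IKEv1 aggressive mode."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix for IKE on port 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte keepalive
IKE_HDR = "!QQBBBBII"                  # 28-byte ISAKMP/IKEv2 header
# Exchange types relevant for detection (IKEv1: 2/4/32, IKEv2: 34/35/37)
EXCHANGE_NAMES = {2: "ikev1-main", 4: "ikev1-aggressive", 32: "ikev1-quick",
                  34: "ikev2-sa-init", 35: "ikev2-auth", 37: "ikev2-informational"}


def classify_nat_t(payload: bytes) -> dict:
    """Describe one UDP/4500 payload (UDP payload bytes only, no UDP header)."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) < struct.calcsize(IKE_HDR):
            return {"kind": "ike", "error": "truncated header"}
        ispi, rspi, _next, ver, exch, _flags, _msgid, length = struct.unpack(IKE_HDR, ike[:28])
        major = ver >> 4                     # high nibble: 1 = IKEv1, 2 = IKEv2
        return {"kind": "ike", "version": major,
                "exchange": EXCHANGE_NAMES.get(exch, f"type-{exch}"),
                "initiator_spi": f"{ispi:016x}", "responder_spi": f"{rspi:016x}",
                "length_ok": length == len(ike),
                # Aggressive mode sends identity and PSK-derived hash before encryption
                "alert": major == 1 and exch == 4}
    if len(payload) < 8:
        return {"kind": "unknown"}
    spi, seq = struct.unpack("!II", payload[:8])  # ESP: SPI (never 0) then sequence number
    if spi == 0:
        return {"kind": "unknown"}
    return {"kind": "esp", "spi": f"{spi:08x}", "seq": seq}


def build_ike(exch: int, major: int, ispi: int = 0x1122334455667788, rspi: int = 0) -> bytes:
    """Construct a minimal header-only IKE message behind the Non-ESP Marker (test data)."""
    return NON_ESP_MARKER + struct.pack(IKE_HDR, ispi, rspi, 0, major << 4, exch, 0, 0, 28)


# Constructed sample datagrams, one of each kind seen on port 4500
SAMPLES = {
    "keepalive": NAT_KEEPALIVE,
    "aggressive": build_ike(4, 1),
    "ikev2_init": build_ike(34, 2),
    "esp": struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_nat_t(pkt))
```

Feeding real UDP/4500 payloads from a capture through classify_nat_t and alerting on "alert": True is a cheap way to confirm whether aggressive mode is still negotiated after it was supposedly disabled.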

Why it matters for security

Port 4500 is the doorway to a remote-access VPN, which often grants broad access to the internal network. The port itself is benign, but the IKE/IPsec configuration behind it is a prime target. Aggressive-mode IKEv1 with a shared PSK can leak a crackable hash, and weak or reused VPN credentials let attackers walk straight into the corporate network.

How it's attacked

Attackers fingerprint the gateway with tools like ike-version or ike-scan to identify the vendor and supported modes. Against aggressive mode they capture the PSK hash and crack it offline. They also spray or brute-force remote-access credentials and exploit known firmware CVEs in popular VPN appliances reachable over NAT-T.

Hardening checklist

Disable IKEv1 aggressive mode and prefer IKEv2 with strong, modern crypto. Use certificate or EAP authentication instead of weak group PSKs, and enforce MFA on remote access. Restrict UDP 500/4500 to expected client networks where possible, rate-limit authentication, and keep gateway firmware patched against known CVEs. Use the nmap snippet above to check exposure on systems you are authorized to assess.

Frequently asked questions

Why does IPsec need port 4500 in addition to 500?
Standard IPsec ESP isn't a UDP/TCP protocol, so NAT devices can't track it. NAT-Traversal detects NAT and wraps IKE and ESP inside UDP on port 4500 so the tunnel survives address translation.
Is port 4500 a vulnerability by itself?
No. It's a legitimate VPN transport. Risk comes from weak configurations — IKEv1 aggressive mode with a guessable PSK, missing MFA, or unpatched gateway firmware — not from the port being open.