Port reference
Port 500 (UDP) – IKE/ISAKMP
Internet Key Exchange — negotiates security associations and keys for IPsec VPN tunnels.
Default state
Open on VPN gateways, firewalls, and routers terminating IPsec tunnels. Frequently exposed to the internet by design.
Common attacks
- Aggressive-mode PSK hash capture and offline cracking
- VPN gateway fingerprinting and enumeration (ike-scan)
- IKE DoS / resource exhaustion
Hardening
- Disable IKE aggressive mode; use main mode or IKEv2
- Prefer certificate auth over pre-shared keys, or use long random PSKs
- Restrict which peer IPs may initiate IKE where possible
- Patch VPN firmware promptly and enable DPD/rate limiting
nmap snippet
nmap -sU -p500 --script ike-version <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 500?
Port 500 carries IKE (Internet Key Exchange), the control protocol that sets up IPsec VPN tunnels; IKEv1 runs inside the ISAKMP framing and IKEv2 keeps the same header layout. It negotiates the cipher suite, authenticates the peers, and derives the keys for the security association before any encrypted ESP traffic flows. When NAT is detected in the path, the exchange (and the UDP-encapsulated ESP that follows) moves to UDP 4500 for NAT traversal, so port 500 often sees only the first packet or two of a tunnel. Port 500 is found on VPN concentrators, firewalls, and routers.
Why it matters for security
Because IKE endpoints are usually internet-facing by design, port 500 is a standing target. The protocol leaks gateway details that help attackers fingerprint the vendor and often the software version: Vendor ID payloads and retransmission-backoff timing. The biggest classic weakness is IKEv1 aggressive mode with pre-shared keys: the responder's second message carries its identity in cleartext and a hash derived from the PSK (HASH_R), sent before the initiator has proven anything, so anyone who can send a single IKE packet can capture it and crack it offline, recovering the VPN secret. IKE daemons have also suffered DoS and memory-handling bugs over the years.
How it's attacked
Attackers use tools like ike-scan to enumerate gateways, identify the vendor via Vendor ID and backoff fingerprints, and send an aggressive-mode proposal (ike-scan -A) to see whether the gateway accepts it. Some gateways require a valid group or peer ID (ike-scan --id) before they answer; others respond to any. If the gateway answers, they save the returned hash and nonces (ike-scan -A --pskcrack) and run an offline dictionary attack with psk-crack or hashcat. Floods of malformed or half-open IKE handshakes are used for DoS, and unpatched VPN appliances are probed for known firmware CVEs.
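As an added illustration (not code from the original page, ike-scan, or any vendor), the following Python parses the ISAKMP header and payload chain that ike-scan and nmap's ike-version script work from, and flags the exact condition the attack above relies on: an IKEv1 responder answering an aggressive-mode proposal with a HASH payload and a cleartext ID. The datagrams are constructed inline with filler bodies rather than real captures; the identity vpn.example.test and all helper names are assumptions for the example. Fed packets pulled from a pcap of your own ike-scan -A test, the same check confirms whether the hardening checklist actually took effect on a gateway.

```python
"""Minimal ISAKMP/IKE parser plus an aggressive-mode-with-PSK detector (example code, not ike-scan)."""
import struct

# ISAKMP fixed header (RFC 2408 s3.1; IKEv2 keeps the same layout, RFC 7296 s3.1):
# initiator SPI (8) | responder SPI (8) | next payload (1) | version (1, major<<4|minor)
# | exchange type (1) | flags (1) | message ID (4) | total length (4)
HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header: next payload (1) | reserved (1) | payload length (2)
GENERIC = struct.Struct("!BBH")

EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick",
                  34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# IKEv1 payload types (1-13) and the IKEv2 range (33+), which shares the generic header.
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID",
                 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 39: "AUTH", 40: "NONCE", 41: "N", 43: "VID"}


def parse_isakmp(pkt):
    """Return header fields and the payload chain of one ISAKMP datagram; reject bad lengths."""
    if len(pkt) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, nxt, ver, xchg, flags, msgid, length = HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError(f"header length {length} != datagram length {len(pkt)}")
    payloads, off = [], HDR.size
    while nxt != 0:  # next-payload 0 marks the end of the chain
        if off + GENERIC.size > len(pkt):
            raise ValueError("truncated payload header")
        pnxt, _, plen = GENERIC.unpack_from(pkt, off)
        if plen < GENERIC.size or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append((PAYLOAD_TYPES.get(nxt, f"type{nxt}"), pkt[off + GENERIC.size:off + plen]))
        off, nxt = off + plen, pnxt
    return {"version": (ver >> 4, ver & 0xF), "exchange_type": xchg,
            "exchange": EXCHANGE_TYPES.get(xchg, f"type{xchg}"),
            "responder_spi_set": rspi != bytes(8), "payloads": payloads}


def aggressive_psk_hash_exposed(pkt):
    """True when an IKEv1 responder answered in aggressive mode with a HASH payload.
    That HASH_R is derived from the PSK, so this one message is all an attacker needs for an
    offline dictionary attack; a gateway with aggressive mode disabled never sends it."""
    p = parse_isakmp(pkt)
    names = [n for n, _ in p["payloads"]]
    return p["version"][0] == 1 and p["exchange_type"] == 4 and p["responder_spi_set"] and "HASH" in names


def ikev1_cleartext_id(pkt):
    """(id_type, id_data) from the IKEv1 ID payload, which aggressive mode sends unencrypted.
    ID body: id type (1) | protocol (1) | port (2) | identification data."""
    for name, body in parse_isakmp(pkt)["payloads"]:
        if name == "ID" and len(body) >= 4:
            return body[0], body[4:]
    return None


def build_isakmp(ispi, rspi, xchg, payloads, version=0x10, flags=0, msgid=0):
    """Serialize header + chain; payloads is a list of (payload type number, body bytes)."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += GENERIC.pack(nxt, 0, GENERIC.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    return HDR.pack(ispi, rspi, first, version, xchg, flags, msgid, HDR.size + len(chain)) + chain


# Constructed sample datagrams (not real captures): SA/KE/NONCE/HASH bodies are zero filler of a
# plausible size; only the header fields, payload chain and ID payload matter to the checks above.
ISPI, RSPI = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
FQDN_ID = bytes([2, 17, 0, 0]) + b"vpn.example.test"   # id type 2 = FQDN, proto 17 (UDP), port 0
# Aggressive-mode message 2 as a vulnerable responder sends it: SA, KE, Nr, IDr, HASH_R, Vendor ID.
AGGRESSIVE_RESPONSE = build_isakmp(ISPI, RSPI, 4, [
    (1, bytes(28)), (4, bytes(128)), (10, bytes(16)), (5, FQDN_ID), (8, bytes(20)),
    (13, b"constructed-vid"),   # placeholder Vendor ID, not any real vendor's value
])
# Main-mode message 2 from a hardened responder: only the accepted SA proposal, no ID, no hash.
MAIN_MODE_RESPONSE = build_isakmp(ISPI, RSPI, 2, [(1, bytes(28))])
# Rejection of an aggressive proposal: Informational exchange carrying a Notify payload.
NOTIFY_REJECT = build_isakmp(ISPI, bytes(8), 5, [(11, bytes(12))])

if __name__ == "__main__":
    for label, pkt in (("aggressive", AGGRESSIVE_RESPONSE), ("main", MAIN_MODE_RESPONSE),
                       ("notify", NOTIFY_REJECT)):
        p = parse_isakmp(pkt)
        print(f"{label}: {p['exchange']} payloads={[n for n, _ in p['payloads']]} "
              f"psk_hash_exposed={aggressive_psk_hash_exposed(pkt)} id={ikev1_cleartext_id(pkt)}")
```

The detector keys on the combination that matters (IKEv1, exchange type 4, responder SPI filled in, HASH present) rather than on exchange type alone, because a rejecting gateway answers with an Informational Notify instead, and the parser refuses datagrams whose header or payload lengths do not add up, which is the same class of malformed input that has triggered memory-handling bugs in real IKE daemons.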
Hardening checklist
Disable aggressive mode and require main mode or, preferably, IKEv2. Use certificate-based authentication instead of PSKs; if PSKs are unavoidable, make them long and random, since an offline attack on a captured hash is limited only by the key's entropy. Restrict accepted peer IPs where the topology allows, and apply the same filters to UDP 4500, because NAT-T moves the exchange there. Enable dead-peer detection and rate limiting to blunt DoS, and patch VPN firmware promptly. Use the nmap snippet above to fingerprint IKE on gateways you are authorized to test, and re-run an aggressive-mode probe after the change to confirm the gateway no longer answers one.
Related ports
Frequently asked questions
- What is port 500 used for?
- Port 500 carries IKE/ISAKMP, the protocol that negotiates keys and security associations for IPsec VPNs. NAT traversal then often moves traffic to UDP 4500.
- Why is IKE aggressive mode risky?
- In aggressive mode the responder sends a hash derived from the pre-shared key, together with its identity in cleartext, before the other side has authenticated, so anyone who can reach port 500 can capture it and run an offline dictionary attack against the PSK. Disable it in favor of main mode or IKEv2.