Palo Alto Networks Knowledgebase: What do the port numbers in an IPSEC-ESP session represent?
Created On 02/08/19 00:02 AM - Last Updated 02/08/19 00:02 AM
After an IPSec tunnel is established successfully, a session with application 'IPSEC-UDP' and protocol 50 (ESP) displays source and destination port numbers. Because a protocol that is neither TCP nor UDP has no port fields, the port numbers shown are actually the decimal equivalents of the SPIs negotiated during IPSec tunnel establishment.
The port numbers used when the IPSec session is created are derived from the SPI values that the remote IPSec peers exchange during IKE phase 2 of tunnel establishment. This method applies only when the firewall itself is one of the IPSec peers, that is, when the IPSec tunnel terminates on the firewall.
For pass-through IPSec traffic, where the Palo Alto Networks firewall is only an intermediate device between two IPSec peers, it is practically impossible to create a session based on the negotiated SPI values, because IKE phase 2 is encrypted and its content is not visible to the firewall.
Since the SPI values cannot be seen in advance, for IPSec pass-through traffic the Palo Alto Networks firewall creates the session using the generic value 20033 for both the source and destination port.
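As an added example (not part of the original article or of PAN-OS), the following Python reads the SPI out of a constructed ESP header and interprets the port fields of a protocol-50 session entry the way the article describes: 20033/20033 means pass-through, anything else is the decimal form of a negotiated SPI. It assumes the displayed decimal carries the full 32-bit SPI, which the article states but does not show.

```python
import struct

# Generic port value PAN-OS assigns to pass-through ESP sessions (from the article).
PASSTHROUGH_PORT = 20033

# Constructed sample: an ESP header (RFC 4303) with SPI 0x00ABCDEF, sequence 1,
# followed by a few opaque payload bytes. Not a captured packet.
SAMPLE_ESP_PACKET = struct.pack("!II", 0x00ABCDEF, 1) + b"\x00" * 16


def esp_spi(packet: bytes) -> int:
    """Return the SPI from the first 4 bytes of an ESP header (network byte order)."""
    if len(packet) < 8:
        raise ValueError("ESP header needs at least SPI (4 bytes) and sequence (4 bytes)")
    (spi,) = struct.unpack("!I", packet[:4])
    return spi


def describe_esp_session(src_port: int, dst_port: int) -> dict:
    """Interpret the port fields of a protocol-50 session as the article explains.

    Both ports 20033 -> the tunnel does not terminate on the firewall (pass-through),
    so no SPI is known. Otherwise each port is the decimal value of an SPI, which is
    rendered in hex to compare against IPSec SA listings.
    """
    if src_port == PASSTHROUGH_PORT and dst_port == PASSTHROUGH_PORT:
        return {"kind": "pass-through", "spis": []}
    return {"kind": "terminated", "spis": [f"0x{src_port:08x}", f"0x{dst_port:08x}"]}


def packet_belongs_to_session(src_port: int, dst_port: int, packet: bytes) -> bool:
    """True if the ESP packet's SPI matches one of the SPIs encoded in the session ports.

    For a pass-through session there is nothing to compare, so the check is not
    applicable and False is returned.
    """
    info = describe_esp_session(src_port, dst_port)
    if info["kind"] == "pass-through":
        return False
    return esp_spi(packet) in (src_port, dst_port)
```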
In the example below, the source and destination ports of both the c2s and s2c flows have the same value, 20033: