Configuring ZeroShell's default IKE port (i.e., 10000)


    I am helping someone configure ZeroShell for the first time. We are able to connect to ZeroShell OK and browse the internet. I then use Cisco's VPN client to connect to my network's firewall. My firewall's logs show ZeroShell using port 10000 for IKE, which is denied because my firewall is configured to use port 500 for IKE.

    How do I configure ZeroShell to use port 500 for IKE instead of 10000?

    Thank you.


    I didn't clearly understand the question. Are you trying to connect to Zs using the Cisco VPN client? Could you clarify?
    AFAIK, port 10000 is the default port when using cTCP on the Cisco VPN client side…


    Thanks for follow up.

    BTW our goal is to replace our Chillispot server with Zs.

    Hopefully I can explain better:

    Note in the sample ASA FW logs:
    The Zs server IP is
    The ASA’s IP is represented as ###.###.###.###
    The Chillispot server IP is

    After I successfully connect to Zs, I want to then connect to my cisco ASA using Cisco’s VPN Client (ver 5) configured with IPSec over UDP.

    Here is a sample of my ASA logs when the VPN connection works using our Chillispot server instead of Zs:

    Built inbound UDP connection for INTERNET: ( to identity:###.###.###.###/500

    Built inbound UDP connection for INTERNET: ( to identity:###.###.###.###/4500

    Here is a sample of my ASA logs when the VPN connection does not work using Zs:
    IP =, IKE port 10000 for IPSec UDP already reserved on interface INTERNET

    It's like Zs is using cTCP instead of IPSec over UDP, which is what my Cisco client is configured to use.

    Does that make sense ?


    In addition, I cannot allow split tunneling for the cisco VPN clients connecting to the ASA via Zs.


    What does "after I successfully connect to ZS" mean? Via the CP on the LAN? From the internet?
    Why do you have to connect to Zs in order to then connect to the ASA?
    How is Zs configured? One LAN, one WAN directly connected to the internet…
    Is Zs at one site, and the ASA at another site, and hosts "behind" ZS have to connect to an "ASA on its public IP address" via the internet?
    Sorry for these questions, just to understand.. 🙄


    Not a problem. I really appreciate the help.

    Zs is going to be used to authenticate users on a local LAN who want to use our DSL connection to connect to the internet.
    This connection works no problem:
    User ( — Lan –> Zs (Private:; Public: — DSL –>

    Some users will need to connect to the internet to initiate a VPN connection with our ASA firewall at another geographical location (the ASA is on a public IP address).
    This is the path of the traffic that does not work:
    User ( — Lan –> Zs (Private:; Public: — DSL –> ASA (
    User ( — Lan –> Zs (Private:; Public: — DSL –> ASA (

    Instead, Zs is using port 10000 for IKE. I’ll represent it like this:
    User ( — Lan –> Zs (Private:; Public: — DSL –> ASA (
    Our ASA is not configured to listen on port 10000 for cTCP.

    What do you think?


    OK, it's clear now!!
    Well, I did some tests while waiting for your reply. Unfortunately my ASA is down at the moment, so I did them with a Cisco ISR… it isn't the same, but for this purpose it could also do: a Win7 host, on the LAN behind Zs, authenticated on the Captive Portal… then I launched the Cisco VPN client (VPN_CLIENT to another site, where the Cisco ISR VPN server is listening (on this second site there is another Zs placed in a DMZ of the Cisco router/fw/ips, which also acts as RADIUS server for VPN auth). The VPN is IPsec/UDP (500/4500). This is the first log of the Cisco VPN server regarding the connection:

    22:26:52 002312: Oct 4 22:26:52.288 Rome: ISAKMP: local port 500, remote port 56021

    some logs later

    22:26:53 002418: Oct 4 22:26:52.884 Rome: ISAKMP: Trying to insert a peer, and inserted successfully 86914934.

    All the rest goes well, and the connection is established correctly, so in my case I would say that ZS doesn't change UDP 500. You can take a look on ZS: Firewall, Conntrack, fill the filter field with "10000", then try to connect via the VPN client and click the refresh button… This is my output; I put 500 in the "filter" field:

    udp 17 159 src= dst= sport=50692 dport=500 src= dst= sport=500 dport=50692 [ASSURED] mark=0 use=1
    udp 17 170 src= dst= sport=50693 dport=4500 src= dst= sport=4500 dport=50693 [ASSURED] mark=0 use=1

    Try, and let me know…


    Sorry for the delay:
    This is what the Zs log shows:

    udp 17 17 src= dst= sport=10000 dport=10000 [UNREPLIED] src= dst= sport=10000 dport=10000 mark=0 use=1

    It looks like my Cisco client ( is sending the request to my ASA ( on port 10000.

    Go Figure!

    What do you think?
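    The two conntrack outputs above (the working 500/4500 flows and the one-way 10000 flow) are the whole diagnosis in this thread, so here is a small parser that reads conntrack lines of that shape, labels each IPsec flow by the transport its destination port implies, and flags entries the remote peer never answered. This is an added example, not ZeroShell code or anything posted in the thread; the addresses in the sample are constructed RFC 5737 values standing in for the IPs stripped from the posts above.

```python
"""Classify Linux/ZeroShell conntrack UDP entries by IPsec transport.

Added example (not ZeroShell project code). Input format is the
/proc/net/nf_conntrack-style line shown in the thread: a protocol name,
protocol number, timeout, an original-direction 4-tuple, an optional
[UNREPLIED] flag, the reply-direction 4-tuple, then [ASSURED]/mark/use.
"""
import re

# Destination ports that identify which IPsec transport the VPN client chose.
IPSEC_PORTS = {
    500: "IKE/ISAKMP (UDP 500)",
    4500: "NAT-T (IPsec over UDP 4500)",
    10000: "Cisco VPN Client 'IPSec over UDP' default (UDP 10000)",
}

# Constructed sample modelled on the conntrack lines pasted in the thread.
# 192.0.2.10 = LAN host, 203.0.113.7 = Zs public address, 198.51.100.5 = head-end.
SAMPLE = """\
udp 17 159 src=192.0.2.10 dst=198.51.100.5 sport=50692 dport=500 src=198.51.100.5 dst=203.0.113.7 sport=500 dport=50692 [ASSURED] mark=0 use=1
udp 17 170 src=192.0.2.10 dst=198.51.100.5 sport=50693 dport=4500 src=198.51.100.5 dst=203.0.113.7 sport=4500 dport=50693 [ASSURED] mark=0 use=1
udp 17 17 src=192.0.2.10 dst=198.51.100.5 sport=10000 dport=10000 [UNREPLIED] src=198.51.100.5 dst=203.0.113.7 sport=10000 dport=10000 mark=0 use=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
FLAG_RE = re.compile(r"\[([A-Z_]+)\]")


def parse_conntrack_line(line):
    """Return a dict for one UDP conntrack entry, or None for anything else.

    The first src/dst/sport/dport group is the original direction (as sent by
    the LAN host); the second is the reply direction (as it returns to the
    router's public address after SNAT).
    """
    fields = line.split()
    if len(fields) < 3 or fields[0] != "udp":
        return None
    tuples = [{}, {}]
    for key, value in KV_RE.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            side = 0 if key not in tuples[0] else 1   # first hit: original, second: reply
            tuples[side][key] = int(value) if key.endswith("port") else value
    if len(tuples[0]) < 4 or len(tuples[1]) < 4:
        return None   # malformed entry
    return {
        "timeout": int(fields[2]),
        "orig": tuples[0],
        "reply": tuples[1],
        "flags": set(FLAG_RE.findall(line)),
    }


def classify(entry):
    """Label an entry by IPsec transport; None if the port is not an IPsec port."""
    transport = IPSEC_PORTS.get(entry["orig"]["dport"])
    if transport is None:
        return None
    return {
        "port": entry["orig"]["dport"],
        "transport": transport,
        # SNAT in effect: replies are addressed to the router, not the LAN host.
        "natted": entry["reply"]["dst"] != entry["orig"]["src"],
        # Conntrack keeps the client's source port, so the router is not rewriting it.
        "port_preserved": entry["reply"]["dport"] == entry["orig"]["sport"],
        "answered": "UNREPLIED" not in entry["flags"],
    }


def diagnose(conntrack_text):
    """One line per IPsec flow: OK when the peer replied, FAIL when it never did."""
    findings = []
    for line in conntrack_text.splitlines():
        entry = parse_conntrack_line(line)
        verdict = classify(entry) if entry else None
        if verdict is None:
            continue
        if verdict["answered"]:
            findings.append(f"OK   UDP {verdict['port']}: {verdict['transport']} established")
        else:
            findings.append(
                f"FAIL UDP {verdict['port']}: {verdict['transport']} sent to "
                f"{entry['orig']['dst']}, no reply; check that the head-end listens on "
                "this port and the client's Transport tab (IPSec over UDP vs cTCP)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

    Run it against the output of the Firewall > Conntrack page (or `cat /proc/net/nf_conntrack` on the box) filtered for 500, 4500 and 10000: an `[UNREPLIED]` entry on 10000 with the source port preserved says the router forwarded the packet unchanged and the far end simply never answered on that port.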


    Did you check the "Enable Transparent Tunneling" and "IPSec over UDP" flags on the Transport tab of the VPN client config? I didn't understand whether the problem appears with the same client… that is, if connected to Chillispot it uses 500/4500, and instead on ZS it uses the default UDP port 10000…


    Yes, Transparent Tunneling and IPSec over UDP are selected on the VPN client.

    I found this article:

    It talks about the three different methods for IPSec to work.

    NAT Traversal is said to be the default method for UDP tunneling with the Cisco VPN Client.

    How do I know if Zs is configured for NAT Traversal?


    I don't think that the issue is related to Zs directly, rather to some NAT config. Take a look here.



    Thank you for the article. I did find the following info on the site:

    I do speak some Italian; that's why I was able to recognize it:

    ZeroShell, if enabled, is able to negotiate the use of NAT-T with L2TP/IPSec clients.

    How can I enable NAT-T in this manner on Zs?


    That article refers to when ZS itself acts as L2TP/IPsec server, not when a client behind (and NATted by) ZS tries to connect to a remote VPN server.
    I did some tests on the fly with the ASA, and depending on the condition of the VPN client (option 3), it acts exactly as mentioned in the article above.
    BTW, I'm Italian, but my name isn't Ricardo… 🙂


    Duh! Sorry, Fulvio… I live in the US and have family in Basilicata that I visit on occasion. What part of Italy are you from?


    I'm not the Zs creator and developer (which is Fulvio); I'm a fan (and user) of Zs.
