UDP 500
Synopsis
- UDP port 500 is used by the Internet Key Exchange (IKE/ISAKMP) protocol for IPsec VPN negotiation.
- Real-world implementations include Microsoft Windows built-in IKEv2 VPN, Apple iOS/macOS IKEv2, and Android IPsec/IKEv2 (e.g., strongSwan client).
- Network devices like Cisco ASA/IOS, Juniper SRX, Fortinet FortiGate, Palo Alto firewalls (GlobalProtect in IPsec mode), MikroTik RouterOS, and Sophos XG listen on UDP 500 for site-to-site and remote-access IPsec.
- Open-source gateways such as strongSwan and Libreswan (Linux), pfSense/OPNsense (using strongSwan), and OpenBSD isakmpd use UDP 500 for IKE.
- Major cloud VPN services—AWS Site-to-Site VPN, Azure VPN Gateway, and Google Cloud VPN—also use UDP 500 for IKE negotiations.
- When NAT is detected, many of these switch to UDP 4500 (NAT-T) after the initial exchange on UDP 500.
- Security note: UDP 500 is frequently targeted for VPN enumeration and IKEv1 Aggressive Mode pre-shared key cracking, and past IKE daemon flaws (e.g., in Cisco ASA or strongSwan) have been exploited.
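For monitoring, the exchange type in the fixed 28-byte IKE header is enough to tell IKEv1 Aggressive Mode apart from Main Mode and IKEv2, on UDP 500 and behind the NAT-T marker on UDP 4500. The sketch below is an added example, not code from any product named above. The names `classify_ike`, `make_header` and `SAMPLES` are hypothetical and the sample datagrams are constructed; the header layout follows RFC 2408 / RFC 7296 and the non-ESP marker follows RFC 3948.

```python
import struct

# Fixed IKE/ISAKMP header: initiator SPI, responder SPI, next payload,
# version, exchange type, flags, message ID, total length (28 bytes).
IKE_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00" * 4  # prefixes IKE messages on UDP 4500 (NAT-T)
ZERO_SPI = b"\x00" * 8

EXCHANGES = {  # (major version, exchange type) -> name
    (1, 2): "IKEv1 Main Mode", (1, 4): "IKEv1 Aggressive Mode",
    (1, 5): "IKEv1 Informational", (1, 32): "IKEv1 Quick Mode",
    (2, 34): "IKEv2 IKE_SA_INIT", (2, 35): "IKEv2 IKE_AUTH",
    (2, 36): "IKEv2 CREATE_CHILD_SA", (2, 37): "IKEv2 INFORMATIONAL",
}

def classify_ike(payload: bytes, port: int = 500):
    """Describe one UDP payload seen on port 500/4500; None if it is not IKE."""
    if port == 4500:
        if payload == b"\xff":
            return None  # NAT-T keepalive, carries no IKE message
        if not payload.startswith(NON_ESP_MARKER):
            return None  # UDP-encapsulated ESP, not IKE
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < IKE_HEADER.size:
        return None
    _i_spi, r_spi, _np, version, exch, _flags, _mid, length = IKE_HEADER.unpack_from(payload)
    major = version >> 4  # high nibble is the major version
    if major not in (1, 2) or length < IKE_HEADER.size:
        return None
    return {
        "exchange": EXCHANGES.get((major, exch), f"IKEv{major} exchange {exch}"),
        "initial": r_spi == ZERO_SPI,        # responder SPI is zero in the first message
        "truncated": length > len(payload),  # declared length exceeds the bytes seen
        "alert": (major, exch) == (1, 4),    # Aggressive Mode observed on the wire
    }

def make_header(major: int, exch: int, r_spi: bytes = ZERO_SPI) -> bytes:
    """Build a constructed header-only datagram for the samples below."""
    return IKE_HEADER.pack(b"\x11" * 8, r_spi, 0, major << 4, exch, 0, 0, IKE_HEADER.size)

# Constructed samples (not captured traffic): (port, payload)
SAMPLES = [
    (500, make_header(1, 4)),
    (500, make_header(2, 34)),
    (4500, NON_ESP_MARKER + make_header(2, 35, b"\x22" * 8)),
    (4500, b"\xff"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify_ike(data, port))
```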