mdadigital
newbie
Topic Author
Posts: 34
Joined: Tue Feb 21, 2023 7:48 pm

Can I hide ipsec IKE with a better firewall rule

Thu Mar 30, 2023 10:37 am

Hi, I use the default IKE port 500 rule from mikrotik when you add a VPN.
I tried a port scanner and it detects port 500 open. Since IKE uses UDP and is thus connectionless, it feels like it should be possible to hide the port better from scanners.
Only let valid traffic through that succeeds with the exchange. Or maybe it's too early and the router can't determine if the exchange is valid from the first UDP message; I'm no expert on the IKE protocol.

Thanks
 
pe1chl
Forum Guru
Posts: 10511
Joined: Mon Jun 08, 2015 12:09 pm

Re: Can I hide ipsec IKE with a better firewall rule

Thu Mar 30, 2023 11:48 am

IKE requires this port open. At least for "incoming connections". When you make your connections towards another system that is passive, you can of course remove that rule as the established/related rule will take care of it. In that case, make sure you have DPD (dead peer detection) active with an interval of 2 minutes or less.
When you know the IP address of the remote, you can allow traffic only from there.
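The known-peer variant described above, written out as an added RouterOS v7 configuration (an example for this thread, not MikroTik's default config); the peer address 203.0.113.10 and the interface list name WAN are assumed placeholders.

```routeros
# Added example, not from the thread: replace the default "accept IKE" input rule
# so UDP/500, UDP/4500 (NAT-T) and ESP are accepted only from one known peer.
# 203.0.113.10 and the interface list WAN are placeholders for your own values.
/ip firewall filter

# Before (what "add VPN" generates): answers IKE from any source on the Internet.
#   add chain=input action=accept protocol=udp dst-port=500 comment="accept IKE"
# Remove that rule, then place the rules below above your final WAN drop rule.

# 1. Established/related first: once the IKE/ESP flow exists, later packets on
#    the same UDP 4-tuple (including rekeys) are accepted here.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"

# 2. IKE and NAT-T only from the known peer. Probes from any other source fall
#    through to the drop rule and get no reply, so the scanner no longer sees
#    the port as open (nmap reports it as open|filtered).
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=203.0.113.10 in-interface-list=WAN \
    comment="IKE/NAT-T from known peer only (placeholder address)"

# 3. ESP from the same peer (used when NAT-T is not in play).
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.10 \
    in-interface-list=WAN comment="ESP from known peer only"

# 4. Everything else arriving on WAN is dropped (typical last input rule).
add chain=input action=drop in-interface-list=WAN comment="drop all else from WAN"

# DPD at 2 minutes or less, as recommended above, so a peer that went away is
# detected and the SA torn down and re-initiated instead of sitting half-open.
/ip ipsec profile
set default dpd-interval=2m dpd-maximum-failures=5
```

Rule order matters: if the WAN drop rule sits above rule 2, the peer's IKE_SA_INIT is dropped and the tunnel never comes up, so check with `/ip firewall filter print` after pasting.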
 
mdadigital
newbie
Topic Author
Posts: 34
Joined: Tue Feb 21, 2023 7:48 pm

Re: Can I hide ipsec IKE with a better firewall rule

Thu Mar 30, 2023 11:51 am

pe1chl wrote:
IKE requires this port open. At least for "incoming connections". When you make your connections towards another system that is passive, you can of course remove that rule as the established/related rule will take care of it. In that case, make sure you have DPD (dead peer detection) active with an interval of 2 minutes or less.
When you know the IP address of the remote, you can allow traffic only from there.
I get that it needs to be "open" for traffic to come to the router. But it feels like it should be able to hide that it's there since it's UDP. But maybe I'm overthinking it. I solved it for port 1701 by enforcing IPsec policy. That port is no longer discoverable by scanners.
 
pe1chl
Forum Guru
Posts: 10511
Joined: Mon Jun 08, 2015 12:09 pm

Re: Can I hide ipsec IKE with a better firewall rule

Thu Mar 30, 2023 12:03 pm

I hope you are not in the Steve Gibson camp... did you "hide" your router for ICMP as well? BAD IDEA!!!
 
mdadigital
newbie
Topic Author
Posts: 34
Joined: Tue Feb 21, 2023 7:48 pm

Re: Can I hide ipsec IKE with a better firewall rule

Thu Mar 30, 2023 12:15 pm

pe1chl wrote:
I hope you are not in the Steve Gibson camp... did you "hide" your router for ICMP as well? BAD IDEA!!!
ICMP is not hidden :D
But hiding that I have a VPN would be nice.
 
pe1chl
Forum Guru
Posts: 10511
Joined: Mon Jun 08, 2015 12:09 pm

Re: Can I hide ipsec IKE with a better firewall rule

Thu Mar 30, 2023 12:28 pm

When you want to run a VPN server on your router that is reachable from all IP addresses, you need to have this port open for all IP addresses.
Unless of course you want to tinker with a "port knocking" scheme.