Port 2797: esp-encap — A registered port from the IPsec NAT wars

Port 2797 sits in the registered ports range (1024–49151) with an official IANA assignment: esp-encap, both TCP and UDP, registered by Jorn Sierwald of Data Fellows. ¹

It is, for all practical purposes, unused.

What esp-encap Was Trying to Do

IPsec's Encapsulating Security Payload (ESP) protocol has a NAT problem. ESP encrypts and authenticates IP packets, which is exactly what you want for a VPN. But NAT devices — the boxes that rewrite IP addresses — can't modify what they can't read. ESP packets pass through a NAT opaque and unmodified, which means the destination has no idea where to send the reply. The NAT breaks the session.

The fix everyone converged on: wrap the ESP packet in UDP. UDP has port numbers, NAT understands port numbers, and the device on the other end can unwrap the UDP to find the ESP inside. Simple idea. Hard to standardize.

The Race to a Standard

In the early 2000s, multiple vendors were shipping proprietary implementations of this "UDP encapsulation of ESP" idea. There was no agreed port. An early IETF draft from Ari Huttunen and colleagues — draft-huttunen-ipsec-esp-in-udp — couldn't even commit to a port number, noting that ESPUDP would use "2797 (or 2746, undecided)" as its source and destination ports. ²

That indecision is preserved in the document forever.

The IETF working groups eventually standardized the approach in RFC 3948, but they chose port 4500 — not 2797, not 2746. ³ Port 4500 (also called IKE-NAT-T) became the standard for NAT traversal in IPsec and is what every modern VPN implementation uses.

Port 2797 kept its IANA registration. Nobody claims to use it. It is a timestamp from the standards process — evidence that someone thought the answer would live here, before the answer moved.

What You'll Find Here Today

Almost certainly nothing. Port 2797 has no active community of implementations behind it. If you see traffic on this port, it is more likely to be:

• A misconfigured or non-standard VPN implementation from the early 2000s
• An application that picked a port at random and landed here
• A scanner or probe

How to Check What's Using Port 2797

On Linux/macOS:

# Show what process is listening on port 2797
ss -tlnp | grep 2797
# or
lsof -i :2797

On Windows:

netstat -ano | findstr :2797

If something is listening here and you didn't put it there, that's worth investigating.

The Registered Ports Range

Port 2797 lives in the registered ports range (1024–49151), also called user ports. This range is where IANA accepts registration requests from software vendors and protocol authors. Registration means IANA records the association — it doesn't mean the service is in widespread use, or in use at all. Many registered ports are orphaned like this one: claimed during active development, then superseded or abandoned.

The assignment is recorded in the IANA Service Names and Transport Protocol Port Number Registry, which is the authoritative list maintained under RFC 6335. ⁴