How do I close UDP Port 500?

Question

I am failing a PCI scan because UDP Port 500 is showing as open|filtered on Nmap scans. I see that this is the ISAKMP service. However I do not have any IPsec connections defined, I have Cisco VPN disabled, and I even went so far as to create a Deny/Drop firewall rule for everything incoming hitting port 500, put it at the top, and that still doesn't work. 
 How do I find out what service on the XG has this port open and then close it?

Bill Roland · Accepted Answer

Alright so replying to my own thread, I think I have figured out a workaround. I remembered this being a problem in the past with RED and somebody suggesting the workaround of creating a business rule and essentially publishing the port to a null IP address. So I did that for UDP 500, and voila, it's now coming back as "filtered" since XG is now forwarding this traffic to essentially a black hole. We'll see if its confirmed by the next PCI scan that will occur in the next 24 hours but my own port scan now show it as filtered, as it should be. 
 I maintain this should not be necessary. I have another XG where this behavior doesn't happen, I guess because I never activated IPSec on it and so whatever internal ACL that gets created to allow IKE traffic on UDP 500 for strongswan to listen for never happened. Seems like a bug to me.

John Woodall · Answer

Well, part of the issue I believe is that you can't even use the firewall to restrict where UDP500 can connect from. 
 I had restricted my IPSec VPN to specific FQDN and it was open to the world. This means it's not REALLY isolated. It only means it won't successfully connect. That's not the same. 
 It should pass through the firewall FIRST, then connect to an internal service for the IPSec VPN

FHF · Answer

One thing to attempt is to stop the related daemon on the XG which is enabled by default. 
 From the advanced shell option on the XG run the following: 
 # service strongswan:stop -ds nosync