<div dir="ltr"><font face="verdana, sans-serif">Thanks Tobias for the response. </font><div><font face="verdana, sans-serif"><br></font></div><div><font face="verdana, sans-serif">Yes. Your Guess was Correct. For the Control traffic , still the standard Ports remains same (4500-4500). No Source Port Change for them. This NAT Mapping was happening only for specific Traffic (Ex: ssh,http,ftp etc) . We have a Kernel space Module written on Router (linux machine) to identify the SSH Traffic (using iptables Mark etc.. ) and then over writing the NAT-T header's source port from 4500 to 1003. </font></div>
<div><font face="verdana, sans-serif"><br></font></div><div><span style="font-family:verdana,sans-serif">Now inorder to handle this scenario where Control Traffic (Keep-alives) will still go over 4500-4500 and Data Traffic will have a source port change , whats the possible tweak that we can do in strongswan or Linux kernel !!! Thinking of two feasible solutions here...</span></div>
<div><span style="font-family:verdana,sans-serif"><br></span></div><div><span style="font-family:verdana,sans-serif">1] Can't it handle parallely both the Traffic ? 1]4500-4500 2]1003-4500</span><br></div><div><span style="font-family:verdana,sans-serif">2] C</span><span style="font-family:verdana,sans-serif">ontrolling the keepalives to be delayed further (from 10secs to some 40-50 secs) in such a way that meanwhile communcation happens with Port 1003.</span></div>
<div><br></div><div><span style="font-family:verdana,sans-serif">Please let me know of any more solutions to handle this scenario in the best way!!!</span></div><div><span style="font-family:verdana,sans-serif"><br></span></div>
<div><span style="font-family:verdana,sans-serif">-Best Regards,</span></div><div><span style="font-family:verdana,sans-serif">VKS.</span></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Aug 15, 2013 at 2:04 AM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<div class="im"><br>
> Does that mean., Target Router's strongswan not handling this Changed<br>
> packet correctly ?<br>
<br>
</div>No, the daemon correctly updates the two SAs:<br>
<br>
> Aug 14 18:55:23 01[KNL] NAT mappings of ESP CHILD_SA with SPI c22c81c5 and reqid {1} changed, queuing update job<br>
> ...<br>
> Aug 14 18:55:23 10[KNL] updating SAD entry with SPI c22c81c5 from 192.168.3.128[4500]..10.10.0.130[4500] to 192.168.3.128[1003]..10.10.0.130[4500]<br>
> ...<br>
> Aug 14 18:55:23 10[KNL] updating SAD entry with SPI c41a180e from 10.10.0.130[4500]..192.168.3.128[4500] to 10.10.0.130[4500]..192.168.3.128[1003]<br>
<br>
But the problem is that after the update an IKE packet is actually<br>
received from port 4500, not 1003, which reverts those updates:<br>
<br>
> Aug 14 18:55:32 11[NET] received packet: from 192.168.3.128[4500] to 10.10.0.130[4500] (76 bytes)<br>
> ...<br>
> Aug 14 18:55:32 11[KNL] updating SAD entry with SPI c22c81c5 from 192.168.3.128[1003]..10.10.0.130[4500] to 192.168.3.128[4500]..10.10.0.130[4500]<br>
> ...<br>
> Aug 14 18:55:32 11[KNL] updating SAD entry with SPI c41a180e from 10.10.0.130[4500]..192.168.3.128[1003] to 10.10.0.130[4500]..192.168.3.128[4500]<br>
<br>
And such packets continue to arrive from port 4500:<br>
<br>
> Aug 14 18:55:42 12[NET] received packet: from 192.168.3.128[4500] to 10.10.0.130[4500] (76 bytes)<br>
<br>
So how exactly did you force the change of the NAT mapping? It seems it<br>
doesn't apply to all the traffic.<br>
<br>
Regards,<br>
Tobias<br>
<br>
</blockquote></div><br></div>