<div dir="ltr"><font face="verdana, sans-serif">Thank you for responding.</font><div><font face="verdana, sans-serif"><br></font></div><div><font color="#ff0000"><span style="font-family:arial,sans-serif;font-size:13px">&lt;What's the point of changing the ports for certain traffic anyway?&gt;</span><br>
</font></div><div><font face="verdana, sans-serif">We are doing policy-based routing in our next hop router based on IP header options. For the next hop router the whole 5-tuple looks equal, and hence we are facing NAT problems when routing a packet via a different interface than the previous packet's routed interface (as you might already know, NAT &amp; conntrack are tightly coupled modules). Once the kernel remembers the first packet's 5-tuple information and its in/out interfaces, then for the second packet it is trying to apply the same (NAT IP). For that reason we want to have some metric in the 5-tuple differ, so that it looks like a different packet to the next hop router's kernel. And obviously, with no other option, the only one available was the source port.</font></div>
<div><font face="verdana, sans-serif"><br></font></div><div><span style="font-family:verdana,sans-serif">Well, I will try to patch the kernel_handler.c file, but as you raised, I still need to see how it goes with the kernel!!!</span><br>
</div><div><br></div><div><font face="verdana, sans-serif">-Regards,<br>VKS.</font></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Aug 20, 2013 at 2:06 AM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<div class="im"><br>
> Looks like the second solution is not working. Even though I configured<br>
> /etc/strongswan.conf with charon.keep_alive = 0 on both initiator and<br>
> responder, it looks like this configuration is not reflected at all.<br>
> Still I see keep-alive packets are going over standard NAT-T ports every<br>
> 10 seconds. (Initiator strongSwan 5.0.1 &amp; receiver strongSwan 5.1.0)<br>
<br>
</div>That's because the change back to port 4500 is not caused by keepalive<br>
packets (which are silently ignored as they are not authenticated) but<br>
by DPD packets (check dpd... options in ipsec.conf). But any valid IKE<br>
packet could cause such a change.<br>
<br>
You may theoretically patch kernel_handler.c so that no update_sa_job is<br>
created when the kernel detects a changed NAT mapping for ESP packets.<br>
strongSwan would then ignore the changed ports and not update the SA.<br>
But I don't think this is optimal as the kernel will still create events<br>
for each received packet with a different port.<br>
<br>
What's the point of changing the ports for certain traffic anyway?<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div><br></div>
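<p>Tobias's distinction above (NAT keepalives are ignored because nothing in them can be verified, whereas a valid IKE packet such as a DPD exchange, or an ESP packet the kernel matches to an SA, can move the peer's view of the NAT mapping) is easy to see at the wire level. The following classifier is an added example, not code from this thread or from strongSwan. It assumes the UDP-encapsulation layout of RFC 3948 (a single 0xFF octet for a keepalive, four zero octets as the non-ESP marker before an IKE header, otherwise an ESP SPI) and the IKEv2 header layout of RFC 7296; the sample datagrams, SPIs, ports and message id are constructed here for illustration.</p>

```python
"""Classify datagrams seen on UDP port 4500 (IKE/ESP NAT traversal).

Added, constructed example; not strongSwan code. It shows why a NAT
keepalive cannot legitimately move an IKE SA to new ports while a real
IKE or ESP datagram can: the keepalive carries nothing a peer can verify.
"""
import struct

NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: keepalive is a single 0xFF octet
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: four zero octets precede an IKE header
IKE_HEADER_LEN = 28                   # RFC 7296 3.1: fixed IKE header size

IKEV2_EXCHANGE_TYPES = {
    34: "IKE_SA_INIT",
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",
    37: "INFORMATIONAL",  # an IKEv2 DPD probe is an empty INFORMATIONAL exchange
}


def classify_udp4500_payload(payload: bytes) -> dict:
    """Describe one UDP/4500 datagram and whether it could move the NAT mapping."""
    if payload == NAT_KEEPALIVE:
        # Unauthenticated, not tied to any SA: a peer silently drops it.
        return {"kind": "nat-keepalive", "may_trigger_port_update": False}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP header",
                "may_trigger_port_update": False}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated IKE header",
                    "may_trigger_port_update": False}
        spi_i, spi_r, _next, version, exch, flags, msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {
            "kind": "ike",
            "version": f"{version >> 4}.{version & 0x0F}",
            "spi_i": spi_i,
            "spi_r": spi_r,
            "exchange": IKEV2_EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "initiator": bool(flags & 0x08),   # I flag, bit 3
            "response": bool(flags & 0x20),    # R flag, bit 5
            "message_id": msg_id,
            "length_ok": length == len(ike),
            # A valid IKE message is matched to its SA by SPI and integrity-checked,
            # so (as the thread notes) it can legitimately update the peer's ports.
            "may_trigger_port_update": True,
        }
    # Anything else on 4500 is UDP-encapsulated ESP: SPI then sequence number.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "may_trigger_port_update": True}


def port_change_candidates(packets):
    """From (src_port, payload) pairs, keep those a peer might act on for a port change."""
    result = []
    for port, payload in packets:
        info = classify_udp4500_payload(payload)
        if info["may_trigger_port_update"]:
            result.append((port, info["kind"]))
    return result


def build_ike_informational(spi_i, spi_r, msg_id, total_len=76):
    """Constructed IKEv2 INFORMATIONAL request (next payload 46 = SK), body zero-filled."""
    hdr = struct.pack("!QQBBBBII", spi_i, spi_r, 46, 0x20, 37, 0x08, msg_id, total_len)
    return NON_ESP_MARKER + hdr + b"\x00" * (total_len - IKE_HEADER_LEN)


# Constructed sample traffic: a keepalive, a DPD-style INFORMATIONAL, and an ESP
# datagram arriving from a different source port after the NAT mapping changed.
SAMPLE_PACKETS = [
    (4500, NAT_KEEPALIVE),
    (4500, build_ike_informational(0x0123456789ABCDEF, 0xFEDCBA9876543210, msg_id=7)),
    (61000, struct.pack("!II", 0x1A2B3C4D, 17) + b"\xab" * 40),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_PACKETS:
        print(port, classify_udp4500_payload(payload))
    print("could move the mapping:", port_change_candidates(SAMPLE_PACKETS))
```

<p>Run stand-alone it prints the three classifications and shows that only the IKE and ESP datagrams are candidates for a port change; the keepalive is dropped from consideration, which is why setting <code>charon.keep_alive = 0</code> alone does not stop the switch back to port 4500 described in the thread.</p>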