[strongSwan] NAT mappings of ESP CHILD_SA changed !!!

Kesava Srinivas keshavsrinu at gmail.com
Thu Aug 15 02:04:14 CEST 2013


Hi guys,

The testbed has an IPsec tunnel (IKEv2, tunnel mode) established between two
routers which are connected via multiple NAT routers in between. Everything
was fine and I can see keep-alives being sent over the standard
NAT-T ports (source port = 4500 & dest port = 4500).

Now I am trying to ssh from one router to the other with a change in the
source (NATP) port of the NAT-T header, e.g. new source port = 1003 & new dest
port = 4500. I can see packets are reaching the target router but it is
not responding back.

When I take a look at the charon log with the basic loglevel, it says
*"Aug 14 18:36:18 01[KNL] NAT mappings of ESP CHILD_SA with SPI cd99538e
and reqid {1} changed, queuing update job"*

Does that mean the target router's strongSwan is not handling this changed
packet correctly? The strongSwan version is 5.0.4.

Please find attached the configuration and also a detailed charon log (with
loglevel = 4 for some important subsystems).

Looking forward to the reply.

Thanks,
VKS.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon.log
Type: application/octet-stream
Size: 27517 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130814/d70e7e9e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec_ROUTER1.conf
Type: application/octet-stream
Size: 701 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130814/d70e7e9e/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec_ROUTER2.conf
Type: application/octet-stream
Size: 310 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130814/d70e7e9e/attachment-0002.obj>