[strongSwan] ISP marking ipsec traffic based on certificate, how is this possible?

Mark Zimmer sgi at tango.lu
Wed Dec 16 08:49:58 CET 2015

Hello list,

I have a site-to-site ipsec vpn with strongswan. It was working well for 5-6 months, then a day ago I noticed something strange: from Site-A to Site-B (tunnel mode) only the upload bandwidth is capped down to 20-30 kbit/s inside the VPN. I have tried various apps like ftp and scp on different ports; it was the same result. I also ran speedtest/wget on both endpoints just to make sure that the entire connection of those networks is not capped.

Since outside parties cannot see anything of what's going on inside the tunnel, at first I was thinking that they had started limiting the traffic based on port (4500 udp) or based on protocol (ESP), which is easy to do.

In older versions of strongswan it's not possible to change the charon nat port (probably wouldn't work anyway since most of the traffic should be ESP (protocol 61?)). I have restarted the strongswan daemon on both endpoints multiple times; it did not change the situation. So my last idea was to make new vpn certificates. To my biggest surprise, with the new certificates the capping was gone and the bandwidth went back to normal. I hope I don't have to put the old certs back from backup just to make a point.

One of the ISPs must have started tagging the ipsec traffic based on the certificate and then doing traffic shaping (QoS) on it to throttle down the bandwidth. How is this even possible? I was thinking that an ipsec connection is encrypted and random from the beginning. How can they define a pattern on their whatever device to be able to mark this specific traffic? Is there a part of the beginning of the connection sequence which is always the same?

Do I have to worry here that my vpn keys got compromised?

Anybody ever experienced this?
