2) I have an IPsec tunnel from a soekris box (with custom kernel)
through a NAT. I ping through the tunnel and the replies come back to
the soekris. UDP encapsulation works fine until I reboot the NAT box.
After rebooting the NAT box, the IPsec gateway continues to send back
replies on the old port (51884), but the NAT box has chosen another
source port, obviously.
tcpdump on the NAT box after reboot:
09:51:49.835997 22.214.171.124.64819 > 126.96.36.199.4500: udpencap:
esp 188.8.131.52 > 184.108.40.206 spi 0x5ACCA1E0 seq 241 len 132
09:51:49.837076 220.127.116.11.4500 > 18.104.22.168.51884: udpencap:
esp 22.214.171.124 > 126.96.36.199 spi 0x89134FAD seq 192 len 132
Before reboot, the NAT machine (188.8.131.52) sent packets with source
port 51884 and everything worked fine.
Why is 184.108.40.206 (the IPsec gateway) still sending back replies to
the old port (51884) instead of the new port 64819?
The issue is resolved after the SA expires and a new SA is set up.