On Thursday 01 Aug 2013 06:37:28 SUN Nideson wrote:
> Many thanks for your suggestion.
> It shall solve my problem.
You're welcome! The problem you've come across is I think related to how IP
headers are encapsulated by IPSec. When an encrypted packet is received the
original IP address and port are not visible and so cannot be processed yet.
After an SA is matched and the packet decrypted, then and only then do the inner
headers become visible, and the inner IP/port can be routed in accordance with
the SPD entries. If you think about what happens to each packet along these lines, I
think you'll be able to solve your problem (as long as it is solvable!).
Matching SPIs/SAs/SPs with a //unique:<number> parameter will hopefully allow
you to route traffic through the desired ports.
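As an added illustration (not from the original poster or any real IPsec stack), here is a toy Python model of the inbound order of operations described above: SA lookup on the outer header and SPI, decryption, then SPD matching on the inner selectors, with a unique id binding one SP to one SA. All addresses, SPIs, keys, the payload format and the unique ids are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SA:
    """Security Association (SAD entry): found by outer dst + SPI."""
    dst: str
    spi: int
    key: bytes
    unique_id: Optional[int]  # set when the SA is bound to one SP (//unique:<n>)

@dataclass
class SP:
    """Inbound Security Policy (SPD entry): matched on *inner* selectors."""
    src: str
    dst: str
    dport: int
    unique_id: Optional[int]  # None == plain 'require'; n == unique:n

def xor_crypt(data: bytes, key: bytes) -> bytes:
    # Stand-in for ESP encryption/decryption (symmetric), not a real cipher.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_inner(plain: bytes) -> tuple:
    # Constructed inner-header format "src|dst|dport" (stands in for IP+TCP).
    src, dst, dport = plain.decode().split("|")
    return src, dst, int(dport)

def inbound(outer_dst, spi, esp_payload, sad, spd) -> str:
    # 1. Only the outer dst and the SPI are visible: look up the SA.
    sa = next((s for s in sad if s.dst == outer_dst and s.spi == spi), None)
    if sa is None:
        return "drop: no SA for (dst, spi)"
    # 2. Decrypt; only now can inner src/dst/port be read.
    inner = parse_inner(xor_crypt(esp_payload, sa.key))
    # 3. Match inner selectors against the SPD.
    for sp in spd:
        if (sp.src, sp.dst, sp.dport) == inner:
            # unique:<n> ties the SP to one SA; traffic arriving on another SA is dropped.
            if sp.unique_id is not None and sp.unique_id != sa.unique_id:
                return f"drop: SP unique:{sp.unique_id} != SA unique:{sa.unique_id}"
            return f"accept: dport {inner[2]} via spi 0x{spi:x}"
    return "drop: no SP matches inner selectors"

# Constructed sample SAD/SPD: SSH bound to SA 0x1000, HTTP bound to SA 0x1001.
SAD = [SA("10.0.0.2", 0x1000, b"k1", 1), SA("10.0.0.2", 0x1001, b"k2", 2)]
SPD = [SP("10.0.0.1", "10.0.0.2", 22, 1), SP("10.0.0.1", "10.0.0.2", 80, 2)]

def demo(spi: int, key: bytes, dport: int) -> str:
    payload = xor_crypt(f"10.0.0.1|10.0.0.2|{dport}".encode(), key)
    return inbound("10.0.0.2", spi, payload, SAD, SPD)
```

Calling `demo(0x1001, b"k2", 22)` shows the unique binding at work: the inner selectors match the SSH policy, but because that SP is bound to unique:1 and the packet arrived on the unique:2 SA, it is dropped.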