The restoration is happening - but being actioned on the wrong location. The destination IP address is being saved and restored, and the SPI being written directly after the destination IP address. From my understanding though, the ESN shuffling should have saved and restored the UDP source / dest ports + SPI.
-Blair

On 06/13/2016 10:20 PM, Steffen Klassert wrote:
> On Mon, Jun 13, 2016 at 11:48:13AM +1200, Blair Steven wrote:
>> During testing we have discovered an issue with IPsec NAT-T where the SPI
>> is overwriting the source and dest ports of the UDP header.
> The headers should be restored after the crypto operation in
> esp_restore_header(). Does this not happen in your case? What
> kind of problem do you experience?