Forum Discussion
zeiss_63263
Jul 26, 2016
Historic F5 Account
As a postscript to this thread: ipsec.lookupspi is only of relevance when the data flow happens as ESP in IP and not ESP in UDP port 4500 (in IP). When NAT is detected, the IPsec peers should switch to UDP port 4500, and the ESP, once the tunnel is established, will be encapsulated in UDP.
In such a scenario ipsec.lookupspi is of no relevance because the connection flow characteristics are set up based on the IP/UDP data.
In the scenario that Kannan has proposed, SNAT is supported on the Virtual Server (make sure it is a forwarding Virtual Server); however, that also guarantees that the float to UDP port 4500 will happen, and so ipsec.lookupspi is redundant in this scenario.
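The distinction drawn in the post above, as an added example that is not part of the original post and does not describe BIG-IP internals: a small Python classifier that separates native ESP (IP protocol 50, where the SPI is the only per-tunnel selector) from RFC 3948 traffic on UDP port 4500 (where UDP ports already identify the flow). The function names, `flow_key` labels and sample packets are constructed for illustration.

```python
import socket
import struct

ESP_PROTO, UDP_PROTO, NATT_PORT = 50, 17, 4500

def classify(pkt: bytes) -> dict:
    """Classify a raw IPv4 packet as native ESP or one of the UDP/4500 payload types."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, payload = pkt[9], pkt[ihl:]
    if proto == ESP_PROTO and len(payload) >= 8:
        # No ports exist here: only addresses plus the SPI tell tunnels apart.
        spi, _seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp-in-ip", "flow_key": "ip-pair+spi", "spi": spi}
    if proto == UDP_PROTO and len(payload) >= 8:
        sport, dport, _len, _csum = struct.unpack("!HHHH", payload[:8])
        if NATT_PORT in (sport, dport):   # a NAT may rewrite one side's port
            data = payload[8:]
            if data == b"\xff":           # RFC 3948 NAT-keepalive
                return {"kind": "nat-keepalive", "flow_key": "udp-5-tuple"}
            if data[:4] == b"\x00" * 4:   # non-ESP marker: IKE follows
                return {"kind": "ike-in-udp", "flow_key": "udp-5-tuple"}
            if len(data) >= 8:            # non-zero first word is the ESP SPI
                spi = struct.unpack("!I", data[:4])[0]
                return {"kind": "esp-in-udp", "flow_key": "udp-5-tuple", "spi": spi}
    return {"kind": "other", "flow_key": None}

# --- constructed sample packets (documentation addresses, zero checksums) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton("192.0.2.10"),
                      socket.inet_aton("198.51.100.20"))
    return hdr + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16  # SPI, seq, dummy body

if __name__ == "__main__":
    samples = {
        "native ESP": ipv4(ESP_PROTO, SAMPLE_ESP),
        "ESP after NAT": ipv4(UDP_PROTO, udp(40211, NATT_PORT, SAMPLE_ESP)),
        "IKE on 4500": ipv4(UDP_PROTO, udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + b"\x11" * 28)),
        "keepalive": ipv4(UDP_PROTO, udp(NATT_PORT, NATT_PORT, b"\xff")),
    }
    for name, pkt in samples.items():
        print(f"{name:14s} -> {classify(pkt)}")
```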