IPSec Tunnel - NSa 5650 Sending ESP (UDP 4500) traffic to IKE (UDP 500) port
I'm working with a customer of mine who has an NSa 5650, and we are trying to configure an IPSec IKEv2 tunnel between the 5650 and a Sierra Wireless XR90 cellular router. The customer has several IKEv1-based tunnels already established between Juniper and Cisco devices, and they are working fine. We have configured this tunnel very much the same, with the exception of using IKEv2, so we can use Peer IDs in place of static IP addresses, as the XR90 has multiple cellular WAN interfaces, and will change to different IP addresses based on the cellular WAN in use at a given time.
What we are seeing is that the IKE (Phase 1) process completes successfully, and the ESP (Phase 2) process initiates from the XR90 side. The ESP process ends up failing due to no responses (apparently) coming back from the 5650. When doing a packet trace, we do see responses coming back from the 5650, and the source UDP port is 4500, but the destination UDP port is 500, which seems to indicate to me that the ESP response is being sent to the IKE process. This will obviously not work. Here is a snapshot of the packet capture.
I can't fathom any reason for this type of behavior. We also saw the same on the Sonicwall side, with the Sonicwall sending from port 4500 to port 500.
Does anyone have any thoughts on this?
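As an added example (not from the original post, and not SonicWall or Sierra Wireless code), here is a small Python classifier for the kinds of UDP datagram a capture like the one above contains. Per RFC 3948 and RFC 7296 section 2.23, once NAT traversal is detected both peers move IKE to port 4500, and on that port an IKE message is told apart from UDP-encapsulated ESP by a four-byte zero non-ESP marker (an ESP SPI of zero is reserved), while a lone 0xFF byte is a NAT keepalive. The classifier also flags a datagram whose two ports are 4500 and 500, which is the pattern described in the post. All sample datagrams, SPIs and ports below are constructed for illustration.

```python
import struct
from dataclasses import dataclass

IKE_PORT = 500      # IKE before NAT-T detection
NATT_PORT = 4500    # IKE (with non-ESP marker) and UDP-encapsulated ESP after float
NON_ESP_MARKER = b"\x00\x00\x00\x00"
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKE_HDR = "!QQBBBBII"   # SPIi, SPIr, next payload, version, exchange, flags, message ID, length


@dataclass
class Datagram:
    src_port: int
    dst_port: int
    payload: bytes


def parse_ike_header(b: bytes) -> dict:
    """Decode the fixed 28-byte IKEv2 header (RFC 7296 section 3.1)."""
    if len(b) < 28:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _next, version, exch, flags, msg_id, length = struct.unpack(IKE_HDR, b[:28])
    return {
        "spi_i": spi_i,
        "spi_r": spi_r,
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
        "initiator": bool(flags & 0x08),   # I(nitiator) bit
        "response": bool(flags & 0x20),    # R(esponse) bit
        "msg_id": msg_id,
        "length": length,
    }


def classify(dg: Datagram) -> tuple:
    """Return (kind, details) for a datagram on the IKE / NAT-T ports."""
    p = dg.payload
    if NATT_PORT in (dg.src_port, dg.dst_port):
        if p == b"\xff":
            return ("NAT-KEEPALIVE", {})
        if p[:4] == NON_ESP_MARKER:            # SPI 0 is reserved, so this cannot be ESP
            return ("IKE", parse_ike_header(p[4:]))
        if len(p) >= 8:
            spi, seq = struct.unpack("!II", p[:8])
            return ("ESP", {"spi": spi, "seq": seq})
        raise ValueError("short datagram on 4500")
    if IKE_PORT in (dg.src_port, dg.dst_port):
        return ("IKE", parse_ike_header(p))
    raise ValueError("not an IKE/NAT-T datagram")


def port_mismatch(dg: Datagram) -> bool:
    """True when one end uses 500 and the other 4500: after the float both ends must use 4500."""
    return {dg.src_port, dg.dst_port} == {IKE_PORT, NATT_PORT}


def build_ike(spi_i: int, spi_r: int, exch: int, flags: int, msg_id: int, body: bytes = b"") -> bytes:
    """Construct an IKEv2 header (next payload 33 = SA) for the samples; body is opaque here."""
    return struct.pack(IKE_HDR, spi_i, spi_r, 33, 0x20, exch, flags, msg_id, 28 + len(body)) + body


SPI_I, SPI_R = 0x1122334455667788, 0x99AABBCCDDEEFF00   # constructed values
SAMPLES = [
    Datagram(500, 500, build_ike(SPI_I, 0, 34, 0x08, 0)),                            # IKE_SA_INIT request
    Datagram(4500, 4500, NON_ESP_MARKER + build_ike(SPI_I, SPI_R, 35, 0x08, 1)),     # IKE_AUTH after float
    Datagram(4500, 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),          # UDP-encapsulated ESP
    Datagram(4500, 4500, b"\xff"),                                                   # NAT keepalive
    Datagram(4500, 500, NON_ESP_MARKER + build_ike(SPI_I, SPI_R, 36, 0x20, 2)),      # 4500 -> 500 pattern from the post
]


def analyse(samples=SAMPLES) -> list:
    """Summarise each datagram as (kind, src, dst, port_mismatch, exchange or None)."""
    rows = []
    for dg in samples:
        kind, info = classify(dg)
        rows.append((kind, dg.src_port, dg.dst_port, port_mismatch(dg), info.get("exchange")))
    return rows


if __name__ == "__main__":
    for row in analyse():
        print(row)
```

Running the script over the constructed samples prints one row per datagram; the last row comes out as an IKE CREATE_CHILD_SA response with the mismatch flag set, which is the kind of line worth pulling out of a real capture before deciding whether the traffic on 4500 is ESP at all or IKE carrying the Phase 2 negotiation.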