ISP marking ipsec traffic based on certificate, how is this possible?

Mark Zimmer sgi at
Thu Dec 17 09:28:57 UTC 2015

 Hello list,

  I have a site-to-site ipsec vpn with strongswan. It was working well
  for 5-6 months then a day ago I have noticed something strange, that
  from Site-A to Site-B (tunnel mode) only the upload bandwidth is 
  down to 20-30kbit/s inside the VPN.
  I have tried various apps like ftp, scp on different ports it was the
  same result. I also ran speedtest/wget on both endpoints just to make
  sure that not the entire connection of those networks are capped.

  Since outside parties cannot see anything from what's going on inside
  the tunnel, first I was thinking that they started limiting the 
  based on port (4500 udp) or based on protocol (ESP), that is easy to 

  In older versions of strongswan it's not possible to change the charon
  nat port (probably wouldn't work anyway since most of the traffic 
  be ESP (protocol 50)).
  I have restarted the strongswan daemon on both endpoints multiple 
  it did not change the situation (the bandwidth limiting was still 
  So my last idea was to make new vpn certificates. For my biggest
  surprise with the new certificates the capping was gone and the
  bandwidth went back to normal. I hope I don't have to put the old 
  back from backup just to make a point.

  One of the ISPs must started tagging the ipsec traffic based on the
  certificate and then do traffic shaping (QoS) on it to throttle down 
  bandwidth. How is this even possible? I was thinking that an ipsec
  connection is encrypted and random from the beginning. How can they
  define a pattern to their whatever device to be able to mark this
  specific traffic?
  Is there a part at the beginning of the connection sequence which is
  always the same with using the same certificate?

  Do I have to worry about here that my vpn keys got compromised?

  Anybody ever experienced this?


More information about the NANOG mailing list