When an IPSEC NAT tunnel is created I believe the UDP500 tunnel establishes first then after the UDP4500 tunnel to send the headers, initially. You can configure the MT to use a different IPSEC port in IPSEC Peers. Is it possible to configure the MT to send the IPSEC NAT info on a port other than UDP4500? Can a dst-nat rule be applied to the outgoing UDP4500 tunnel to change the destination UDP port number?

Thanks..

UDP/4500 is used for NAT-T only and encapsulates the AH or ESP packet. Do not change that destination port unless you can also change the port the other side listens for NAT-T packets on as it's a well defined port.

fewi thanks...

Yes I can redirect the far side. I have the situation where I need to forward 2IPSEC tunnels to MTs inside one boundary router. I can route the IPSEC tunnels to these MTs very well using port translations but, at the moment, the boundary router must receive port 4500 traffic then simultanously distribute it to the MTs. The router supports this and it works OK but its 'twitchy'. I want to try to take better control. I can do this if I can route 4500 traffic from the source MTs to different ports.

What do you think?

If you want you can have an outside router send to udp/5500 and then NAT the packet to udp/4500 for the inside router based on that, sure.

Thought about that but, for this particular setup, I think I would need to add another MT in-line to do the outbound, from source, port translation. It's this function I wanted to try to incorporate in the source MT itself.

I guess I don't understand what exactly you're trying to do. Can you post a network diagram and the exact problem you're trying to solve?