Unable to set up tunnel without NAT-T
-
I have a VPS on a public IP, and pfSense on my ISP's public IP, so there's no NAT involved. However, the tunnel appears to negotiate over NAT-T, which I'm trying to avoid for maximum throughput and minimal overhead.
The NAT-T settings in pfSense 2.2 appear to be Force or Auto only. I've even tried specifically opening ESP on my local and remote pfSense, as well as UDP port 500, and re-establishing the tunnel, but it keeps connecting with NAT-T.
Any ideas what I might be missing?
-
This is going to be fixed in the next release, due very soon I think. https://redmine.pfsense.org/issues/3979
You can modify /etc/inc/vpn.inc to force the strongswan config file to include "mobike = no" in the meantime.
Regards!
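As an added illustration of the workaround above (this is example material, not code from the thread or from pfSense's vpn.inc): the conn block below is what the hand edit should cause strongSwan's generated ipsec.conf to contain, with `mobike=no` beside the default `mobike=yes`, followed by a small check that reads `ipsec statusall` output and reports whether the CHILD_SAs are plain ESP or UDP-encapsulated ("ESP in UDP", i.e. NAT-T). The connection names, the 203.0.113.x/198.51.100.x addresses and the statusall sample are constructed; the conn block is a minimal fragment and assumes the rest of the conn (authentication, subnets, proposals) comes from the generated file.

```shell
#!/bin/sh
# Added example for the pfSense 2.2 / strongSwan NAT-T thread; not the
# project's own code. Addresses, conn names and the sample output are
# constructed.

# Emit a minimal strongSwan conn block. $1 = conn name, $2 = mobike value.
# With the default mobike=yes, charon moves an IKEv2 SA to UDP/4500 after
# authentication, which pfSense then reports as NAT-T even with no NAT in
# the path. mobike=no keeps IKE on UDP/500, so ESP stays unencapsulated
# unless NAT-D actually detects a translation.
conn_block() {
    cat <<EOF
conn $1
    keyexchange=ikev2
    left=203.0.113.10
    right=198.51.100.20
    mobike=$2
    auto=start
EOF
}

# Constructed `ipsec statusall` excerpt: con1 negotiated NAT-T, con2 did not.
sample_statusall() {
    cat <<'EOF'
Security Associations (2 up, 0 connecting):
   con1[3]: ESTABLISHED 14 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
   con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
   con2[4]: ESTABLISHED 2 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.30[198.51.100.30]
   con2{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 0a1b2c3d_i 4e5f6a7b_o
EOF
}

# Count CHILD_SAs on stdin that are UDP-encapsulated (NAT-T in use).
# `|| true` keeps a zero count from failing under `set -e`.
natt_child_sas() {
    grep -c 'ESP in UDP SPIs' || true
}

# Count CHILD_SAs on stdin that are plain ESP (IP protocol 50).
# The leading space excludes the "ESP in UDP SPIs" form.
plain_child_sas() {
    grep -c ' ESP SPIs' || true
}

# Print the verdict for each CHILD_SA line so an operator can see which
# conn is still on NAT-T after the mobike change.
natt_report() {
    awk '/SPIs:/ {
        mode = ($0 ~ /ESP in UDP/) ? "NAT-T (UDP/4500)" : "plain ESP";
        sub(/\{.*/, "", $1); print $1 ": " mode
    }'
}

# Stand-alone run: show both conn variants, then the report on the sample.
conn_block vps yes
conn_block vps no
sample_statusall | natt_report
```

On a live box, replace `sample_statusall` with `ipsec statusall` (pfSense 2.2 ships strongSwan 5.x, where that command exists). To confirm on the wire rather than from strongSwan's own view, a capture on the WAN such as `tcpdump -ni <wan-if> 'esp or udp port 4500'` will show whether traffic is protocol 50 or UDP/4500.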
-
Thanks for the tip. I'm familiar with strongSwan syntax, but not with pfSense's variables; could you suggest where to put mobike=no in vpn.inc?
-
Look for the part that generates the config file, and just hard-code it there as per the strongSwan syntax (it is pretty simple). I don't have a 2.2 install handy right now, so I can't tell you the line number, sorry.
-
If you're using IKEv2, it's what georgeman noted.
If it's IKEv1, that means there is some kind of translation happening between the systems. NAT-T is used where NAT-D sees a source IP or port change between the endpoints.