how to disable nat-t for ipsec?



  • Running 2.4.3-RELEASE-p1 (amd64) CE here on a Hyper-V. I do have my tunnel working and routable to an Azure VPN Gateway, but it's using UDP 4500. I'd like to disable that; some docs show the config for NAT-T under the phase 1 IPsec config but I see nothing there. In fact I can't see NAT-T anywhere.

    I even tried to bypass that by making a firewall rule to block UDP 4500 inbound on the WAN interface, but apparently those are just allowed in regardless, as I was able to connect/disconnect/connect/etc. the tunnel with no issues. ??? (That seems kind of like a hole, btw.)


  • Netgate

    You can't disable it if NAT is anywhere in what would be the ESP path.

    There are automatic rules for IPsec tunnels as most people who define an IPsec tunnel want IKE, ESP, and NAT-T to pass between the endpoints.

    You can disable these rules in System > Advanced, Firewall & NAT, Disable Auto-added VPN rules.
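As an added illustration of why the user's WAN block rule had no effect (this is example code, not from the thread or from pfSense itself): pf rules on pfSense are all `quick`, so the first matching rule wins, and the auto-added IPsec pass rules sit ahead of the user's WAN rules. The ruleset below is a constructed approximation of `pfctl -sr` output; the interface name, addresses and rule labels are assumptions, and the matcher ignores source/destination addresses to keep the point visible.

```python
"""First-match simulation of a pfSense WAN ruleset with and without the
auto-added VPN rules. Added example; the rules are constructed samples."""
import re

# Constructed: what the auto-added rules look like for one phase 1 entry.
# Peer 203.0.113.10 and WAN address 198.51.100.5 are placeholder values.
AUTO_VPN_RULES = [
    'pass in quick on em0 proto udp from 203.0.113.10 to 198.51.100.5 port = 500 label "IPsec: Azure - inbound isakmp"',
    'pass in quick on em0 proto udp from 203.0.113.10 to 198.51.100.5 port = 4500 label "IPsec: Azure - inbound nat-t"',
    'pass in quick on em0 proto esp from 203.0.113.10 to 198.51.100.5 label "IPsec: Azure - inbound esp"',
]
# Constructed: the user's WAN rules, including the block the poster added.
USER_WAN_RULES = [
    'block in quick on em0 proto udp from any to any port = 4500 label "USER_RULE: block NAT-T"',
    'block in quick on em0 all label "Default deny rule IPv4"',
]


def parse_rule(line):
    """Pull the fields this simulation cares about out of one pf rule line."""
    m_proto = re.search(r'proto (\S+)', line)
    m_port = re.search(r'port = (\d+)', line)
    return {
        'action': line.split()[0],
        'iface': re.search(r' on (\S+)', line).group(1),
        'proto': m_proto.group(1) if m_proto else 'any',   # 'all' rules match any proto
        'port': int(m_port.group(1)) if m_port else None,  # None = any port
        'label': re.search(r'label "([^"]*)"', line).group(1),
    }


def first_match(rules, iface, proto, dport):
    """pf with 'quick' on every rule: the first rule that matches decides."""
    for rule in map(parse_rule, rules):
        if rule['iface'] != iface:
            continue
        if rule['proto'] not in ('any', proto):
            continue
        if rule['port'] is not None and rule['port'] != dport:
            continue
        return rule
    return None


def verdict(auto_rules_enabled, proto, dport=None, iface='em0'):
    """Return (action, label) for an inbound packet on the WAN interface."""
    ruleset = (AUTO_VPN_RULES if auto_rules_enabled else []) + USER_WAN_RULES
    rule = first_match(ruleset, iface, proto, dport)
    return rule['action'], rule['label']
```

With the auto-added rules enabled, UDP 4500 from the peer is passed by the "inbound nat-t" rule before the user's block is ever consulted; once they are disabled, the block takes effect, but so does the default deny for ESP and IKE, so matching pass rules for the peer have to be added by hand.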