Turn off NAT-T in an IPSec Tunnel --
-
I have an issue with a Putty session across a IPSec Tunnel.
The connection is created and will stay active for hours, until I start doing something like a "netstat -rn", and then, while the session is up, the terminal becomes unresponsive until Putty fails with a Connection Error.
Trying to figure out why a connection to a public FQDN works while a connection based on IP over the IPSec Tunnel fails.
One thing I noticed is that the Status / IPsec / Overview shows that both ends of the Phase 1 show the link as NAT-T.
Host: 10.n.n.n:4500 Host: 18.n.n.n:4500
NAT-T
SPI: 98df7365092cdf3d NAT-T SPI: e1058c7ed11ea817

But the Configuration Panel VPN / IPsec / Tunnels / Edit Phase 1 / Advanced Options / NAT Traversal only appears to support Auto or Force. How do you set it to None?
-
@Phonebuff
NAT-T is only used if it is really needed. It's needed if the endpoint is behind a NAT router (if the endpoint isn't bound to the IP the remote endpoint sees). I don't think that this has anything to do with your issue.
Maybe ticking "Enable Maximum MSS" in System > Advanced > Firewall & NAT can help.
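To put numbers on the MSS clamping suggestion: ESP adds a header, IV, padding and ICV around each packet, and NAT-T adds a UDP header on top of that, so a TCP segment that fits the path MTU in the clear can exceed it once encapsulated. The following Python is an added example, not code from this thread or from pfSense. The transform labels, header sizes (taken from RFC 4303 and RFC 3948) and the sample status line are its own assumptions; it computes the largest MSS that survives encapsulation for a given path MTU, checks a candidate clamp value against it, and reads NAT-T use off a status line of the form quoted in the question (port 4500 means UDP encapsulation, port 500 plain ESP).

```python
"""Added example (not from the thread or from pfSense): work out whether a
given TCP MSS fits through an IPsec ESP tunnel without fragmenting, and read
NAT-T use off a status line like the one quoted in the question.

Header sizes follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation). The
transform names are labels chosen here for illustration, not pfSense's own."""
import re

IPV4_HDR = 20
UDP_HDR = 8        # NAT-T UDP encapsulation on port 4500 (RFC 3948); ESP gets no marker
TCP_HDR = 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1); the padding itself is computed below

# transform label -> (IV bytes, ICV bytes, alignment the encrypted part must satisfy)
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96":    (16, 12, 16),   # CBC pads to the 16-byte block size
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128":             (8, 16, 4),     # counter mode: only 4-byte alignment
}


def esp_overhead(transform: str, nat_t: bool) -> int:
    """Bytes outside the encrypted part: outer IP, optional UDP, ESP header, IV, ICV."""
    iv, icv, _ = TRANSFORMS[transform]
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + icv


def max_mss(path_mtu: int, transform: str, nat_t: bool) -> int:
    """Largest TCP MSS whose full segment (inner IP + TCP + payload) still fits
    in one outer packet of path_mtu bytes after ESP encapsulation."""
    _, _, align = TRANSFORMS[transform]
    room = path_mtu - esp_overhead(transform, nat_t)
    room -= room % align            # encrypted part must be a multiple of align
    inner_max = room - ESP_TRAILER  # inner packet plus padding fills the rest
    return inner_max - IPV4_HDR - TCP_HDR


def outer_size(mss: int, transform: str, nat_t: bool) -> int:
    """Size of the outer packet carrying one full-MSS TCP segment."""
    _, _, align = TRANSFORMS[transform]
    inner = IPV4_HDR + TCP_HDR + mss
    body = inner + ESP_TRAILER
    body += (-body) % align         # ESP padding up to the alignment boundary
    return esp_overhead(transform, nat_t) + body


def fragments(mss: int, path_mtu: int, transform: str, nat_t: bool) -> bool:
    """True when a full-MSS segment would not fit the path MTU once encapsulated."""
    return outer_size(mss, transform, nat_t) > path_mtu


def nat_t_from_status(line: str) -> bool:
    """True when the status line shows the peer on UDP 4500 (NAT-T
    encapsulation); IKE/ESP without NAT-T shows port 500."""
    m = re.search(r"Host:\s*(\S+):(\d+)", line)
    if not m:
        raise ValueError(f"no Host: addr:port field in {line!r}")
    return int(m.group(2)) == 4500


if __name__ == "__main__":
    status = "Host: 10.0.0.1:4500 Host: 198.51.100.1:4500"  # constructed sample line
    nat_t = nat_t_from_status(status)
    for name in TRANSFORMS:
        for natt in (False, True):
            print(f"{name:25s} nat_t={natt!s:5s} max MSS={max_mss(1500, name, natt)}")
    print("MSS 1400 fragments with NAT-T + CBC/SHA256:",
          fragments(1400, 1500, "aes-cbc/hmac-sha256-128", nat_t))
```

With a 1500-byte path MTU and AES-CBC with an HMAC, the largest MSS that survives NAT-T encapsulation works out to 1382; a clamp of 1400 still produces outer packets above 1500 bytes, which is why a clamp value needs to be checked against the actual transform and MTU rather than assumed safe.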
-
Okay,
I checked that setting and
Enable Maximum MSS: Enable MSS clamping on VPN traffic is checked.
Maximum MSS 1400

The connection is from 172.16.200.0/24 to 172.25.0.0/16
No need for any NAT when the tunnel is active. (Phase II)
-
So I forgot to add that this is a Netgate 3100
24.11-RELEASE (arm)
FreeBSD 15.0-CURRENT
built on Sat Jan 11 11:11:00 EST 2025

Hoping someone has some ideas on what I may have missed in the configuration.
-
@Phonebuff said in Turn off NAT-T in an IPSec Tunnel --:
The connection is created and will stay active for hours, until I start doing something like a "netstat -rn", and then, while the session is up, the terminal becomes unresponsive until Putty fails with a Connection Error.
Hoping someone has some ideas on where to start troubleshooting this so I can resolve the issue.