Netgate Discussion Forum

    Turn off NAT-T in an IPSec Tunnel --

      Phonebuff

      I have an issue with a Putty session across an IPSec Tunnel.

      The connection is created and will stay active for hours, until I start doing something like a "netstat -rn", and then, while the session is up, the terminal becomes unresponsive until Putty fails with a Connection Error.

      Trying to figure out why a connection to a public FQDN works while a connection based on IP over the IPSec Tunnel fails.

      One thing I noticed is that the Status / IPSec / Overview shows that both ends of the Phase 1 show the link as NAT-T.

      Host: 10.n.n.n:4500 Host: 18.n.n.n:4500
      NAT-T
      SPI: 98df7365092cdf3d NAT-T SPI: e1058c7ed11ea817

      But the Configuration Panel VPN / IPsec / Tunnels / Edit Phase 1 / Advanced Options / NAT Traversal only appears to support Auto or Force. How do you set it to None?

        viragomann @Phonebuff

        @Phonebuff
        NAT-T is only used if it is really needed. It's needed if the endpoint is behind a NAT router (if the endpoint isn't bound to the IP the remote endpoint sees).

        I don't think that this has anything to do with your issue.

        Maybe ticking "Enable Maximum MSS" in System > Advanced > Firewall & NAT can help.

          Phonebuff

          Okay,

          I checked that setting and

          Enable Maximum MSS: Enable MSS clamping on VPN traffic is Checked.
          Maximum MSS 1400

          The connection is from 172.16.200.0/24 to 172.25.0.0/16

          No need for any NAT when the tunnel is active. (Phase II)

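The thread's MSS clamp of 1400 and the NAT-T status (ESP carried in UDP on port 4500) are related: NAT-T adds a UDP header on top of the usual ESP tunnel-mode overhead, so fewer payload bytes fit into the WAN MTU before the encrypted packet has to be fragmented. The script below is an added example, not code from the thread or from pfSense; it estimates the ESP overhead for a few common transforms and the largest TCP MSS that still fits a given MTU. It goes beyond the thread by covering several ciphers; the 1500-byte WAN MTU and the cipher choices in main() are assumptions (the thread does not state which Phase 2 proposal is in use), and the IV/ICV/padding sizes are the standard ESP encodings.

```python
"""Estimate ESP tunnel-mode overhead and the TCP MSS that fits a WAN MTU.

Added example (not from the forum thread).  Assumptions: IPv4 outer and
inner headers without options, ESP tunnel mode, and the standard RFC
sizes for IV, padding and ICV of each transform listed below.
"""

IPV4_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8   # NAT-T wraps ESP in UDP (port 4500)
ESP_HEADER = 8   # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2  # pad length (1 byte) + next header (1 byte)

# Per-transform sizes: IV length, block size that the payload is padded to,
# and, for AEAD ciphers, the built-in ICV length.
CIPHERS = {
    "aes-cbc": {"iv": 16, "block": 16},
    "aes-gcm": {"iv": 8, "block": 4, "icv": 16},
    "chacha20-poly1305": {"iv": 8, "block": 4, "icv": 16},
}
# Truncated HMAC ICV lengths used with non-AEAD ciphers.
INTEGRITY = {
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
    None: 0,
}


def esp_overhead(inner_len, cipher, integrity=None, nat_t=False):
    """Bytes ESP tunnel mode adds to an inner IP packet of `inner_len` bytes."""
    c = CIPHERS[cipher]
    icv = c.get("icv", INTEGRITY[integrity])
    # ESP pads (payload + trailer) up to a multiple of the cipher block size.
    padding = (-(inner_len + ESP_TRAILER)) % c["block"]
    return (IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER
            + c["iv"] + padding + ESP_TRAILER + icv)


def segment_fits(mss, mtu, cipher, integrity=None, nat_t=False):
    """True if a full-size TCP segment (MSS payload) encrypts into <= mtu bytes."""
    inner = IPV4_HEADER + TCP_HEADER + mss
    return inner + esp_overhead(inner, cipher, integrity, nat_t) <= mtu


def max_mss(mtu, cipher, integrity=None, nat_t=False):
    """Largest MSS whose ESP packet fits in `mtu` without fragmentation.

    Searches downward because the padding depends on the inner length, so
    the relation between MSS and total size is not a simple subtraction.
    """
    for mss in range(mtu, 0, -1):
        if segment_fits(mss, mtu, cipher, integrity, nat_t):
            return mss
    raise ValueError("MTU too small for any payload")


if __name__ == "__main__":
    # Assumed 1500-byte WAN MTU; transforms are examples, not the thread's.
    for cipher, integ in (("aes-cbc", "hmac-sha1-96"), ("aes-gcm", None)):
        for nat_t in (False, True):
            print(f"{cipher:8s} NAT-T={str(nat_t):5s} "
                  f"max MSS at MTU 1500: {max_mss(1500, cipher, integ, nat_t)}")
    print("MSS 1400 fits with aes-cbc/hmac-sha1-96 over NAT-T:",
          segment_fits(1400, 1500, "aes-cbc", "hmac-sha1-96", nat_t=True))
```

For AES-CBC with HMAC-SHA1 over NAT-T the largest MSS that fits a 1500-byte MTU is 1382, so a clamp of 1400 still produces ESP packets that must be fragmented (or dropped by a path that blocks fragments or ICMP "fragmentation needed"), which is one plausible reason an interactive session stays up until a command produces a burst of full-size segments. Lowering the clamp below the computed value for the transform actually in use, or confirming with a do-not-fragment ping across the tunnel, is the check to run before touching NAT-T itself.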
            Phonebuff

            So I forgot to add that this is a Netgate 3100
            24.11-RELEASE (arm)
            FreeBSD 15.0-CURRENT
            built on Sat Jan 11 11:11:00 EST 2025

            Hoping someone has some ideas on what I may have missed in the configuration.

              Phonebuff

              @Phonebuff said in Turn off NAT-T in an IPSec Tunnel --:

              The connection is created and will stay active for hours, until I start doing something like a "netstat -rn", and then, while the session is up, the terminal becomes unresponsive until Putty fails with a Connection Error.

              Hoping someone has some ideas on where to start troubleshooting this so I can resolve the issue.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.