Netgate Discussion Forum

Unable to setup tunnel without NAT-T

IPsec
5 Posts 3 Posters 2.0k Views
    ACiD GRiM (Feb 27, 2015, 10:38 AM)

    I have a VPS on a public IP, and pfSense on my ISP's public IP, so there's no NAT involved. However, the tunnel appears to negotiate over NAT-T, which I'm trying to avoid for maximum throughput and minimal overhead.

    The NAT-T settings in pfSense 2.2 appear to only be Force or Auto. I've even tried specifically opening ESP on my local and remote pfSense as well as port 500 UDP and re-establishing the tunnel, but it keeps connecting with NAT-T.

    Any ideas what I might be missing?

      georgeman (Feb 27, 2015, 1:10 PM)

      This is going to be fixed in the next release, due very soon I think. https://redmine.pfsense.org/issues/3979

      You can modify /etc/inc/vpn.inc to force the strongswan config file to include "mobike = no" in the meantime.

      Regards!

      If it ain't broke, you haven't tampered enough with it

        ACiD GRiM (Feb 27, 2015, 9:44 PM)

        Thanks for the tip. I'm familiar with strongSwan syntax, but not with pfSense's variables; could you suggest where to put mobike=no in vpn.inc?

          georgeman (Feb 28, 2015, 9:55 PM)

          Look for the part that generates the config file, and just hard-code it there as per the strongSwan syntax (it is pretty simple). I don't have a 2.2 install handy right now to tell you the line number, sorry.


            cmb (Mar 1, 2015, 2:24 AM)

            If you're using IKEv2, it's what georgeman noted.

            If it's IKEv1, that means there is some kind of translation happening between the systems. NAT-T is used where NAT-D sees a source IP or port change between the endpoints.

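The check cmb describes is worth seeing concretely. The following is an added example, not pfSense or strongSwan code: it implements the IKEv2 NAT detection payload from RFC 7296 section 2.23, where each peer sends NAT_DETECTION_SOURCE_IP = SHA-1(SPIi | SPIr | source IP | source port) and the receiver recomputes the digest over the address and port the packet actually arrived from. A mismatch means something on the path rewrote the source, and the IKE SA moves to UDP 4500 with ESP-in-UDP encapsulation; matching digests keep IKE on UDP 500 and native ESP. IKEv1 NAT-D (RFC 3947) has the same shape, hashing the ISAKMP cookies instead of the SPIs with the negotiated hash algorithm, so the same reasoning applies to the IKEv1 case in the post above. The SPIs, addresses and ports are constructed sample values.

```python
"""
Added example (not pfSense or strongSwan code): how an IKEv2 peer decides
that NAT-T is needed, per RFC 7296 section 2.23.  The sender hashes the
address and port it believes it sent from; the receiver hashes what it saw.
Any difference (address or port rewrite) triggers UDP encapsulation.
All SPIs, addresses and ports below are constructed sample values.
"""
import hashlib
import socket
import struct


def nat_detection_digest(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP | port, port as 16-bit big-endian.

    The IP is packed to 4 bytes for IPv4 or 16 bytes for IPv6.  Both SPIs
    are exactly 8 bytes; SPIr is all zeros in the IKE_SA_INIT request.
    """
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    packed_ip = socket.inet_pton(family, ip)
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def translation_detected(spi_i: bytes, spi_r: bytes, claimed, observed) -> bool:
    """Receiver-side comparison.

    `claimed` is the (ip, port) the sender hashed into NAT_DETECTION_SOURCE_IP;
    `observed` is the (ip, port) the packet actually arrived from.  Returns
    True when the digests differ, i.e. the peers will use NAT-T.
    """
    sent = nat_detection_digest(spi_i, spi_r, *claimed)
    seen = nat_detection_digest(spi_i, spi_r, *observed)
    return sent != seen


# Constructed sample: the initiator's IKE_SA_INIT request, so SPIr is zero.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)
VPS = ("203.0.113.10", 500)        # constructed public address of the VPS
PFSENSE = ("198.51.100.20", 500)   # constructed public address of pfSense


def scenarios() -> dict:
    """Three constructed cases; only the first stays on UDP 500 / native ESP."""
    return {
        # Public IPs on both ends and nothing rewritten: digests match.
        "no_translation": translation_detected(SPI_I, SPI_R, VPS, VPS),
        # Only the source port was rewritten on the path: digest differs,
        # so NAT-T is selected even though the IP address is unchanged.
        "port_rewritten": translation_detected(SPI_I, SPI_R, VPS, (VPS[0], 61000)),
        # Source address rewritten (classic NAT).
        "ip_rewritten": translation_detected(SPI_I, SPI_R, VPS, (PFSENSE[0], 500)),
    }


if __name__ == "__main__":
    for name, nat_t in scenarios().items():
        mode = "NAT-T (UDP 4500, ESP-in-UDP)" if nat_t else "UDP 500, native ESP"
        print(f"{name:16s} -> {mode}")
```

The practical takeaway for the original question: an IKEv1 tunnel that lands on NAT-T without any NAT box in the picture is telling you that a digest mismatch occurred, so compare the source address and port of the IKE packets as sent with what the far end receives (a capture on both sides of the path) before looking for a configuration knob.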
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.