OPNsense Forum

English Forums => Virtual private networks => Topic started by: MoonbeamFrame on November 27, 2020, 11:27:41 am

Title: IPSEC (NAT-T)
Post by: MoonbeamFrame on November 27, 2020, 11:27:41 am

For a policy-based IPSEC between 2 OPNsense 20.7.5 boxes I have NAT-T disabled.

In the logs I can see both sides sending data on UDP/4500 which, as expected, is blocked at the other end.

Are there other configuration settings which affect NAT-T outside of the phase 1 configuration?

Title: Re: IPSEC (NAT-T)
Post by: mimugmail on November 27, 2020, 12:04:38 pm

Maybe better check IPsec logs

Title: Re: IPSEC (NAT-T)
Post by: MoonbeamFrame on November 27, 2020, 12:21:51 pm

The logs show sending and receiving of UDP/4500

Title: Re: IPSEC (NAT-T)
Post by: MoonbeamFrame on November 27, 2020, 12:28:27 pm
OK I think I have it.

Using IKEv2. So NAT Traversal is always enabled.

But if NAT-T is disabled in the phase 1 proposal the inbound NAT-T is rejected (because the Automatically generated rule is not created).
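The symptom in this thread (both peers negotiate NAT-T under IKEv2 and send UDP/4500, while the receiving firewall drops it because the phase 1 setting did not create the automatic allow rule) is easy to confirm from the firewall log. The following is an added example, not code from OPNsense or strongSwan: it scans constructed, simplified log records of the form `action,direction,proto,src,dst,dport` (not the real filterlog CSV layout) for inbound UDP/500 and UDP/4500 blocks from known IPsec peers and maps each finding to the phase 1 setting involved. The peer and local addresses are constructed documentation-range values.

```python
"""Triage for blocked IPsec control traffic (IKE on UDP/500, NAT-T on UDP/4500).

Added example for this thread; not OPNsense's or strongSwan's code.
Log lines are constructed, simplified "action,direction,proto,src,dst,dport"
records, not the exact OPNsense filterlog CSV format.
"""

from collections import Counter

IKE_PORT = 500      # IKE_SA_INIT / IKEv1 main mode
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP once NAT-T is negotiated


def parse_line(line):
    """Parse one constructed record into a dict; return None for malformed input."""
    fields = line.strip().split(",")
    if len(fields) != 6:
        return None
    action, direction, proto, src, dst, dport = fields
    try:
        dport = int(dport)
    except ValueError:
        return None
    return {"action": action, "direction": direction, "proto": proto.lower(),
            "src": src, "dst": dst, "dport": dport}


def blocked_ipsec_control_traffic(lines, peers):
    """Count inbound UDP/500 and UDP/4500 blocks per (peer, port) for the given peer set.

    Outbound blocks and traffic from unknown hosts are ignored: the thread's
    question is whether a configured peer's NAT-T packets are being dropped.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "block" or rec["direction"] != "in":
            continue
        if rec["proto"] != "udp" or rec["dport"] not in (IKE_PORT, NAT_T_PORT):
            continue
        if rec["src"] in peers:
            hits[(rec["src"], rec["dport"])] += 1
    return hits


def diagnose(hits):
    """Turn the counts into human-readable findings tied to the phase 1 configuration."""
    findings = []
    for (peer, port), count in sorted(hits.items()):
        if port == NAT_T_PORT:
            findings.append(
                f"{peer}: {count} inbound UDP/4500 blocked; the peer negotiated NAT-T, "
                "so NAT Traversal must be enabled in phase 1 for the automatic rule to exist")
        else:
            findings.append(
                f"{peer}: {count} inbound UDP/500 blocked; IKE itself is not allowed in")
    return findings


# Constructed sample log: 198.51.100.1 is the local box, 203.0.113.2 the IPsec peer.
SAMPLE_LOG = [
    "pass,in,udp,203.0.113.2,198.51.100.1,500",      # IKE allowed by the automatic rule
    "block,in,udp,203.0.113.2,198.51.100.1,4500",    # NAT-T dropped: the symptom
    "block,out,udp,198.51.100.1,203.0.113.2,4500",   # outbound, not our concern here
    "block,in,udp,203.0.113.2,198.51.100.1,4500",    # second NAT-T drop
    "block,in,udp,192.0.2.9,198.51.100.1,4500",      # unknown host, ignored
    "this line is malformed",
]

if __name__ == "__main__":
    for finding in diagnose(blocked_ipsec_control_traffic(SAMPLE_LOG, {"203.0.113.2"})):
        print(finding)
```

Run against a real export, the peer set would be the remote gateway addresses from the phase 1 entries; a non-empty result for UDP/4500 from a peer confirms the mismatch described in the last post.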