> Also note that NAT-T is an endpoint feature, not a router feature. You
> don't say what you're trying to do, but if you're trying to get some
> *other* machine to do IPsec *through* m0n0wall, then NAT-T would need to
> be provided on the *other* machine.
Oops, forgot to mention my intended usage.
m0n0wall is used as an exterior firewall, allowing IPSec access in from
various roadwarrior clients. All clients initiating a connection from a
routable IP (read: not behind NAT) have no issues keying and initiating a
tunnel. Some clients that are behind NAT have no issues whatsoever, and
there are those few poor souls who are stuck behind ancient NAT
implementations which do not work. I myself cannot pass traffic from
behind an older PIX, though both phases 1 and 2 complete successfully. I
know what you're thinking, and no, it's not an ACL or other intentional
restrictive policy. :)
If I remember, I'll snag logs from both my laptop and the m0n0wall box the
next time I try it. Perhaps one (or more) of you would be interested in
seeing it.
Brian