You may be able to get manually keyed ESP in tunnel mode to work, but that's suboptimal from a management and security perspective.
Saw websites that recommend this configuration, but it won't work for me either.
If it's worked for someone else, you may want to dig into it.
Yep, this could be the solution. Already found this NAT-T patch. Any experiences ???
Sorry, no. There's an article at SANS about NAT-T; a Google search for 'nat traversal ipsec peace agreement' should make it top of the list. It's got a couple of obvious errors (that any QA would have found), but it gets the message across. Oh, you need to register to be allowed access to their 'reading room'. Bottom line is that NAT-T works for outbound connections and protocols that don't need any special treatment, such as FTP, RPC, etc. It seems to me that you can't place NAT-T devices in a head-to-head configuration, but I may be wrong here.
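As an added illustration of the UDP encapsulation that NAT-T relies on (this is not code from the thread or from any of the products mentioned), the parser below splits the payload of a UDP/4500 datagram into IKE, ESP or NAT keepalive following RFC 3948; the sample datagrams are constructed for the example, not captured traffic.

```python
import struct

NAT_T_PORT = 4500                      # UDP port carrying both IKE and ESP once NAT-T is negotiated
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes prefix IKE on port 4500 (RFC 3948)


def classify_nat_t_payload(udp_payload: bytes) -> dict:
    """Classify a UDP/4500 payload as 'ike', 'esp' or 'nat-keepalive'.

    An ESP SPI of zero is reserved, so four leading zero bytes unambiguously
    mark an IKE message; a single 0xFF byte is a NAT keepalive; anything else
    is a UDP-encapsulated ESP packet whose first 8 bytes are SPI and sequence.
    """
    if udp_payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(udp_payload) < 8:
        raise ValueError("too short for ESP or IKE")
    if udp_payload[:4] == NON_ESP_MARKER:
        ike = udp_payload[4:]
        if len(ike) < 28:
            raise ValueError("truncated IKE header")
        # IKE header: initiator SPI, responder SPI, next payload, version,
        # exchange type, flags, message ID, total length
        ispi, rspi, _np, _ver, exch, _flags, _msg_id, length = struct.unpack("!QQBBBBII", ike[:28])
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
                "exchange_type": exch, "length": length}
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample payloads (hypothetical values, not captured traffic)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16
SAMPLE_IKE = NON_ESP_MARKER + struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for sample in (SAMPLE_ESP, SAMPLE_IKE, SAMPLE_KEEPALIVE):
        print(classify_nat_t_payload(sample))
```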
Are you forced to have NAT take place on that outer router?
??? It's not my router and they had enabled NAT as a kind of "security" :O)
NAT isn't a security feature, IMnsHO.
PS: I read something about your secunet on tickers. freeS/wan ipsec for the boxes certified by RegTP? Nice!
Disclaimer: I work for secunet. None of what I say necessarily reflects my employer's opinions, policy, whatever. I do not mean to abuse this list for advertising. Yeah, that'd be our SINA box. It is pretty good security-wise, if I say so myself (see disclaimer). Cheers, Tobias