After I upgraded from OpenBSD 4.6 to 5.2, I have the following problem with isakmpd+nat when the remote side is behind a NAT gateway:

OpenBSD Phase 1 recognizes NAT and switches to port 4500 to send the ID information. OpenBSD Phase 2 then tries to negotiate TUNNEL mode, but the remote side rejects this with 'no proposal chosen'. The remote side's log says something like: expected 'UDP Encapsulated TUNNEL', got 'TUNNEL'.

I believe that I never saw 'UDP_ENCAP_TUNNEL' in the tcpdump of isakmpd.pcap when I was on 4.6. Why did it work with 4.6 and not with 5.2?

Best Regards / Mit freundlichen Grüßen
Christoph