Hi Glen,

> So I guess NAT keepalives may be sent by either side as long as it's NATed?

You are right. I thought we disabled that on responders at some point, as a NAT on that end usually has to be static, so keepalives are not necessary. But it's possible that we left it as is with dynamic double NAT scenarios via mediation extension in mind. It could always be disabled on servers behind static NATs via charon.keep_alive=0.

> Maybe I should use --net host to eliminate NAT to get better performance?

Unless your clients are *not* behind a NAT, it probably doesn't make that much of a difference, as UDP encapsulation will be required anyway. But sure, for full performance you probably want to avoid the additional NAT.

Regards,
Tobias
