HiHo!

NAT-T (or nat-traversal) is also a solution, as you stated yourself. It is also available for several other IPsec solutions. Yet for FreeSwan you need at least a patch (nat-traversal) or use superfreeswan (www.freeswan.ca). I don't know about other implementations, esp. the new derived ones.

Nat-traversal encapsulates the complete packets into yet another UDP packet destined for port 4500. This can be natted as usual. The other side simply has to pick the IPsec packet from the UDP packet. So NAT-T must be used on both sides, yet it has the advantage that it is more transparent.

ciao
markus
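The encapsulation described in the message above, as an added example that is not part of the original post: an ESP packet is wrapped in UDP for port 4500, passes a port-translating NAT, and is unwrapped by the peer. It assumes the RFC 3948 payload layout (non-ESP marker for IKE, one-byte keepalive), which the post does not name; all function names and the sample packet are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00" * 4   # four zero bytes precede IKE messages on port 4500
KEEPALIVE = b"\xff"            # one-byte NAT keepalive payload

def udp_wrap(payload, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """Prepend a UDP header; checksum 0 means 'not computed'."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def encapsulate_esp(esp):
    """Sender side: put the complete ESP packet inside UDP/4500."""
    if len(esp) < 8 or esp[:4] == NON_ESP_MARKER:
        raise ValueError("ESP needs a non-zero SPI and a sequence number")
    return udp_wrap(esp)

def nat_rewrite(datagram, new_sport):
    """Model of a port-translating NAT: only the outer source port changes."""
    _, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_sport, dport, length, csum) + datagram[8:]

def decapsulate(datagram):
    """Receiver side: classify the UDP payload, return (kind, inner bytes)."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    payload = datagram[8:]
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    # After NAT only one of the two ports is still 4500.
    if NAT_T_PORT not in (sport, dport):
        return ("not-nat-t", payload)
    if payload == KEEPALIVE:
        return ("keepalive", b"")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    if len(payload) < 8:
        raise ValueError("too short for an ESP header")
    return ("esp", payload)

# Constructed sample: SPI 0x1234abcd, sequence number 1, dummy ciphertext.
SAMPLE_ESP = struct.pack("!II", 0x1234ABCD, 1) + b"constructed-ciphertext"

if __name__ == "__main__":
    natted = nat_rewrite(encapsulate_esp(SAMPLE_ESP), 61001)
    kind, inner = decapsulate(natted)
    print(kind, inner == SAMPLE_ESP)
```

The inner ESP bytes come out unchanged after the NAT rewrites the outer UDP header, which is why the integrity check on the IPsec packet still passes at the peer.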