That's one of the things I'm going to look at.  But this was working at some
  point in the past, several months ago.  The only thing that has changed is
  the ipsec-tools and kernel versions.

I'm using a DLINK DI-624, if that tweaks anyone's memory.  I'm running the
  latest firmware available for my DLINK hardware (2.50), and my Contivity
  client on my other machine works just fine through the NAT.

Matthias Scheler wrote:
On Tue, Aug 23, 2005 at 11:33:46PM +0100, Matthias Scheler wrote:
IKE negotiation stalls shortly after startup, with it eventually timing
That sounds like a problem with your NAT router. Have you tried to
enable "ike_frag"?

Another idea:
Does your NAT router perhaps not handle traffic to port 4500 correctly?
IKE negotiation will start on port 500 and later switch to port 4500
if NAT-T is used. If only traffic to port 500 gets through it would
explain why the IKE exchange starts but doesn't finish.

	Kind regards


Marcus Leech                            Mail:   Dept 1A12, M/S: 04352P16
Security Standards Advisor        Phone: (ESN) 393-9145  +1 613 763 9145
Advanced Technology Research
Nortel Networks