Hi Flavius,

As IKEv1 responder the trigger to use UDP encapsulation is the encapsulation mode sent in the proposals received from the client during Quick Mode. If it proposes tunnel mode without encapsulation then the server won't use UDP encapsulation (there is currently no check if a NAT was found and we just use the first encap mode attribute from any proposal). That's mainly based on what RFC 3947 says about this:

   It is not normally useful to propose both normal tunnel or transport
   mode and UDP-Encapsulated modes.
   ...
   Also, the initiator SHOULD NOT include both normal tunnel or
   transport mode and UDP-Encapsulated-Tunnel or UDP-Encapsulated-Transport
   in its proposals.

Could you send me a log with the log level for enc increased to 3 [1]. That should show what the client actually proposes (i.e. if it has proposals with plain tunnel mode but perhaps also some with UDP encapsulation).

I think OpenBSD also supports IKEv2, I'd recommend you switch to that if you can.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
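
The selection rule described in the message above (the first Encapsulation Mode attribute found in any proposal decides), as an added example that is not part of the original e-mail and is not strongSwan code. It decodes ISAKMP data attributes (RFC 2408 section 3.3) and flags an initiator that mixes plain and UDP-encapsulated modes; the function names and the sample attribute bytes are constructed for illustration.

```python
import struct

ENCAP_MODE = 4                      # IPsec DOI attribute type (RFC 2407)
MODES = {1: "tunnel", 2: "transport",
         3: "udp-encap-tunnel", 4: "udp-encap-transport"}  # 3 and 4: RFC 3947
UDP_MODES = {3, 4}

def parse_attributes(data):
    """Yield (type, value) pairs from a run of ISAKMP data attributes."""
    off = 0
    while off + 4 <= len(data):
        head, field = struct.unpack_from("!HH", data, off)
        off += 4
        if head & 0x8000:           # AF=1: TV form, the field is the value
            yield head & 0x7FFF, field
        else:                       # AF=0: TLV form, the field is the length
            if off + field > len(data):
                raise ValueError("truncated attribute")
            yield head, int.from_bytes(data[off:off + field], "big")
            off += field

def encap_modes(proposals):
    """Encapsulation Mode values in the order the proposals carry them."""
    return [value for attrs in proposals
            for atype, value in parse_attributes(attrs)
            if atype == ENCAP_MODE]

def responder_decision(proposals):
    """Model of the described behaviour: the first encap mode seen wins."""
    modes = encap_modes(proposals)
    first = modes[0] if modes else None
    seen = set(modes)
    return {
        "first": MODES.get(first, first),
        "udp_encap": first in UDP_MODES,
        # RFC 3947: the initiator SHOULD NOT propose both kinds
        "mixed": bool(seen & UDP_MODES) and bool(seen - UDP_MODES),
    }

# Constructed sample attributes: life type, life duration (TLV, 3600 s),
# encapsulation mode, authentication algorithm.
PLAIN = bytes.fromhex("80010001" "00020004" "00000e10" "80040001" "80050002")
UDP = bytes.fromhex("80010001" "00020004" "00000e10" "80040003" "80050002")

if __name__ == "__main__":
    print(responder_decision([PLAIN, UDP]))  # plain tunnel listed first
    print(responder_decision([UDP]))
```

With the plain tunnel proposal listed first, the model picks no UDP encapsulation even though a UDP-encapsulated proposal follows, which is the situation the requested enc log would reveal.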