My GUESS is that it is like L2TP, etc., with a PSK.
The only way the client can know the server is correct is if it has the right endpoint address (and the right PSK).
And a part of the NAT-T negotiation is to determine the actual endpoint addresses.
What it gets back (192.168.5.4) isn't what the client wants to see.
With certificates, you know the server is the one you want whether behind a NAT or not.
You can double NAT the server, so it actually does have a 192.168.4.4 IP address, and it will likely work.
Assuming you are NATing all protocols and ports through to it (e.g. including ESP).
Statistics: Posted by rplant — Tue Apr 22, 2025 7:17 am
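As an added illustration (not code from the post or the thread), here is the NAT-T detection step the post refers to: each IKEv2 peer sends a SHA-1 hash over the two SPIs plus the address and port it believes it is using (RFC 7296, section 2.23); the other side recomputes that hash from the address it actually saw on the wire, and a mismatch reveals a NAT in the path. The SPIs and the public address 203.0.113.10 are constructed sample values; 192.168.5.4 is the private server address from the post.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data carried in an IKEv2 NAT_DETECTION_*_IP notify (RFC 7296 s2.23):
    SHA-1 over SPIi | SPIr | IP address | port (port big-endian)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed  # 4 bytes (IPv4) or 16 bytes (IPv6)
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_in_path(spi_i: bytes, spi_r: bytes,
                claimed_ip: str, claimed_port: int,
                observed_ip: str, observed_port: int) -> bool:
    """True if the hash the peer sent (over the address it thinks it has)
    differs from the hash over the address/port actually seen on the wire,
    i.e. some NAT rewrote the header between the two peers."""
    sent = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    seen = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return sent != seen


def server_behind_nat(server_private_ip: str, server_public_ip: str) -> bool:
    """Client-side view: the server hashed its own interface address in
    NAT_DETECTION_SOURCE_IP; the client recomputes over the source address
    of the packet it received. Constructed sample SPIs."""
    spi_i = bytes.fromhex("0011223344556677")  # constructed
    spi_r = bytes.fromhex("8899aabbccddeeff")  # constructed
    return nat_in_path(spi_i, spi_r,
                       server_private_ip, 500,   # what the server put in the hash
                       server_public_ip, 500)    # what the client actually saw


if __name__ == "__main__":
    # Server on 192.168.5.4 reached through a NAT at 203.0.113.10: NAT detected.
    print("NAT detected:", server_behind_nat("192.168.5.4", "203.0.113.10"))
    # Server whose own address matches what the client sees: no NAT.
    print("NAT detected:", server_behind_nat("203.0.113.10", "203.0.113.10"))
```

Once a NAT is detected this way, the peers switch to UDP encapsulation on port 4500 so that ESP survives the NAT, which is the case the post's last line (NATing ESP through) is about.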