On Thursday 19 May 2011 13:02:52 Nick Howitt wrote: > Also if you do not > need NAT-T what is the point of adding nat_traversal=yes? Again, just > ignore ipsec.verify for this one. Quite right, other than answering OP's question. Perhaps 'FAILED' is a bit strong here, since it's not *really* a failure. But it *does* seem to get attention.