Occasionally I see L2TP/IPsec connections become unstable on mobile networks; this is usually related to the NAT environment.

The IPsec configuration file /etc/ipsec.conf does not enable NAT traversal by default, although IPsec does support it.

The ipsec.conf documentation describes the three parameters that enable NAT traversal; they have to be added manually to the config setup section:

   nat_traversal

whether to accept/offer to support NAT (NAPT, also known as "IP Masquerade") workaround for IPsec. Acceptable values are: yes and no (the default). This parameter may eventually become per-connection.

   force_keepalive

whether to force sending NAT-T keep-alives to support NAT; these are sent to prevent the NAT router from closing its port when there is not enough traffic on the IPsec connection. Acceptable values are: yes and no (the default). This parameter may eventually become per-connection.

   keep_alive

The delay (in seconds) for NAT-T keep-alive packets, if these are enabled using force_keepalive. This parameter may eventually become per-connection.

Enable traversal:

nat_traversal=yes
force_keepalive=yes

The value of keep_alive, however, needs some experimentation. It sets the interval between the packets that keep the connection alive. If the interval is too many seconds, the NAT router times out and closes the connection; if it is too short, the frequent packets may interfere with normal traffic. A value between 5 and 10 is recommended.

Once this is configured, restart ipsec and xl2tpd and the connection works normally.
The configuration file is as follows
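As an added check (not the post's own configuration file), the script below looks only at the config setup section of an ipsec.conf and reports whether nat_traversal and force_keepalive are on and whether keep_alive falls in the suggested 5 to 10 second range; the config text it inspects is constructed for the example.

```shell
#!/bin/sh
# Added example, not the original post's configuration: inspect the
# "config setup" section of an ipsec.conf for the three NAT-T parameters.
# The config text below is constructed; in practice read /etc/ipsec.conf.
SAMPLE_CONF='config setup
    nat_traversal=yes
    force_keepalive=yes
    keep_alive=8

conn L2TP-PSK
    type=transport
    authby=secret
'

# Print the value of parameter $2 from the "config setup" section of $1.
# Parameters in "conn" sections are ignored, since NAT-T is a global setting.
setup_param() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[ \t]*config[ \t]+setup/ { insetup = 1; next }
        /^[ \t]*conn[ \t]/          { insetup = 0 }
        insetup && $0 ~ "^[ \t]*" p "[ \t]*=" {
            sub(/^[ \t]*[^=]*=[ \t]*/, ""); print; exit
        }'
}

# Return 0 when NAT-T and keep-alives are on and keep_alive is within 5..10 s.
check_natt() {
    nt=$(setup_param "$1" nat_traversal)
    fk=$(setup_param "$1" force_keepalive)
    ka=$(setup_param "$1" keep_alive)
    [ "$nt" = yes ] || { echo "nat_traversal=${nt:-unset} (default no): NAT-T is off"; return 1; }
    [ "$fk" = yes ] || { echo "force_keepalive=${fk:-unset}: keep-alives are off"; return 1; }
    case "$ka" in
        ''|*[!0-9]*) echo "keep_alive=${ka:-unset}: expected a number of seconds"; return 1 ;;
    esac
    if [ "$ka" -lt 5 ] || [ "$ka" -gt 10 ]; then
        echo "keep_alive=$ka: outside the suggested 5..10 s range"; return 1
    fi
    echo "NAT-T enabled, keep-alive every ${ka}s"
}

check_natt "$SAMPLE_CONF"
```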

PS: In English, NAT-traversal means "NAT 遍历" (traversing NAT), but somehow the Chinese documentation rendered it as "NAT 穿透" (NAT penetration); perhaps that translation describes the feature more vividly.