diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index c0c6b1e..4136e2c 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -9,6 +9,7 @@ in
 vpns = {
 l2 = {
 as211024 = {
+ udpEncapsulation = true;
 vni = 211024;
 security.enable = true;
 peers = {
diff --git a/nixos/default.nix b/nixos/default.nix
index 82a3592..626eaa0 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -135,6 +135,7 @@ let
 ipv6 = mkBoolOpt' false "Whether this mesh's underlay operates over IPv6.";
 baseMTU = mkOpt' ints.unsigned 1500 "Base MTU to calculate VXLAN MTU with.";
 l3Overhead = mkOpt' ints.unsigned 40 "Overhead of L3 header (to calculate MTU).";
+ udpEncapsulation = mkBoolOpt' false "Whether to encapsulate ESP frames in UDP.";
 firewall = mkBoolOpt' true "Whether to generate firewall rules.";
 vni = mkOpt' ints.unsigned 1 "VXLAN VNI.";
 peers = mkOpt' (attrsOf (submodule l2PeerOpts)) { } "Peers.";
diff --git a/nixos/modules/l2mesh.nix b/nixos/modules/l2mesh.nix
index 6af107b..94a294e 100644
--- a/nixos/modules/l2mesh.nix
+++ b/nixos/modules/l2mesh.nix
@@ -36,8 +36,8 @@ let
 espOverhead =
 if (!mesh.security.enable) then 0
 else
- # SPI + seq + IV + pad / header + ICV
- 4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
+ # UDP encap + SPI + seq + IV + pad / header + ICV
+ (if mesh.udpEncapsulation then 8 else 0) + 4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
 # UDP + VXLAN + Ethernet + L3 (IPv4/IPv6)
 overhead = espOverhead + 8 + 8 + 14 + mesh.l3Overhead;
 in
@@ -62,7 +62,11 @@ let
 chain l2mesh-${name} {
 ${optionalString mesh.security.enable ''
 udp dport isakmp accept
- meta l4proto esp accept
+ ${if mesh.udpEncapsulation then ''
+ udp dport ipsec-nat-t accept
+ '' else ''
+ meta l4proto esp accept
+ ''}
 ''}
 ${optionalString (!mesh.security.enable) (vxlanAllow mesh.vni)}
 return
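Review bot: The udpEncapsulation branch of chain l2mesh-${name} accepts only `udp dport ipsec-nat-t` and no longer admits raw ESP, which is correct only if every peer is forced to encapsulate rather than left to NAT detection; that appears to be what the `encapsulation=` line in the conn template is for, but the coupling is not stated anywhere in the chain. A one-line comment above the branch would make it explicit, e.g. `# raw ESP is deliberately not accepted here: peers are configured with encapsulation=yes`. The option description in nixos/default.nix could likewise say what the flag changes, e.g. `"Whether to encapsulate ESP frames in UDP (UDP/4500); also selects the firewall rule and adds the UDP header to the VXLAN MTU overhead."`. The chain definition continues past the shown lines.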
@@ -94,6 +98,7 @@ let
 esp=${if mesh.security.encrypt then "aes_gcm256" else "null-sha256"}
 ikev2=yes
 modecfgpull=no
+ encapsulation=${if mesh.udpEncapsulation then "yes" else "no"}
 '';
 }) otherPeers);