Re: IPSEC problems with pf

From: Eugene Grosbein <>
Date: Sun, 26 Sep 2021 11:27:07 UTC
26.09.2021 10:12, Peter Jeremy wrote:

> I'm confident that the last point is because the IPSEC processing precedes
> the pfil processing on outbound packets, so they aren't seen as eligible
> because IPSEC is seeing the internal, rather than external, address.

I found it much more suitable to keep IPsec transport mode but also create a gif(4) tunnel between "firewall" and "VPS"
with its own pair of internal IP addresses, so traffic can be encapsulated into the tunnel first and then encrypted.
So it does not need to be NATed.
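The layout above, worked out as an added example (not from Eugene's post or from FreeBSD's own documentation): two hosts, "firewall" and "VPS", each with a public outer address and a tunnel-internal address; gif0 carries inner-to-inner traffic as IP-in-IP (protocol 4, "ipencap") between the outer addresses, and a transport-mode SPD then requires ESP for exactly that proto-4 flow. Because the inner addresses are routed over gif0 rather than translated, no nat rule is needed, and pf can match the real traffic by inner address on gif0. All addresses (192.0.2.1, 198.51.100.1, 10.99.0.1, 10.99.0.2), the interface name em0 and the function names are assumptions; SA keys or an IKE daemon are deliberately left out, as is any site-specific policy.

```shell
#!/bin/sh
# Added example for gif(4) over transport-mode IPsec. Constructed, not from the
# original post; every address and interface name below is hypothetical.
#
#   "firewall"  outer 192.0.2.1     inner 10.99.0.1
#   "VPS"       outer 198.51.100.1  inner 10.99.0.2
#
# gif0 encapsulates inner<->inner packets as IP-in-IP (ipencap, proto 4)
# between the outer addresses; transport-mode IPsec protects only that
# proto-4 flow, so nothing is NATed and pf filters inner addresses on gif0.

FW_OUTER=192.0.2.1
VPS_OUTER=198.51.100.1
FW_INNER=10.99.0.1
VPS_INNER=10.99.0.2

# gif_rc_conf LOCAL_OUTER REMOTE_OUTER LOCAL_INNER REMOTE_INNER
# rc.conf(5) lines that bring up gif0 on one side and load the SPD at boot.
gif_rc_conf() {
    cat <<EOF
cloned_interfaces="gif0"
ifconfig_gif0="inet $3 $4 netmask 255.255.255.255 tunnel $1 $2"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
EOF
}

# ipsec_spd LOCAL_OUTER REMOTE_OUTER
# setkey(8) policy for /etc/ipsec.conf: require ESP in transport mode for the
# IP-in-IP packets gif0 emits and receives. SAs ("add" lines or IKE) omitted.
ipsec_spd() {
    cat <<EOF
spdadd $1 $2 ipencap -P out ipsec esp/transport//require;
spdadd $2 $1 ipencap -P in  ipsec esp/transport//require;
EOF
}

# pf_rules EXT_IF LOCAL_OUTER REMOTE_OUTER
# pf.conf fragment. On the external interface pf sees ESP (outbound IPsec
# runs before pfil, so the outbound packet is already ESP) plus the decrypted
# inbound ipencap packet when it is re-injected; the real traffic is filtered
# by inner address on gif0. No "nat on" rule anywhere.
pf_rules() {
    cat <<EOF
pass in  on $1 proto esp from $3 to $2
pass out on $1 proto esp from $2 to $3
pass in  on $1 proto ipencap from $3 to $2
pass on gif0 from $FW_INNER to $VPS_INNER
pass on gif0 from $VPS_INNER to $FW_INNER
EOF
}

# render_side NAME LOCAL_OUTER REMOTE_OUTER LOCAL_INNER REMOTE_INNER
render_side() {
    printf '### %s: /etc/rc.conf\n' "$1"
    gif_rc_conf "$2" "$3" "$4" "$5"
    printf '### %s: /etc/ipsec.conf\n' "$1"
    ipsec_spd "$2" "$3"
    printf '### %s: pf.conf fragment\n' "$1"
    pf_rules em0 "$2" "$3"
}

# Both sides are the same template with the roles swapped.
firewall_config() { render_side firewall "$FW_OUTER" "$VPS_OUTER" "$FW_INNER" "$VPS_INNER"; }
vps_config()      { render_side VPS "$VPS_OUTER" "$FW_OUTER" "$VPS_INNER" "$FW_INNER"; }

# Sanity check before copying the files around: tunnel endpoints and SPD
# directions must mirror each other, and there must be no nat rule at all.
check_mirror() {
    firewall_config | grep -q "tunnel $FW_OUTER $VPS_OUTER" || return 1
    vps_config      | grep -q "tunnel $VPS_OUTER $FW_OUTER" || return 1
    firewall_config | grep -q "spdadd $FW_OUTER $VPS_OUTER ipencap -P out" || return 1
    vps_config      | grep -q "spdadd $VPS_OUTER $FW_OUTER ipencap -P out" || return 1
    ! { firewall_config; vps_config; } | grep -q '^nat ' || return 1
}

# Usage: sh gif-ipsec.sh show
if [ "${1:-}" = "show" ]; then
    check_mirror || { echo "config does not mirror" >&2; exit 1; }
    firewall_config
    echo
    vps_config
fi
```

The only thing the SPD ever matches is protocol 4 between the two outer addresses, which is precisely what gif0 produces; ordinary traffic from the hosts' outer addresses is untouched, and the inner addresses never appear on the wire unencapsulated, so pf never has to rewrite them.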