PF and NAT-T
Vadym Chepkov
vchepkov at gmail.com
Wed Apr 16 21:40:45 UTC 2008

Hello,
I am using FreeBSD 6.3-RELEASE-p1 with the NAT-T patch applied
(freebsd6-natt.diff,
http://ipsec-tools.cvs.sourceforge.net/ipsec-tools/htdocs/ ).
PF works as expected with "regular" IPsec. But if I try to use NAT-T,
packets get lost; I don't see them on the internal interface.
I created this pf.conf for testing:
set loginterface enc0
set debug loud
This is what I see in status:
Interface Stats for enc0              IPv4             IPv6
   Bytes In                             120                0
   Bytes Out                              0                0
   Packets In
     Passed                               0                0
     Blocked                              2                0
Nothing useful in the log file.
When I add 'set skip on enc', everything starts to work fine.
How can I determine why those packets got blocked?
Thank you,
Vadym Chepkov
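One way to answer the closing question, as an added example that is not part of Vadym's post: a test ruleset that only sets a log interface makes pf count packets on enc0 but send nothing to pflog0, because only rules with "log" (and a few pre-rule sanity drops) produce pflog records. The helper below writes a pf.conf that logs every decision on enc0, and a small awk filter that turns "tcpdump -n -e -ttt -i pflog0" output into a count per action, interface, reason and rule number. The reason field carries the same names that "pfctl -s info" prints under "Counters" (match, short, bad-offset, fragment, state-mismatch, ...), so a "Blocked" count with an empty ruleset can be traced to something other than a rule match. The pf.conf, the file names and the pflog lines are constructed for illustration, not a capture of the reported problem.

```shell
#!/bin/sh
# Added diagnostic helper for the question above; it is not part of the
# original post.  It assumes FreeBSD pf with pflog(4) and tcpdump; the
# file names, interface names and log lines below are constructed.

# 1. A diagnostic pf.conf.  "set loginterface enc0" only makes pf keep
#    per-interface counters; nothing reaches pflog0 unless a rule with
#    "log" matches.  A logging pass rule on enc0 makes every decision on
#    the decrypted-traffic interface visible with rule number and reason.
write_debug_pfconf() {
    cat > "$1" <<'EOF'
set loginterface enc0
set debug loud
# Log every packet seen on enc0 instead of silently counting it.
pass log on enc0 all
EOF
}

# 2. Summarise pflog output.  On the box, run:
#      tcpdump -n -e -ttt -i pflog0 | pflog_summary
#    Every record starts with "rule N/(reason): action dir on iface:".
#    "match" means rule N decided (pfctl -vvsr lists that rule as "@N ...");
#    any other reason (short, bad-offset, fragment, state-mismatch, ...)
#    means pf dropped the packet outside ordinary rule matching, which is
#    what a non-zero "Blocked" counter under an empty ruleset points to.
pflog_summary() {
    awk '
    match($0, /rule [^:]*\): (block|pass) (in|out) on [^ :]+:/) {
        head = substr($0, RSTART, RLENGTH)     # "rule 0/(match): block in on enc0:"
        rule = head; sub(/^rule /, "", rule); sub(/[^0-9].*$/, "", rule)
        reason = head; sub(/^[^(]*\(/, "", reason); sub(/\).*$/, "", reason)
        sub(/^[^)]*\): /, "", head)             # "block in on enc0:"
        split(head, a, " ")                     # a[1]=action a[2]=dir a[4]=iface
        iface = a[4]; sub(/:$/, "", iface)
        count[a[1] " " a[2] " on " iface " reason=" reason " rule=" rule]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort
}

# Constructed sample of "tcpdump -n -e -ttt -i pflog0" output (not a real
# capture); the reasons and addresses are illustrative only.
SAMPLE_PFLOG='00:00:00.000000 rule 0/(match): pass in on enc0: 10.0.1.2.1025 > 192.168.0.10.22: S 1:1(0) win 65535
00:00:00.000412 rule 0/(state-mismatch): block in on enc0: 10.0.1.2.1025 > 192.168.0.10.22: . ack 1 win 65535
00:00:00.000920 rule 0/(state-mismatch): block in on enc0: 10.0.1.2.1025 > 192.168.0.10.22: P 1:49(48) ack 1 win 65535
00:00:00.001301 rule 0/(match): pass out on enc0: 192.168.0.10.22 > 10.0.1.2.1025: S 2:2(0) ack 2 win 65535'

# Runs the summary over the constructed sample; on a real box pipe tcpdump
# into pflog_summary instead.
summarise_sample() {
    printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
}

if [ "${1:-}" = "demo" ]; then
    summarise_sample
fi
```

Load the diagnostic ruleset with "pfctl -f" on the file written by write_debug_pfconf, then read pflog0 with tcpdump while reproducing the NAT-T traffic; a reason other than "match" on the blocked lines means the rule set is not what is dropping the packets, which also explains why "set skip on enc" hides the problem rather than revealing it.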

More information about the freebsd-pf mailing list