NAT IPSec Traffic with pf

Sydney Meyer syd.meyer at gmail.com
Thu Jul 31 00:06:59 UTC 2014


Got a reply in the forums from "junovitch":

"There is a bug in 10.0-RELEASE with how the kernel is tagging the mbuf allocated with IPSEC packets as it gets tagged to skip firewalling. Hence PF can't NAT what it can't see. Short answer is you need to upgrade to 10.0-STABLE or use an older version of FreeBSD.

Long answers:
http://www.freebsd.org/cgi/query-pr.cgi?pr=185876 - The PR with the technical details.
https://forums.freebsd.org/viewtopic.php?f=7&t=45691 - Same issue and the troubleshooting that helped find it."

Upgrading to 10-STABLE fixed the issue.

Cheers,
S.
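As an added example (not part of the original post or of junovitch's reply), a small sh script for the check the reply implies: "PF can't NAT what it can't see" shows up as a NAT rule whose Evaluations counter never moves while traffic is flowing through the tunnel. The script parses `pfctl -vvsn` style rule counters and lists NAT rules that have never been evaluated, and it classifies the running release against what the reply states. The counter line format ("[ Evaluations: N Packets: N ... ]") and the sample output embedded below are assumptions constructed for this example; the post says only that 10.0-RELEASE is affected and 10.0-STABLE or older releases are not, so the release check treats any "10.0-RELEASE*" string as affected, which the post does not confirm for patch levels.

```shell
#!/bin/sh
# Added example, not from the original post: is pf actually seeing the
# IPsec-decapsulated traffic you are trying to NAT?
#
# Assumptions (not stated on the list): the "[ Evaluations: N  Packets: N ... ]"
# counter line printed by `pfctl -vvsn`, and that traffic is flowing through the
# tunnel while you sample (run it twice a few seconds apart to be sure).

# Sample counters, CONSTRUCTED for this example: rule @0 is never evaluated,
# rule @1 is matching traffic as expected.
SAMPLE_PFCTL_VVSN='@0 nat on em0 inet from 10.10.0.0/24 to any -> (em0) round-robin
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 812 State Creations: 0     ]
@1 nat on em0 inet from 192.168.1.0/24 to any -> (em0) round-robin
  [ Evaluations: 1532      Packets: 3044      Bytes: 245120      States: 7     ]
  [ Inserted: uid 0 pid 812 State Creations: 21    ]'

# unseen_nat_rules: read pfctl -vvsn style output on stdin and print the rule
# text of every nat/binat/rdr rule whose Evaluations counter is 0. A rule that
# is correct but never evaluated is the symptom described in the reply: the
# kernel tagged the decrypted packets to bypass the firewall.
unseen_nat_rules() {
    awk '
        /^@[0-9]+ (nat|binat|rdr) / { rule = $0; next }
        /Evaluations:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Evaluations:" && $(i + 1) == "0" && rule != "")
                    print rule
            rule = ""
        }'
}

# kernel_is_affected_release: returns 0 (true) for a `uname -r` string that
# names 10.0-RELEASE. Assumption: patch levels (10.0-RELEASE-pN) are treated as
# affected too; the post only says 10.0-RELEASE is broken and 10.0-STABLE fixed.
kernel_is_affected_release() {
    case "$1" in
        10.0-RELEASE*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Usage on a live box:   pfctl -vvsn | unseen_nat_rules
# Usage on the sample output embedded above:
printf '%s\n' "$SAMPLE_PFCTL_VVSN" | unseen_nat_rules

if kernel_is_affected_release "$(uname -r)"; then
    echo "running $(uname -r): the list reply says pf cannot see IPsec packets here"
else
    echo "running $(uname -r): not the release the list reply describes"
fi
```

If the only rules listed are the ones covering the tunnel's inner addresses, and their counters stay at zero while `tcpdump -ni enc0` (or the inner interface) shows the decrypted packets, the firewall is being bypassed rather than misconfigured, which is the case the reply attributes to 10.0-RELEASE.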

