
NAT + ESP
  I'm having trouble getting pf to NAT ESP traffic, and am wondering
  if I am missing anything. NAT rules began as:
  nat on $ext from <nattable> to any -> $natAddr
  And were expanded to this when I discovered NAT was not happening for
  ESP traffic:
  nat on $ext from <nattable> to any -> $natAddr
  nat on $ext inet proto esp from <nattable> to any -> $natAddr
  It appears ESP traffic is still traversing pf without being NATed,
  as evidenced by a catch-all rule that prevents untranslated traffic
  from leaving the egress interface (IPs changed):
rule 1/0(match): block out on sis0: esp 1.2.3.4 > 5.6.7.8 spi 0x0022791B seq 21194 len 892
rule 1/0(match): block out on sis0: esp 1.2.3.4 > 5.6.7.8 spi 0x0022791B seq 21195 len 92
rule 1/0(match): block out on sis0: esp 1.2.3.4 > 5.6.7.8 spi 0x0022791B seq 21196 len 92
  What am I doing wrong?
  matthew
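The quoted pflog lines are the evidence in this thread, so here is an added example, not part of matthew's message or of pf, that turns that evidence into a repeatable check: it parses pflog lines in the tcpdump text form shown above, keeps the ESP packets that left the egress interface, flags those whose source address is still inside the NAT table (a packet the nat rule did not rewrite), and summarises them per SA (source, destination, SPI). The sample input is constructed: the three lines from the post plus one translated ESP packet and one non-ESP line; the <nattable> contents (1.2.3.0/24), the translated address 203.0.113.10 standing in for $natAddr, and the second SPI are assumptions, since the post changed its real IPs.

```python
#!/usr/bin/env python3
"""Added diagnostic for the symptom in the post above (example code written for
this page, not matthew's or pf's): read pflog lines in the text form produced by
`tcpdump -n -e -ttt -r /var/log/pflog` and list ESP packets that left the egress
interface with a source address the nat rule should have rewritten."""
import ipaddress
import re
import sys

# Line shape as quoted in the post: the "rule N/M(match): block out on IF:" prefix
# comes from pflog, the rest from tcpdump's ESP printer.
PFLOG_ESP_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"esp (?P<src>[0-9.]+) > (?P<dst>[0-9.]+) "
    r"spi (?P<spi>0x[0-9A-Fa-f]+) seq (?P<seq>\d+) len (?P<len>\d+)"
)

# Constructed sample: the three lines from the post, plus one ESP packet that did
# get translated and one non-ESP line, so the filters have something to reject.
# 203.0.113.10 stands in for $natAddr and the 1.2.3.0/24 <nattable> below are
# assumptions (the post changed its real IPs).
SAMPLE_LOG = """\
rule 1/0(match): block out on sis0: esp 1.2.3.4 > 5.6.7.8 spi 0x0022791B seq 21194 len 892
rule 1/0(match): block out on sis0: esp 1.2.3.4 > 5.6.7.8 spi 0x0022791B seq 21195 len 92
rule 1/0(match): block out on sis0: esp 1.2.3.4 > 5.6.7.8 spi 0x0022791B seq 21196 len 92
rule 3/0(match): pass out on sis0: esp 203.0.113.10 > 5.6.7.8 spi 0x0022791C seq 7 len 92
rule 3/0(match): pass out on sis0: 1.2.3.4.51234 > 5.6.7.8.500: udp 128
""".splitlines()

ASSUMED_NAT_TABLE = ["1.2.3.0/24"]   # assumed contents of <nattable>
ASSUMED_EGRESS = "sis0"              # $ext in the post


def parse_pflog_esp(lines):
    """Return one dict per ESP line; lines for other protocols are skipped."""
    records = []
    for line in lines:
        m = PFLOG_ESP_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["spi"] = int(rec["spi"], 16)
        rec["seq"] = int(rec["seq"])
        rec["len"] = int(rec["len"])
        records.append(rec)
    return records


def untranslated_esp(records, nat_table, egress_if):
    """ESP packets seen leaving egress_if whose source is still inside nat_table.
    After a matching nat rule the source would be $natAddr, so every hit here is
    a packet that the nat rule did not rewrite."""
    nets = [ipaddress.ip_network(n) for n in nat_table]
    return [
        r for r in records
        if r["direction"] == "out"
        and r["ifname"] == egress_if
        and any(ipaddress.ip_address(r["src"]) in n for n in nets)
    ]


def summarize_by_spi(records):
    """Group by (src, dst, spi): packet count, byte total and seq range, so one
    SA's worth of drops is reported once rather than per packet."""
    summary = {}
    for r in records:
        key = (r["src"], r["dst"], r["spi"])
        s = summary.setdefault(key, {"packets": 0, "bytes": 0,
                                     "seq_min": r["seq"], "seq_max": r["seq"]})
        s["packets"] += 1
        s["bytes"] += r["len"]
        s["seq_min"] = min(s["seq_min"], r["seq"])
        s["seq_max"] = max(s["seq_max"], r["seq"])
    return summary


def report(lines, nat_table=ASSUMED_NAT_TABLE, egress_if=ASSUMED_EGRESS):
    """Untranslated ESP leaving egress_if, summarised per SA."""
    return summarize_by_spi(untranslated_esp(parse_pflog_esp(lines), nat_table, egress_if))


if __name__ == "__main__":
    # "-" reads tcpdump output from stdin; otherwise the constructed sample is used.
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_LOG
    for (src, dst, spi), s in report(source).items():
        print(f"untranslated ESP {src} > {dst} spi {spi:#010x}: "
              f"{s['packets']} pkts, {s['bytes']} bytes, "
              f"seq {s['seq_min']}-{s['seq_max']}")
```

Feed it real data with `tcpdump -n -e -ttt -r /var/log/pflog proto 50 | python3 esp_nat_check.py -` after setting ASSUMED_NAT_TABLE and ASSUMED_EGRESS to your own values. An empty report means every ESP packet that left $ext already carried a translated source; a non-empty one lists exactly which internal hosts and SPIs are slipping past the nat rule, which narrows the question to whether those sources are really in <nattable>.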