I'm having trouble getting pf to NAT ESP traffic, and am wondering if I am missing anything. NAT rules began as:

    nat on $ext from <nattable> to any -> $natAddr

And were expanded to this when I discovered NAT was not happening for ESP traffic:

    nat on $ext from <nattable> to any -> $natAddr
    nat on $ext inet proto esp from <nattable> to any -> $natAddr

It appears ESP traffic is still traversing pf without being NATed, as evidenced by a catch-all rule that prevents untranslated traffic from leaving the egress interface (IPs changed):

    rule 1/0(match): block out on sis0: esp 1.2.3.4 > 5.6.7.8 spi 0x0022791B seq 21194 len 892
    rule 1/0(match): block out on sis0: esp 1.2.3.4 > 5.6.7.8 spi 0x0022791B seq 21195 len 92
    rule 1/0(match): block out on sis0: esp 1.2.3.4 > 5.6.7.8 spi 0x0022791B seq 21196 len 92

What am I doing wrong?

matthew
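The catch-all block rule in the post is doing the right thing: it turns a NAT failure into log evidence instead of leaking internal addresses onto the egress link. The following script, an added example that is not part of the original post, parses pflog/tcpdump-style ESP lines in the shape quoted above and reports which security associations (source address plus SPI) are leaving the egress interface with an untranslated RFC 1918 source. The log lines it runs on are constructed for the example (the post's own addresses were already changed by its author); the interface name sis0 comes from the post.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges: traffic sourced from these should never leave the egress
# interface untranslated. (ipaddress's is_private also flags documentation
# ranges such as 203.0.113.0/24, so an explicit list is used here.)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of the log lines quoted in the post
# (addresses and SPIs made up for this example).
SAMPLE_LOG = """\
rule 1/0(match): block out on sis0: esp 192.168.1.10 > 203.0.113.7 spi 0x0022791B seq 21194 len 892
rule 1/0(match): block out on sis0: esp 192.168.1.10 > 203.0.113.7 spi 0x0022791B seq 21195 len 92
rule 1/0(match): block out on sis0: esp 192.168.1.11 > 203.0.113.9 spi 0x00001234 seq 7 len 92
rule 2/0(match): pass out on sis0: esp 198.51.100.2 > 203.0.113.7 spi 0x0000ABCD seq 5 len 92
rule 1/0(match): block in on sis1: esp 192.168.1.10 > 203.0.113.7 spi 0x0022791B seq 21196 len 92
"""

# One ESP line: "rule N/M(match): <action> <dir> on <if>: esp SRC > DST spi 0x.. seq N len N"
ESP_LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<direction>in|out) "
    r"on (?P<ifname>\w+): esp (?P<src>[\d.]+) > (?P<dst>[\d.]+) "
    r"spi (?P<spi>0x[0-9A-Fa-f]+) seq (?P<seq>\d+) len (?P<length>\d+)$"
)


def parse_esp_line(line):
    """Parse one ESP log line into a dict; return None for any other line."""
    m = ESP_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "seq", "length"):
        rec[key] = int(rec[key])
    rec["spi"] = int(rec["spi"], 16)
    return rec


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def untranslated_esp(log_text, egress_ifname):
    """Return the ESP records leaving egress_ifname whose source is still an
    internal RFC 1918 address, i.e. packets the nat rules did not rewrite."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_esp_line(line)
        if rec is None:
            continue
        if (rec["direction"] == "out" and rec["ifname"] == egress_ifname
                and is_rfc1918(rec["src"])):
            hits.append(rec)
    return hits


def leaking_sas(records):
    """Group untranslated packets by (internal source, SPI) so each affected
    security association is listed once with a packet count."""
    return Counter((r["src"], r["spi"]) for r in records)


if __name__ == "__main__":
    leaks = untranslated_esp(SAMPLE_LOG, "sis0")
    for (src, spi), n in sorted(leaking_sas(leaks).items()):
        print(f"{src} spi 0x{spi:08X}: {n} untranslated ESP packet(s) on sis0")
```

Run against a real pflog capture (for example the text output of tcpdump reading the pflog interface), a non-empty result means the nat rules are not matching the ESP flow, regardless of which rule number the packets were finally blocked by; the inbound line on sis1 and the already-translated pass line are deliberately ignored.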
