From owner-freebsd-pf@FreeBSD.ORG  Wed Apr 16 21:40:45 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1D0A1106566B
	for <freebsd-pf@freebsd.org>; Wed, 16 Apr 2008 21:40:45 +0000 (UTC)
	(envelope-from vchepkov@gmail.com)
Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.29])
	by mx1.freebsd.org (Postfix) with ESMTP id C2D8E8FC1B
	for <freebsd-pf@freebsd.org>; Wed, 16 Apr 2008 21:40:44 +0000 (UTC)
	(envelope-from vchepkov@gmail.com)
Received: by yw-out-2324.google.com with SMTP id 2so1488562ywt.13
	for <freebsd-pf@freebsd.org>; Wed, 16 Apr 2008 14:40:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:from:to:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole;
	bh=mEKuB5eOp9DKxJGDcrpt/NPbNvG2s5KEE3zXxp/fIlA=;
	b=u4yP0ItippriVXGTF3MmcorzAT3QqbKEIDu1Lo6Nm+YX/lAWA9k1kmLb+3rg8kweR7O7zSVDl/mLQ9UVz//yhy7L8v6Gw2l0+1q+KqUTxISKaI2mzGbNURcGGUEuI8oCudbeeSIT/PjPBeQWltUWMX9ypIB4wjLTLY9Uc8Rd6Io=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:from:to:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole;
	b=XES+SYyOrwruj9Sv7kQvoGUOKdVf3xEK6xorW2U1Ix/txI0Kjvm4KRSxCTRng/dyN7tNkto1FO4Jw7Cs/C2PB+LEKhiOyIpIgBSSdaRvN5Sy+NnIJrtY5ru7OilULbmTDtlCimuxX685ST01ClKJfRtna6nJNyxT9GSElJn5qKk=
Received: by 10.150.121.3 with SMTP id t3mr721312ybc.227.1208379870602;
	Wed, 16 Apr 2008 14:04:30 -0700 (PDT)
Received: from xp ( [70.109.62.236])
	by mx.google.com with ESMTPS id g5sm19103418wra.33.2008.04.16.14.04.28
	(version=SSLv3 cipher=RC4-MD5); Wed, 16 Apr 2008 14:04:29 -0700 (PDT)
Message-ID: <005601c8a005$776e5820$0610a8c0@chepkov.lan>
From: "Vadym Chepkov" <vchepkov@gmail.com>
To: <freebsd-pf@freebsd.org>
Date: Wed, 16 Apr 2008 17:04:30 -0400
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="Windows-1252";
	reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Subject: PF and NAT-T
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2008 21:40:45 -0000

Hello,

I am using FreeBSD  6.3-RELEASE-p1 with NAT-T patch applied 
(freebsd6-natt.diff, 
http://ipsec-tools.cvs.sourceforge.net/ipsec-tools/htdocs/ )

PF works as expected with "regular" IPSEC. But if I try to use NAT-T, 
packets get lost, I don't see them on internal interface.

I created this pf.conf for testing:

set loginterface enc0
set debug loud

This is what I see in status:

Interface Stats for enc0              IPv4             IPv6
   Bytes In                             120                0
   Bytes Out                              0                0
   Packets In
     Passed                               0                0
     Blocked                              2                0

Nothing useful in the log file.

When I add 'set skip on enc', everything starts to work fine.
How can I determine why those packets got blocked?

Thank you,
Vadym Chepkov