> > What about the IPsec packets themselves? They also need to be NATted.....
Well, it was working... I just upgraded my firewall from S9 Sparc to S10 X86, re-enabled the NAT entries for the VPN connection so I could answer your question, and the box panicked as soon as the first ESP packet tried to cross. I see this is a known issue for some versions of IPFilter. I'm using the stock version that comes with S10; I guess I'll have to try to retrofit 4.1.9 back in using the recently posted how-to.

I was also having a problem with my ruleset under this version of IPFilter. I've always had

    Pass in quick on <internal interface>
    Pass out quick on <internal interface>

for many, many years. This worked with IPF 3.x and 4.1.9 under S9 Sparc. Now under S10, I get a syntax error on the second rule. If I swap the rules around, I still get a syntax error on the second rule. If I comment those rules out, the syntax error moves to a second set of identical rules for another internal interface.
