Hi,

I've set up an OpenBSD 4.0 (release) server to accept incoming IPsec connections (using isakmpd). As long as the clients are not behind a NAT, things work great. However, as soon as NAT-T comes into play, things stop working.

In order to diagnose the problem I tried to perform a controlled test. Initially I did a pfctl -d, just to make sure it's not in the way. Logging was performed using:

  tcpdump -ni enc0 -w ..
  tcpdump -ni rl0 -w ..
  isakmpd -d -D A=99 > ..
  ipsecctl -s all > .. (periodically)

and wireshark was running on the client. These logs are NOT included in this mail, just to save some space; in case they are wanted/needed, I'll be happy to include them (obviously I'll happily send dmesg and isakmpd.conf as well).

The client (Microsoft Windows Vista) and the server negotiate SAs and set up flows without any problems, and the client system starts sending ESP packets. First I tried some TCP traffic (HTTP), then I tried some ICMP (ping) ... nothing. The server is not responding at all.

When examining the enc0 logs you can see the packets sent by the client. The TCP packets seem to get a bad checksum; don't know if that is "supposed" to happen. The ICMP packets seem to get through correctly. But the server doesn't respond with a single packet. As soon as I'm not using IPsec everything works fine.

Thank you for your help
/john
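The post above contrasts plain ESP with NAT-T and notes bad TCP checksums on enc0. The following is an added example, not code from the original mail or from OpenBSD/isakmpd, that shows in Python the two things NAT-T (RFC 3948) changes on the wire, going slightly beyond the specific setup described: first, a classifier for datagrams on UDP/4500, which carry either a NAT keepalive (a single 0xFF byte), an IKE message (a four-byte all-zero non-ESP marker) or a UDP-encapsulated ESP packet (a non-zero SPI); second, a demonstration of why a transport-mode TCP segment that was encrypted behind a NAT fails its checksum at the responder unless the receiver recomputes it (RFC 3948 section 3.1.2), since the inner checksum was computed over the client's pre-NAT address. All packet bytes and IP addresses are constructed for the example; nothing here reproduces the poster's captures or diagnoses the setup in the mail, and the helper names are my own.

```python
"""Added example: NAT-T (RFC 3948) on the wire. Sample data is constructed."""
import ipaddress
import struct


def classify_udp_4500_payload(payload: bytes) -> str:
    """Classify the payload of one UDP datagram on port 4500 (RFC 3948).

    - a lone 0xFF byte is a NAT keepalive;
    - four zero bytes (the non-ESP marker) precede an IKE message;
    - otherwise the first 4 bytes are a non-zero ESP SPI, then the sequence number.
    """
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 8:
        return "malformed"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    spi, seq = struct.unpack("!II", payload[:8])
    return f"esp spi=0x{spi:08x} seq={seq}"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo + zeroed)


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """True if the checksum stored in the segment matches the given addresses."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src, dst, segment) == stored


def fixup_tcp_checksum(src: str, dst: str, segment: bytes) -> bytes:
    """What a NAT-T receiver does in transport mode: recompute the inner
    checksum against the addresses it actually sees (RFC 3948 3.1.2)."""
    csum = tcp_checksum(src, dst, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def build_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP SYN (constructed) with a correct checksum for src/dst."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return fixup_tcp_checksum(src, dst, hdr)


def transport_mode_after_nat(client_private: str, client_public: str, server: str) -> dict:
    """Follow one transport-mode segment from a client behind a NAT.

    The client computes the checksum over its private address and then encrypts
    the segment, so the NAT can only rewrite the outer (UDP/4500) header. After
    decryption the server sees the NAT's public address, and the untouched inner
    checksum no longer matches until the receiver fixes it up.
    """
    seg = build_tcp_syn(client_private, server, 40000, 80)   # built before ESP/NAT
    fixed = fixup_tcp_checksum(client_public, server, seg)   # receiver-side fixup
    return {
        "valid_at_client": tcp_checksum_ok(client_private, server, seg),
        "valid_at_server_naive": tcp_checksum_ok(client_public, server, seg),
        "valid_after_fixup": tcp_checksum_ok(client_public, server, fixed),
    }


if __name__ == "__main__":
    # Constructed UDP/4500 payloads: keepalive, IKE, and ESP with SPI 0x0abcdef0.
    for p in (b"\xff", bytes(4) + bytes(28), b"\x0a\xbc\xde\xf0\x00\x00\x00\x01" + bytes(16)):
        print(classify_udp_4500_payload(p))
    print(transport_mode_after_nat("192.168.1.10", "203.0.113.5", "198.51.100.2"))
```

In tunnel mode the encapsulated inner IP header still carries the original addresses, so the checksum problem shown by transport_mode_after_nat does not arise; the classifier, by contrast, applies to both modes, since the UDP/4500 framing is the same.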
I've setup an OpenBSD 4.0 (release) server to accept incoming IPsec connections (using isakmpd). As long as the clients are not behind a NAT things work great. However, as soon as NAT-T comes into play, things stop working. In order to diagnose to problem I tried to perform a controlled test: Initially I did a pfctl -d, just to make sure it's not in the way. Logging was performed using: tcpdump -ni enc0 -w .. tcpdump -ni rl0 -w .. isakmpd -d -D A=99 > .. ipsecctl -s all > .. (periodically) and wireshark was running on the client. These logs are NOT included in this mail just to save some space, in case they are wanted/needed, I'll be happy to include them (obviously I'll happily send dmesg and isakmpd.conf as well). The client (Microsoft Windows Vista) and the server negotiate SAs and setup flows without any problems and the client system start sending ESP packets. First I tried some TCP traffic (HTTP), then I tried some ICMP (ping) ... nothing. The server is not responding at all. When examining the enc0 logs you can see the packets sent by the client. The TCP packets seem to get a bad checksum, don't know if that is "supposed" to happen. The ICMP packets seem to get through correctly. But the server doesn't respond with a single packet. As soon as I'm not using IPsec everything works fine. Thank you for you help /john