I'm sure I have seen the answer to my question here on the list some time ago, but I'm too stupid to find it again:

In what order are the following operations performed on an IP packet?

a. IPSEC (decides whether a packet matches an IPSEC flow)
b. normal kernel routing
c. NAT
d. packet filtering (block/pass commands in pf.conf)

The reason I ask is that I failed to set up NAT for an IPSEC tunnel as described in http://marc.info/?l=openbsd-pf&m=115875312200995&w=2

As far as I understand, this can only work if NAT (on lo1) is performed before IPSEC checks for matching flows. Has this order been changed in OBSD4 (the above post from 2006 refers to OBSD 3.8)?

There is a newer posting on the same issue at http://archives.neohapsis.com/archives/openbsd/2008-12/1110.html, suggesting essentially the same procedure.

Regards
Christoph