The lo1 hack is no longer needed here; read OUTGOING NETWORK
ADDRESS TRANSLATION in ipsec.conf(5).

On 2009-10-29, Christoph Leser <le...@sup-logistik.de> wrote:
> I'm sure I have seen the answer to my question here on the list some
> time ago, but I'm too stupid to find it again:
>
> In what order are the following operations performed on an IP packet
>
> a. IPSEC ( decides whether a packet matches an IPSEC flow )
> b. normal kernel routing
> c. NAT
> d. packet filtering ( block/pass commands in pf.conf )
>
> The reason I ask is that I failed to set up NAT for an IPSEC tunnel as
> described in
>
> http://marc.info/?l=openbsd-pf&m=115875312200995&w=2
>
>
> As far as I understand, this can only work if NAT ( on lo1 ) is
> performed before IPSEC checks for matching flows.
>
> Has this order been changed in OBSD4 ( the above post from 2006 refers
> to OBSD 3.8 )? There is a newer posting on the same issue at
> http://archives.neohapsis.com/archives/openbsd/2008-12/1110.html,
> suggesting essentially the same procedure.
>
>
>
> Regards
>
> Christoph
