Bug #12505


NAT issues with IPsec passthrough

Added by Kev Kitchens over 2 years ago. Updated over 2 years ago.

Not a Bug
Rules / NAT
I've noticed some issues with the automatic IPsec passthrough rules generated when the outbound NAT is set to automatic rule generation. I have an IKEv2 VPN configured on my laptop, and it will fail to MOBIKE when I switch from WiFi to Ethernet or vice versa. I eventually tracked this down to an issue in the NAT. The first outbound UDP connection to the remote VPN endpoint gets NAT'd properly, but a subsequent connection from a different internal IP to the same remote endpoint will not be NAT'd at all and instead be forwarded directly. This not only means that MOBIKE will fail, but it also means the firewall will leak internal IP addresses. I worked around the issue by switching to manual rule generation and deleting the IPsec passthrough rules as my VPN supports NAT-T without issues.

IMO, there are two things that could be better here. First, it would be nice to have an option to disable IPsec passthrough when the outbound NAT is set to automatic rule generation. Second, packets shouldn't be sent directly in this scenario leaking internal IP addresses. Instead, they could be dropped or fall back to NAT'ing the source port.

Actions #1

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Not a Bug

This is expected behavior when using static port on outbound NAT rules, and is not a bug.

We already have numerous options to control outbound NAT, adding more is both impractical and more likely to confuse users. Anyone is free to switch to manual mode and adjust the rules or use hybrid mode and set up rules which change that NAT behavior.

The other behavior you see is the result of pf failing to make a NAT state since the source port is already in use. That behavior is beyond our control and would need to be changed in pf directly upstream. You can also prevent this kind of packet from escaping with an outbound floating rule to drop traffic with private sources, which is typically a good practice anyhow. It's not default as it can cause problems in some scenarios and some users may rely on the behavior.
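As an added illustration (not text from this ticket and not the exact rules pfSense writes to its pf.conf), the three rule shapes discussed in the reply above, in FreeBSD pf.conf syntax. The interface name, addresses, network and the RFC 1918 table are placeholders chosen for the example:

```pf
# Added example in FreeBSD/pfSense pf.conf syntax. Not a copy of this ticket's
# configuration or of pfSense's generated rules; em0, 203.0.113.10,
# 192.168.1.0/24 and the <rfc1918> table are placeholder values.
wan_if  = "em0"
wan_ip  = "203.0.113.10"
lan_net = "192.168.1.0/24"
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. Automatic-mode shape: the IPsec passthrough rule keeps the source port
#    (static-port), so the first LAN host's ISAKMP packets leave as
#    203.0.113.10:500. A second LAN host also sending from port 500 to the
#    same peer needs that same external tuple; pf cannot create the NAT
#    state and the packet goes out untranslated with its private source.
#    nat rules are first-match, so this must precede the general rule.
nat on $wan_if inet proto udp from $lan_net to any port 500 -> $wan_ip static-port
nat on $wan_if inet from $lan_net to any -> $wan_ip port 1024:65535

# 2. Hybrid/manual-mode alternative: the same ISAKMP match without
#    static-port, so pf assigns each host a free source port. This relies
#    on the peer supporting NAT-T (as the reporter's does) and has to be
#    placed before any static-port rule for the same traffic.
# nat on $wan_if inet proto udp from $lan_net to any port 500 -> $wan_ip port 1024:65535

# 3. The egress guard suggested in the reply: a quick outbound rule on WAN
#    that drops packets still carrying a private source address. Translation
#    happens before filtering, so a packet that was NATed arrives here with
#    source 203.0.113.10 and passes; only untranslated packets match and
#    are dropped (and logged) instead of leaking the internal address.
block out quick log on $wan_if inet from <rfc1918> to any
```

The guard in rule 3 is the reason the reply calls the drop rule non-default: if the WAN interface itself sits behind another NAT and carries an RFC 1918 address, translated packets also match the table and would be blocked, so that prefix has to be excluded from <rfc1918> before enabling the rule.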

Actions #2

Updated by Kev Kitchens over 2 years ago

Understandable that this is a limitation of pf, and I appreciate the info on using a floating rule to prevent the leakage!

In terms of having an option to disable IPsec passthrough, I will say disabling IPsec passthrough is something I've been able to do on every cheap consumer-grade router I've owned that has that feature, even when there are no other options for controlling NAT behavior. It's unfortunate that there's no middle ground between automatic rule generation w/ IPsec passthrough and full manual configuration, especially since there are plenty of knobs in the advanced settings to control the behavior of the NAT and firewall.

