> Synopsis: iked leaves behind pf state entries for NAT-T (UDP 4500) upon stopping
> Category: bin
> Description:
When stopping iked with `rcctl stop iked`, the service leaves behind pf state entries for NAT-T (UDP 4500) that prevent normal network connectivity until they expire naturally (observed timeout ~1 minute).

Example state entry that persists:

    all udp <client-lan-ip>:4500 <- <server-wan-ip>:4500       MULTIPLE:MULTIPLE
       age 00:03:15, expires in 00:00:59, 637:7 pkts, 111222:365 bytes, rule 1
       id: 6755c8e800001230 creatorid: 7078d876

IMPACT: After stopping iked, connectivity to VPN endpoints remains broken until these state entries expire naturally. This prevents immediate restoration of normal network routing (ssh, ping, etc.) even after the VPN service is stopped.

> How-To-Repeat:
1. Start iked with a configured VPN connection: `iked -v -d`
2. Stop iked: `Ctrl-C`
3. Observe the persistent pf state entry for UDP 4500: `pfctl -vvv -s states | fgrep -A 2 4500`
4. Connectivity to the VPN endpoint remains broken until the state expires or is killed with `pfctl -k id -k <state-id>`
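As an added example (not part of the report), a small sh script that automates step 3 and the `pfctl -k id -k <state-id>` workaround from step 4: it parses `pfctl -vvv -s states` output for UDP states with an endpoint on port 4500 and kills each one by id. It assumes the state-entry layout quoted above, and the sample pfctl output it runs on is constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report: find (and optionally kill) the
# pf state entries for IKE NAT-T (UDP 4500) that survive stopping iked.
# Assumes the `pfctl -vvv -s states` layout quoted in the report: an
# unindented header line per state, followed by indented detail lines, one
# of which carries "id: <state-id> creatorid: <creatorid>".

# Read `pfctl -vvv -s states` output on stdin; print one state id per line
# for every UDP state with 4500 as source or destination port.
nat_t_state_ids() {
    awk '
        # Header line: "<if> <proto> <src> <- <dst> <state>"; remember
        # whether this state is UDP with an endpoint on port 4500.
        /^[^ \t]+ udp / { in_nat_t = ($0 ~ /:4500([ \t]|$)/); next }
        /^[^ \t]/       { in_nat_t = 0; next }
        # Indented detail line of a matching state: emit the id once.
        in_nat_t && /(^|[ \t])id: / {
            for (i = 1; i < NF; i++)
                if ($i == "id:") { print $(i + 1); break }
            in_nat_t = 0
        }
    '
}

# Kill every lingering NAT-T state by id (needs root; does for all matching
# states what the manual `pfctl -k id -k <state-id>` in step 4 does for one).
kill_nat_t_states() {
    pfctl -vvv -s states | nat_t_state_ids | while read -r id; do
        echo "killing pf state id $id"
        pfctl -k id -k "$id"
    done
}

# Constructed sample of pfctl output (addresses and the last two ids are
# made up); only the first state, UDP 4500, should be selected.
SAMPLE_STATES='all udp 192.0.2.10:4500 <- 198.51.100.20:4500       MULTIPLE:MULTIPLE
   age 00:03:15, expires in 00:00:59, 637:7 pkts, 111222:365 bytes, rule 1
   id: 6755c8e800001230 creatorid: 7078d876
all udp 192.0.2.10:500 <- 198.51.100.20:500       MULTIPLE:MULTIPLE
   age 00:03:20, expires in 00:00:40, 12:12 pkts, 3456:3456 bytes, rule 1
   id: 6755c8e800001231 creatorid: 7078d876
all tcp 192.0.2.10:22 <- 198.51.100.30:45001       ESTABLISHED:ESTABLISHED
   age 00:10:02, expires in 23:59:58, 100:90 pkts, 12000:8000 bytes, rule 3
   id: 6755c8e800001232 creatorid: 7078d876'

# Dry run on the sample; on a live host call kill_nat_t_states instead.
printf '%s\n' "$SAMPLE_STATES" | nat_t_state_ids
```

Run it right after `rcctl stop iked` to clear the stale states instead of waiting the ~1 minute for them to expire.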