Sorry... my experimental setup had a mistake. I've re-read my posting and checked everything. What did get my attention was:

> But incoming traffic still passes:
>
> rule 29/0(match): pass in on enc0: (tos 0x0, ttl 64, id 58618, offset 0, flags [none], proto: ICMP (1), length: 84) 194.180.156.137 > 10.1.1.1: ICMP echo request, id 26909, seq 0, length 64

Which means rule 29 was letting this packet pass. I've checked rule 29 and found the mistake. It lets traffic through (on one tunnel endpoint) based on a table of IP addresses, and the internal IP address of the remote tunnel endpoint is mistakenly in there. Will correct that and do another test.

Volker

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
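The mistake described in the post, as an added pf.conf example that is not the poster's own configuration: a pass rule on enc0 that trusts every member of an address table, with the remote tunnel endpoint's address accidentally listed in that table, beside the corrected table. The table name trusted_hosts, the interface names and the internal network are assumptions; the post does not say which address of the remote endpoint was in the table, so the example uses the source address from the quoted tcpdump line (194.180.156.137) as the offending entry, which is also an assumption. The pfctl commands in the comments are standard and can be used to confirm which table entry a rule is matching on before editing the ruleset.

```pf
# Added example, not from the original post. Names and addresses other
# than 194.180.156.137 and 10.1.1.1 (taken from the quoted trace) are
# assumptions.

ext_if  = "em0"
int_if  = "em1"
int_net = "10.1.1.0/24"

# Address of the remote IPsec tunnel endpoint (assumed to be the ping
# source seen in the quoted tcpdump output).
remote_gw = "194.180.156.137"

# MISTAKE (what rule 29 effectively did): the remote gateway's own address
# is a member of the table, so a ping sent from that gateway arrives on
# enc0 after decapsulation and matches the pass rule below.
#
#   table <trusted_hosts> { 10.1.2.10, 10.1.2.11, 194.180.156.137 }

# FIX: list only the hosts that are meant to reach the internal network
# through the tunnel; the gateway's own address is deliberately left out.
table <trusted_hosts> { 10.1.2.10, 10.1.2.11 }

block log all

# Decapsulated IPsec traffic shows up on enc0; only table members may pass.
pass in log on enc0 inet proto icmp from <trusted_hosts> to $int_net keep state
pass in log on enc0 inet proto tcp  from <trusted_hosts> to $int_net port 22 keep state

# The tunnel itself still has to be allowed on the outside interface.
pass in  on $ext_if inet proto esp from $remote_gw to ($ext_if)
pass in  on $ext_if inet proto udp from $remote_gw to ($ext_if) port { 500, 4500 }
pass out on $ext_if inet from ($ext_if) to $remote_gw

# Checks before and after reloading:
#   pfctl -vvsr | grep '^@29 '              # print the rule pf reports as 29
#   pfctl -t trusted_hosts -T show          # list the live table contents
#   pfctl -t trusted_hosts -T test 194.180.156.137
#                                           # does the gateway address match?
#   pfctl -t trusted_hosts -T delete 194.180.156.137
#                                           # remove it from the running table
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
```

Note that `pfctl -T delete` only changes the running table; the same address must also be removed from pf.conf (or from the file a `persist file` table is loaded from), otherwise the next reload puts it back.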