From: Da Rock
Date: Sun, 22 May 2011 20:40:21 +1000
To: freebsd-pf@freebsd.org
Subject: pf firewall nat and IPSec
Message-ID: <4DD8E815.4090209@herveybayaustralia.com.au>

I have an Android mobile I'm trying to connect using the L2TP/IPSec VPN. I now have it working well on the LAN, but the mobile network fails. I also have the L2TP part working alone. Racoon seems to be working, I have forced NAT turned on, but for some reason it won't connect, or if it does it's only for seconds. My PF is set up with binat for the VPN system, although there are other services to that system and others on the network.
My relevant rules are as follows:

    scrub max-mss 1396 no-df
    binat on $ext_if from $voip to any -> $ext_ip
    pass in $plog on $ext_if proto { udp, ah, esp, ipencap } from any to $vpn tag EXT_IPSEC keep state
    pass out $plog on $int_if proto { udp, ah, esp, ipencap } from any to $vpn tagged EXT_IPSEC keep state

What am I missing? Android logs show that phase 1 works, and then phase 2 fails because phase 1 ran out of time. I could really use some advice from those with experience in this setup.

Cheers
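For comparison with the rule set above, here is an added pf.conf fragment (not from the original post or its author) that forwards L2TP/IPsec with NAT-T to an internal VPN host behind a binat mapping. It narrows the UDP pass rule to the ports the exchange actually uses, IKE on UDP 500 and NAT-T encapsulated ESP on UDP 4500, and keeps plain ESP for peers that are not behind NAT. The interface names, addresses, the `plog` macro value and the UDP timeout values are assumed placeholders, not values from the post.

```pf
# Added example, not the poster's configuration. Macro values are assumed.
ext_if = "em0"
int_if = "em1"
ext_ip = "203.0.113.10"    # public address mapped 1:1 to the VPN host
vpn    = "192.168.0.50"    # internal racoon + L2TP host
plog   = "log"

# IKE (UDP 500) and NAT-T encapsulated ESP (UDP 4500). With NAT-T active the
# gateway sees UDP 4500, not an ESP protocol packet, so this is the rule that
# carries the tunnel for a mobile client behind carrier NAT.
ipsec_udp = "{ 500, 4500 }"

# Assumed values: UDP state for NAT-T must outlive the gap between the
# client's keepalives, otherwise the tunnel drops once the state expires.
set timeout { udp.first 120, udp.single 60, udp.multiple 900 }

scrub in on $ext_if all max-mss 1396 no-df

# 1:1 mapping of the public address to the VPN host. Translation happens
# before filtering on the inbound path, so the pass rules match on $vpn.
binat on $ext_if from $vpn to any -> $ext_ip

# IKE and NAT-T from the Internet to the VPN host
pass in $plog on $ext_if inet proto udp from any to $vpn port $ipsec_udp \
    tag EXT_IPSEC keep state

# Plain ESP for peers that are not behind NAT
pass in $plog on $ext_if inet proto esp from any to $vpn \
    tag EXT_IPSEC keep state

# Hand the tagged traffic on to the LAN
pass out $plog on $int_if tagged EXT_IPSEC keep state

# L2TP (UDP 1701) travels inside the ESP/NAT-T tunnel, so it does not need
# its own pass rule at the gateway; it is only visible on the VPN host.
```

Loading the fragment with `pfctl -nf /etc/pf.conf` checks the syntax without activating it, and `pfctl -ss | grep 4500` after a connection attempt shows whether a UDP 4500 state to the VPN host was created and how long it stays, which separates a filtering problem from a phase 2 negotiation problem on the host itself.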