From owner-freebsd-pf@FreeBSD.ORG  Sat Sep 10 16:08:21 2011
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 77A83106566B
	for <freebsd-pf@freebsd.org>; Sat, 10 Sep 2011 16:08:21 +0000 (UTC)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (106-30.3-213.fix.bluewin.ch
	[213.3.30.106]) by mx1.freebsd.org (Postfix) with ESMTP id F006E8FC13
	for <freebsd-pf@freebsd.org>; Sat, 10 Sep 2011 16:08:19 +0000 (UTC)
Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1])
	by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id p8AG8Bso019271
	(version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO);
	Sat, 10 Sep 2011 18:08:11 +0200 (MEST)
Received: (from dhartmei@localhost)
	by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id p8AG8Ajl031984;
	Sat, 10 Sep 2011 18:08:10 +0200 (MEST)
Date: Sat, 10 Sep 2011 18:08:10 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Mario Lobo <lobo@bsd.com.br>
Message-ID: <20110910160810.GB29437@insomnia.benzedrine.cx>
References: <201109101042.53575.lobo@bsd.com.br>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201109101042.53575.lobo@bsd.com.br>
User-Agent: Mutt/1.5.12-2006-07-14
Cc: freebsd-pf@freebsd.org
Subject: Re: VPN  problem
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Sep 2011 16:08:21 -0000

On Sat, Sep 10, 2011 at 10:42:53AM -0300, Mario Lobo wrote:

> Sep 10 10:27:16 lobos kernel: pf_map_addr: selected address 177.17.68.103 
> Sep 10 10:27:49 lobos last message repeated 83 times
> Sep 10 10:28:59 lobos last message repeated 283 times

This looks as if you're not allowing the packet out after NAT, so
each subsequent packet also causes a pf_map_addr() call, instead
of creating a state entry.

Make sure you have a rule like

  pass out on $ext_if from ($ext_if) ...

Do you see any state entry related to your VPN connection?
Run pfctl -vvss after the connection attempt.

It helps debugging if you add

  block log

as the very first rule, then make sure all other block rules (if any)
also have 'log'. Then reproduce the problem while running

  tcpdump -s 1600 -nvvveeetttpi pflog0

Now you'll see any packet being dropped by pf. Do you see any?

Daniel