In setting up IPSec on some OpenBSD boxes, I have noticed that I cannot use a statement to pass traffic in on enc0 ONLY from a certain network. See my pf rules below:

--------------------------------------------------------
SCOTT_OFFICE = "XXX.XXX.XXX.XXX"

scrub in on xl0 all
scrub in on enc0 all

block in log from any to any
block out log from any to any
block in quick on xl0 from any to 255.255.255.255
block in log quick on xl0 from {10.0.0.0/8, 172.16.0.0/12, \
    192.168.0.0/16, 255.255.255.255/32} to any

pass in on enc0 from any to any
pass out quick on enc0 from 192.168.3.0/24 to 192.168.2.0/24
#pass in quick on enc0 from 192.168.2.0/24 to 192.168.3.0/24

pass in quick on fxp0 from 192.168.3.0/24 to any keep state
pass out quick on fxp0 from 192.168.2.235 to 192.168.3.13
pass out quick on fxp0 from 192.168.2.202 to 192.168.3.2

pass in quick on xl0 proto udp from $SCOTT_OFFICE to xl0 port = 500
pass out quick on xl0 proto udp from xl0 to $SCOTT_OFFICE port = 500
pass in on xl0 proto esp from $SCOTT_OFFICE to xl0
pass out on xl0 proto esp from xl0 to $SCOTT_OFFICE
----------------------------------------------------------------

Notice the commented line for the enc0 interface. I have tried changing the line, but it will not work. These rules function similarly on both sides (work & home). It only chokes on the "in" rules, not the "out". Can anyone explain this behavior to me?