What about a mobile VPN? For PUBKEY auth you can use UFQDN identities:

http://openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

and
http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd
http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec.conf

On Fri, Apr 8, 2011 at 10:41 AM, Ivan Nudzik <ivan.nud...@gmail.com> wrote:
> It is not a demand of PF... It's about IPsec behavior. IPsec tunnels can
> be established between exactly 2 IPs, or exactly 2 IP networks. You can't
> have an IP net on one side of the tunnel and the rest of the Internet on the
> other side, which is the case you wrote about.
> Solutions:
> 1. Build IP-IP IPsec and then build a GRE tunnel on those 2 IPs. You could
> route anything over the GRE tunnel. Beware of encapsulation overhead, because
> it is a tunnel in a tunnel.
> 2. Use OpenVPN instead of IPsec. It is far less painful.
>
> I.
>
> On Thu, 2011-04-07 at 16:51 -0700, Andrew Klettke wrote:
>> We have a working IPSec VPN between two 4.8 endpoints. One of them is at
>> a remote location, and the other at the main office. The remote location
>> has its own external, routable IP (to establish the VPN), and an
>> internal subnet behind it. The main office has its own external IP,
>> through which it is NATing its own internal subnet.
>>
>> Basically, I want to force all internet traffic from the remote,
>> internal subnet through the main office's internal gateway so it can NAT
>> out from there.
>>
>> I've been attempting to accomplish this with "route-to" and "reply-to"
>> rules on the remote box, but have had no luck. I know IPSec keeps its
>> own routing table, is this interfering? Is this possible to do with PF?
>
>



-- 
With regards,
Eugene Sudyr
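Solution 1 from the thread (IPsec between the two public addresses, GRE on top, the remote LAN's default route pointed into the GRE link) written out as an added OpenBSD configuration example; it is not from any of the posters. The public and inner addresses, the remote LAN 192.168.50.0/24, the interface name em0 and the key placeholder are constructed assumptions, and the remote box is assumed to have no /etc/mygate because its default route is set from hostname.gre0.

```conf
# --- remote gateway (public 203.0.113.10, ISP gateway 203.0.113.1) ----------
# /etc/ipsec.conf: protect only the GRE packets between the two public IPs.
# Transport mode suffices because the GRE endpoints are the IPsec endpoints.
ike esp transport proto gre from 203.0.113.10 to 198.51.100.20 \
        peer 198.51.100.20 psk "REPLACE-WITH-A-LONG-RANDOM-KEY"

# /etc/sysctl.conf: gre(4) stays disabled until explicitly allowed.
net.inet.gre.allow=1

# /etc/hostname.gre0: outer tunnel endpoints, inner /30 (constructed), routing.
tunnel 203.0.113.10 198.51.100.20
10.255.0.1 10.255.0.2 netmask 255.255.255.252
# Leave headroom for GRE + ESP headers ("tunnel in tunnel" overhead).
mtu 1400
up
# Keep the encrypted outer traffic on the ISP link, then send everything
# else, including the remote LAN's Internet traffic, into the tunnel.
!/sbin/route add -host 198.51.100.20 203.0.113.1
!/sbin/route add default 10.255.0.2

# --- main office gateway (public 198.51.100.20) ------------------------------
# /etc/ipsec.conf: mirror image of the remote side.
ike esp transport proto gre from 198.51.100.20 to 203.0.113.10 \
        peer 203.0.113.10 psk "REPLACE-WITH-A-LONG-RANDOM-KEY"

# /etc/sysctl.conf
net.inet.gre.allow=1

# /etc/hostname.gre0
tunnel 198.51.100.20 203.0.113.10
10.255.0.2 10.255.0.1 netmask 255.255.255.252
mtu 1400
up
# Return route so replies for the remote LAN go back through the tunnel.
!/sbin/route add -net 192.168.50.0/24 10.255.0.1

# /etc/pf.conf additions (4.7+ syntax): NAT the remote LAN like the local
# one, and let IKE, ESP and GRE from the remote peer reach the external side.
ext_if = "em0"
match out on $ext_if from 192.168.50.0/24 nat-to ($ext_if)
pass in on $ext_if proto { esp, gre } from 203.0.113.10
pass in on $ext_if proto udp from 203.0.113.10 to port { isakmp, ipsec-nat-t }
```

The remote side needs the same esp/gre/isakmp pass rules for traffic from 198.51.100.20 if its ruleset blocks inbound by default; with the IPsec flow limited to proto gre, the only thing left in the clear on the ISP link is IKE itself.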
