On Fri, May 27 2011 at 07:16, Oeschger Patrick wrote:

> *hmmm* *hmmm*,
> I did a test using IPsec VPN colouring, aka. tagging.
> ipsec.conf offers the option to tag the VPN traffic for further PF filtering.
> Using these tags I can instruct PF to use different public NAT addresses
> (outgoing to internet) for each VPN.
> But when you have overlapping subnets behind the VPNs then it is difficult to
> get the reply traffic into the right VPN.
> Maybe I am missing something here...

Why not use the "local" keyword of ipsec.conf for the outgoing address instead of NAT?

> I expected some feature so tagged traffic will be routed into the VPN carrying
> the same tag (...somehow...).
> Did some tests using 'reply-to' in PF rules but that did not work, and a
> default route will not help because I have many VPNs, all overlapping in the
> worst case.
> Any ideas? An important option I missed?

Using IPsec tunnels in different rdomains to manage overlapping easily?
(Thanks to Reyk for clarifying the usage of ipsec+rdomain)

Claer
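As an added illustration of the tagging setup Patrick describes and the "local" keyword Claer points at (a constructed example, not the configuration of either poster): each ipsec.conf rule carries a pf tag, "local" pins the tunnel endpoint address, and pf.conf matches the decapsulated packets with "tagged" to pick a NAT address per VPN. Interface names, tag names and addresses (documentation ranges) are assumptions; keyword order follows ipsec.conf(5) as I recall it, so check the manual of your release.

```conf
# /etc/ipsec.conf  (constructed example, not the poster's configuration)
# Two tunnels to two peers. "tag" attaches a pf(4) tag to every packet of the
# SAs created by the rule; "local" fixes the local endpoint address per tunnel.
ike esp from 192.0.2.0/24 to 10.10.0.0/24 local 198.51.100.1 peer 203.0.113.10 tag vpn_a
ike esp from 192.0.2.0/24 to 10.20.0.0/24 local 198.51.100.2 peer 203.0.113.20 tag vpn_b

# /etc/pf.conf  (fragment; constructed, assumes enc0 and the "egress" group)
# Packets decapsulated from each SA keep their tag, so later rules can select
# them with "tagged" instead of matching on (possibly overlapping) addresses.
pass in on enc0 tagged vpn_a
pass in on enc0 tagged vpn_b
# Internet-bound traffic from each VPN gets its own public NAT address.
match out on egress tagged vpn_a nat-to 198.51.100.10
match out on egress tagged vpn_b nat-to 198.51.100.11
pass out on egress
```

This only works cleanly because the two remote networks differ (10.10.0.0/24 and 10.20.0.0/24); with identical remote subnets the two flows would be indistinguishable for the kernel's policy lookup, which is the overlap problem the thread is about and why the reply suggests "local" addresses and separate rdomains rather than tags alone.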

