> I'd rather not have to create extra tunnels or define VPN policies with
> subnets which have prefixes wider than the internal LANs.
> That leaves mangling, but I cannot see how I would do the mangling in PF to
> make it work without doing a redirect through the loopback etc. Just
> wondering if anyone knows of a cleaner way?
I think widening the flow's source is cleanest (as I mentioned in my first reply). However, I think it's possible to use a gif tunnel for the tunnel encapsulation, and only use IPsec for the endpoint encryption. It would probably work, because unlike IPsec flows, it's not "source routed".
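Added example, not part of the original thread: a sketch of the gif-plus-transport-mode arrangement the reply describes, written for OpenBSD (assumed; the thread mentions PF and IPsec flows, which fits ipsec.conf(5) and gif(4)). All addresses, the PSK placeholder and the file paths are constructed for illustration. The point it shows is that the IPsec flow only ever matches the outer IP-in-IP packets between the two gateway addresses, so the inner LAN prefixes never have to appear in a flow selector and no wider-than-LAN policy is needed.

```conf
# /etc/hostname.gif0 on the local gateway (assumed layout; lines are passed
# to ifconfig(8) in the order given). 192.0.2.1 is this gateway's public
# address, 198.51.100.1 the remote gateway; 10.255.0.0/30 is a constructed
# point-to-point range for the tunnel ends; 10.0.1.0/24 is the remote LAN.
tunnel 192.0.2.1 198.51.100.1
inet 10.255.0.1 10.255.0.2 netmask 255.255.255.255
!route add -inet 10.0.1.0/24 10.255.0.2

# /etc/ipsec.conf on the local gateway.
# Transport-mode ESP between the two gateway addresses only, restricted to
# protocol 4 (ipencap, i.e. the IP-in-IP carrier that gif emits). The resulting
# flow is "from 192.0.2.1 to 198.51.100.1 proto 4"; the inner source and
# destination prefixes are invisible to the IPsec policy, so they can be
# anything the gif route table carries.
ike esp transport proto ipencap from 192.0.2.1 to 198.51.100.1 psk "replace-with-a-real-preshared-key"
```

After loading this, `ipsecctl -sa` should list exactly one pair of flows, both between the two gateway addresses with proto 4; any inner-LAN prefix showing up there would mean the configuration has fallen back to a tunnel-mode policy. Because the encrypted traffic is protocol 4 inside ESP, PF still sees the decrypted gif packets on gif0 and the ESP packets on the outside interface, so the usual per-interface pass/block rules apply unchanged and nothing needs to be looped through lo0. The remote gateway needs the mirror-image configuration (addresses swapped, the same PSK); the transport-mode SA is only as strong as that PSK, so prefer a long random value or certificate authentication.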