On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren wrote:
>> I'd rather not have to create extra tunnels or define VPN policies with subnets
>> which have prefixes wider than the internal LANs.
>> That leaves mangling, but I cannot see how I would do the mangling in PF to
>> make it work without doing a redirect through the loopback etc. Just wondering
>> if anyone knows of a cleaner way?
> I think widening the flow's source is cleanest (as I mentioned in my first reply).
> However, I think it's possible to use a gif tunnel for the tunnel encapsulation, and only
> use IPsec for the endpoint encryption. It would probably work, because unlike IPsec
> flows, it's not "source routed".
Ah ha!!! Of course!! Thank you :D
Andy.
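The gif-plus-transport-mode layout Anders suggests, written out as an added example that is not from either participant. It assumes OpenBSD's gif(4), hostname.if(5), ipsec.conf(5) and pf.conf(5) syntax (the thread's "flow" wording points at ipsecctl, but the page never names the OS); every address, interface name and the PSK are constructed placeholders for one end, "router A", and the other end mirrors it with the addresses swapped:

```conf
# --- /etc/hostname.gif0 on router A (all addresses are constructed examples) ---
# gif0 does the encapsulation: the outer IP-in-IP header (protocol 4, "ipencap")
# is always public-A -> public-B, whatever the inner source or destination is.
tunnel 203.0.113.1 198.51.100.1
inet 10.255.0.1 255.255.255.255 10.255.0.2
# The routing table, not an IPsec flow selector, decides what enters the tunnel,
# so NATed or "wide" inner sources need no extra policy or widened flow.
!route add -inet 192.168.2.0/24 10.255.0.2

# --- /etc/ipsec.conf on router A ---
# One transport-mode ESP policy for the ipencap stream between the endpoints;
# there is no tunnel-mode flow per subnet pair any more.
ike esp transport proto ipencap from 203.0.113.1 to 198.51.100.1 psk "replace-with-a-long-random-secret"

# --- /etc/pf.conf fragment on router A ---
ext_if = "em0"
# Defence in depth: raw IP-in-IP must never be accepted from the wire; it has to
# arrive inside ESP and show up on enc0 after decryption.
block in on $ext_if proto ipencap
pass in on $ext_if proto esp from 198.51.100.1 to 203.0.113.1
pass in on $ext_if proto udp from 198.51.100.1 to 203.0.113.1 port { isakmp, ipsec-nat-t }
pass in on enc0 proto ipencap from 198.51.100.1 to 203.0.113.1 keep state (if-bound)
pass on gif0
```

Load it with isakmpd -K running and ipsecctl -f /etc/ipsec.conf, then check two things: ipsecctl -sa should list a single "flow esp transport" entry for proto ipencap between the two public addresses, and tcpdump -ni em0 ip proto 4 should stay silent while traffic to 192.168.2.0/24 flows (only ESP should be visible). The caveat is that the IPsec policy no longer says anything about the internal subnets: the guarantee that LAN-to-LAN traffic is encrypted now rests on the route pointing at gif0 plus the transport-mode flow for protocol 4, so the pf block on unencrypted ipencap is the check that a spoofed plaintext IP-in-IP packet cannot be injected into the inside network.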