I use OSPFd on each OpenBSD firewall I deploy. This way you get access to all machines on the remote LAN, including the firewall itself, and you don't have to maintain routing manually.
//mxb

On 4 jul 2013, at 16:25, Andy <[email protected]> wrote:

> On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren wrote:
>>> I'd rather not have to create extra tunnels or define VPN policies with
>>> subnets which have prefixes wider than the internal LANs.
>>> That leaves mangling, but I cannot see how I would do the mangling in PF to
>>> make it work without doing a redirect through the loopback etc.. Just
>>> wondering if anyone knows of a cleaner way?
>>
>> I think widening the flow's source is cleanest (as I mentioned in my first
>> reply). However, I think it's possible to use a gif tunnel for the tunnel
>> encapsulation, and only use IPsec for the endpoint encryption. It would
>> probably work, because unlike IPsec flows, it's not "source routed".
>
> Ah ha!!! Of course!! Thank you :D
>
> Andy.
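The combination discussed in the thread (a gif tunnel carrying the traffic, IPsec in transport mode protecting only the two endpoints, and ospfd exchanging routes over the tunnel) written out for one side, as an added example that is not part of any poster's message. Endpoint addresses 203.0.113.1 / 198.51.100.1, transit link 10.255.0.0/30, LANs 192.168.1.0/24 and 192.168.2.0/24, interface names em0 (egress) and em1 (LAN), and the PSK are all placeholders I chose.

```conf
# /etc/hostname.gif0 (site A): IPv4-in-IPv4 tunnel to site B, numbered
# with a /30 transit link that ospfd forms its adjacency over
tunnel 203.0.113.1 198.51.100.1
inet 10.255.0.1 255.255.255.252 10.255.0.2
up

# /etc/ipsec.conf (site A): transport-mode ESP between the two
# endpoints only, matching the gif encapsulation (protocol 4, ipencap).
# No subnet-to-subnet flow is needed, so nothing is wider than the LANs.
ike esp transport proto ipencap from 203.0.113.1 to 198.51.100.1 \
    psk "REPLACE-WITH-LONG-RANDOM-SHARED-SECRET"

# /etc/ospfd.conf (site A): advertise the LAN and learn the remote one;
# em1 is passive so no OSPF hellos go out on the LAN segment
router-id 10.255.0.1
area 0.0.0.0 {
    interface gif0
    interface em1 { passive }
}

# /etc/pf.conf (site A): the minimum the tunnel needs. IKE and ESP are
# accepted only from the known peer; the encapsulated packets are
# filtered on enc0; plain LAN traffic and OSPF are filtered on gif0.
set skip on lo0
block all
pass in on egress proto udp from 198.51.100.1 to (egress) \
    port { isakmp, ipsec-nat-t }
pass in on egress proto esp from 198.51.100.1 to (egress)
pass on enc0 proto ipencap from 203.0.113.1 to 198.51.100.1 \
    keep state (if-bound)
pass on enc0 proto ipencap from 198.51.100.1 to 203.0.113.1 \
    keep state (if-bound)
pass on gif0 proto ospf
pass on gif0 from 192.168.1.0/24 to 192.168.2.0/24
pass on gif0 from 192.168.2.0/24 to 192.168.1.0/24
pass on em1
pass out on egress

# /etc/rc.conf.local (site A) and sysctl: forwarding on, isakmpd
# started with -K so it takes SAs from ipsec.conf, ospfd enabled
#   net.inet.ip.forwarding=1        (in /etc/sysctl.conf)
#   isakmpd_flags="-K"
#   ipsec=YES
#   ospfd_flags=""
```

Site B is the mirror image with the endpoint, transit and LAN addresses swapped; once both ospfd instances are up, `ospfctl show neighbor` should list the peer in FULL state and `route -n show` should contain the remote LAN learned via gif0.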

