-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> nat on enc0 inet from 192.168.A.A/24 to B.B.B.B/8 -> 172.C.C.C

Hi <Realname not known>

What do you see if you don't use the nat statement? Do packets from
192.168 get sent to B.B over enc0? If not, you still have some other
problem. How do you and ASP_peer authenticate? Check first if your
tunnels get established (ipsecctl -s all after the ping).

I'm no pf expert but from my understanding of flows I'd try to nat on
the incoming interface before encryption and routing take place.
I think that if you nat on enc0 you will be changing the packet's
payload and break the hash. (Not sure about that one - is there a
description of the packet flow through a pf/ipsec gateway anywhere?)

krgds /markus

-----BEGIN PGP SIGNATURE-----

iD8DBQFDksFE8BX/d8pVi/cRArkvAJsHhi+thVTiWfWXlTXLfCwb9W8VzwCgp7pB
IgqfOdMd2CzEaEZ4K1uCXNE=
=RDRl
-----END PGP SIGNATURE-----


-- 
Markus Wernig
Unix/Network Security Engineer - CISSP, CCSA
GPG: CA558BF7
http://xfer.ch
---------------------------------------------
Linux User Group Bern - http://lugbe.ch
---------------------------------------------
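As an added illustration (not part of Markus's reply or the original poster's configuration), here are the two rule placements discussed above side by side in pf.conf syntax of that era: the posted rule, which translates on enc0, and the alternative Markus suggests trying, which translates on the internal interface before the packet reaches the IPsec path. The interface name $int_if and all addresses are placeholders; which placement actually works on a given gateway is exactly what the ipsecctl check in the reply is meant to establish, so the fragment takes no position on that.

```conf
# Placeholder macros (assumed, not from the original thread):
#   $int_if  = internal LAN interface (e.g. em1)
#   $lan     = 192.168.A.A/24  (local network, anonymised in the post)
#   $remote  = B.B.B.B/8       (network behind ASP_peer)
#   $nat_ip  = 172.C.C.C       (address the peer expects to see)
int_if = "em1"
lan    = "192.168.0.0/24"
remote = "10.0.0.0/8"
nat_ip = "172.16.0.1"

# Variant 1: the rule as posted, translating on the IPsec
# pseudo-interface. Keep it here only if the ipsecctl check shows
# the tunnel coming up and traffic flowing.
nat on enc0 inet from $lan to $remote -> $nat_ip

# Variant 2: the placement suggested in the reply, translating on
# the internal interface as the packet arrives, before any IPsec
# processing or routing decision.
# (Use one variant at a time; do not load both.)
# nat on $int_if inet from $lan to $remote -> $nat_ip

# After loading either variant (pfctl -f /etc/pf.conf) and sending
# a test ping, confirm the SA/flow state with:
#   ipsecctl -s all
# and watch which interface the packet actually leaves on with:
#   tcpdump -ni enc0
```

The only behavioural difference a practitioner needs to check is whether the translated source address is what the peer's IPsec flows are configured to accept; if the tunnel negotiates but no traffic passes, compare the flow selectors shown by ipsecctl -s all against the address the NAT rule produces.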
