Hello,
I have one question regarding ipsec with NAT.
With one customer I have to set up a site2site VPN. To avoid address
conflicts I'd use NAT. Because several of our subnets have to use the
tunnel, I have this config in ipsec.conf:
ike esp from {192.168.10.0/24 (192.168.1.0/24), 192.168.10.0/24 (192.168.2.0/24), \
        192.168.10.0/24 (192.168.3.0/24)} to 10.78.1.0/24 \
peer <dest gateway> \
local <my gateway> \
main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 28800 \
quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
psk XXXXXXXXXX
In my pf.conf I have the NAT rules:
match out on $if_ipsec from 192.168.1.0/24 to 10.78.1.0/24 nat-to 192.168.10.1
match out on $if_ipsec from 192.168.2.0/24 to 10.78.1.0/24 nat-to 192.168.10.2
match out on $if_ipsec from 192.168.3.0/24 to 10.78.1.0/24 nat-to 192.168.10.3
But when I test the tunnel, I see only packets for the subnet 192.168.3.0/24
enter the tunnel. The other subnets don't get a connection.
Is this setup not possible, or do I have an error in my config?
Thanks.
Regards,
Erwin
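As an added example (not part of Erwin's post, and not OpenBSD's own tooling), the script below reads the two configuration fragments from the post and cross-checks them: it parses the ipsec.conf flow selectors and the pf nat-to rules, confirms that each pf rule's pre-NAT network and translated address fall inside a matching flow entry, and lists any flow entries whose from/to selector pair is identical. It assumes, as the post's own configuration does, that the parenthesised network in a flow is the untranslated source and the leading network is the address presented to the peer; the sample text is constructed from the post, with the gateway addresses and PSK replaced by placeholders.

```python
import ipaddress
import re

# Constructed sample input mirroring the post's ipsec.conf flow.
# Peer/local addresses and the PSK are placeholders, not real values.
IPSEC_CONF = """\
ike esp from {192.168.10.0/24 (192.168.1.0/24), 192.168.10.0/24 (192.168.2.0/24), \\
        192.168.10.0/24 (192.168.3.0/24)} to 10.78.1.0/24 \\
        peer 203.0.113.1 \\
        local 198.51.100.1 \\
        main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 28800 \\
        quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \\
        psk PLACEHOLDER
"""

# Constructed sample input mirroring the post's pf.conf NAT rules ($if_ipsec -> enc0).
PF_CONF = """\
match out on enc0 from 192.168.1.0/24 to 10.78.1.0/24 nat-to 192.168.10.1
match out on enc0 from 192.168.2.0/24 to 10.78.1.0/24 nat-to 192.168.10.2
match out on enc0 from 192.168.3.0/24 to 10.78.1.0/24 nat-to 192.168.10.3
"""


def parse_ipsec_flows(text):
    """Return a list of (src, srcnat_or_None, dst) networks, one per flow entry.

    Backslash continuations are joined first; a brace list in the 'from'
    field expands into one entry per comma-separated element.
    """
    joined = text.replace("\\\n", " ")
    flows = []
    for line in joined.splitlines():
        m = re.search(r"\bfrom\s+(\{[^}]*\}|\S+)\s+to\s+(\S+)", line)
        if not m:
            continue
        src_field, dst = m.group(1), ipaddress.ip_network(m.group(2))
        entries = src_field.strip("{}").split(",") if src_field.startswith("{") else [src_field]
        for entry in entries:
            # leading network, optionally followed by "(untranslated network)"
            em = re.match(r"\s*([^\s(]+)\s*(?:\(\s*([^)]+?)\s*\))?\s*$", entry)
            src = ipaddress.ip_network(em.group(1))
            srcnat = ipaddress.ip_network(em.group(2)) if em.group(2) else None
            flows.append((src, srcnat, dst))
    return flows


def parse_pf_nat(text):
    """Return a list of (pre_nat_net, dst_net, nat_to) from 'match ... nat-to' rules.

    A bare host in nat-to becomes a /32 network so it can be range-checked.
    """
    rules = []
    for line in text.splitlines():
        m = re.search(r"\bfrom\s+(\S+)\s+to\s+(\S+)\s+nat-to\s+(\S+)", line)
        if m:
            rules.append(tuple(ipaddress.ip_network(g) for g in m.groups()))
    return rules


def check_nat_consistency(flows, nat_rules):
    """Map each pf rule to the indices of flow entries it is consistent with.

    A flow entry matches when its untranslated network covers the rule's
    pre-NAT source, its leading network covers the nat-to address, and its
    destination covers the rule's destination.
    """
    result = {}
    for real, dst, nat in nat_rules:
        matched = [
            i for i, (src, srcnat, fdst) in enumerate(flows)
            if srcnat is not None
            and real.subnet_of(srcnat)
            and nat.subnet_of(src)
            and dst.subnet_of(fdst)
        ]
        result[(str(real), str(nat))] = matched
    return result


def duplicate_selectors(flows):
    """Return (src, dst) selector pairs that appear in more than one flow entry."""
    counts = {}
    for src, _, dst in flows:
        key = (str(src), str(dst))
        counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, v in counts.items() if v > 1)


if __name__ == "__main__":
    flows = parse_ipsec_flows(IPSEC_CONF)
    rules = parse_pf_nat(PF_CONF)
    for rule, idx in check_nat_consistency(flows, rules).items():
        print("pf rule %s -> %s matches flow entries %s" % (rule[0], rule[1], idx))
    for sel in duplicate_selectors(flows):
        print("selector pair %s -> %s occurs in more than one flow entry" % sel)
```

Running it against the post's fragments shows that each pf nat-to rule lines up with exactly one flow entry, and that all three entries present the same from/to selector pair to the peer; the script reports both facts so they can be compared with what `ipsecctl -s flow` and `pfctl -s rules` show on the gateway.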