I have an IPsec conundrum I'm trying to solve. Yes, the scenario is somewhat absurd; it's also the problem I've been tasked with solving, so spare the peanut gallery comments, okay?
NET-P <x> GW-Q <-> internet <-> GW-H <x> GW-V <x> NET-V

NET-P is 10.0.2.0/24
NET-V is 10.0.11.0/24

GW-Q is an OpenBSD host with fixed addresses 10.0.2.1 (inside) and 1.2.3.4 (internet).

GW-H is some random ISP cable/DSL modem that NATs everything behind it, with a random external address. (I.e., assume DHCP on the "internet" side.)

GW-V is an OpenBSD host. It has a variable upstream address obtained from the back end of GW-H (DHCP). On the other side, GW-V presents 10.0.11.1 to NET-V.

The goal here is to establish an IPsec tunnel that links NET-P and NET-V together, in the face of all the other nonsense in between. In the schematic above, '<x>' represents a NAT translation point. '<->' is a regular router interconnect.

I have tried setting up an IKEv2 passive connection from GW-V to GW-Q (connections in the other direction are impossible), but I'll be damned if I can figure out how to specify the SA associations and ESP flows on GW-V, given the lack of fixed addresses on the upstream sides of GW-V and GW-H. (Or in the other direction, for that matter.)

Is there any hope this can possibly work?

--lyndon
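For reference, this is the shape an iked.conf(5) pair usually takes for the scenario above: the side with the fixed address waits (passive) and accepts any peer address, while the side behind the dynamic NAT initiates (active) and lets the flows be expressed purely in terms of the two inside networks. This is an added illustration, not configuration from the original post; the identities gw-q.example.com / gw-v.example.com and the PSK are placeholders, and only 1.2.3.4, 10.0.2.0/24 and 10.0.11.0/24 come from the post.

```conf
# --- GW-Q (/etc/iked.conf), fixed internet address 1.2.3.4 ---
# Responder: the peer's address is unknown in advance, so accept any,
# and identify the peer by its ID rather than its source address.
ikev2 "to-netv" passive esp \
        from 10.0.2.0/24 to 10.0.11.0/24 \
        local 1.2.3.4 peer any \
        srcid gw-q.example.com dstid gw-v.example.com \
        psk "PLACEHOLDER-replace-with-a-long-random-secret"

# --- GW-V (/etc/iked.conf), DHCP-assigned upstream address, behind GW-H ---
# Initiator: 'local any' binds whatever address DHCP hands out; the ESP
# flows are defined by the inside networks, not by the NATed endpoints.
# IKEv2 NAT traversal (UDP/4500 encapsulation) is negotiated automatically
# when a NAT is detected between the endpoints.
ikev2 "to-netp" active esp \
        from 10.0.11.0/24 to 10.0.2.0/24 \
        local any peer 1.2.3.4 \
        srcid gw-v.example.com dstid gw-q.example.com \
        psk "PLACEHOLDER-replace-with-a-long-random-secret"
```

On GW-Q, pf must pass UDP/500 and UDP/4500 inbound on the internet interface; GW-H needs no port forward because GW-V originates the exchange and the NAT state keeps it open.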