Stephen Bosch wrote:
Imagine the following scenario:
You have two VPN endpoints. One is an OpenBSD system running isakmpd and
pf, the other is a VPN concentrator from some vendor.
The OpenBSD already has other VPNs set up, all using the same internal
network. Renumbering isn't going to work.
The VPN concentrator operator has an internal addressing scheme he
insists other endpoints conform to.
The question, then:
Is it even possible to NAT through an encryption interface? For example:
OpenBSD internal network: 192.168.45.0/24
Network other guy would prefer OpenBSD use: 10.110.40.0/24
Network other guy is using: 10.110.10.0/24
The command might look like this:
nat on $enc_if from 192.168.45.0/24 to 10.110.10.0/24 -> 10.110.40.10
Forgive me if this i) is impossible, ii) is crazy, iii) the syntax of
the command is wrong.
I'd rather run it past the list than tinker on production equipment.
Thanks for any help and advice,
-Stephen-
blind leading the blind here but ....
This was recently discussed, and it was pointed out that
the decision to encrypt happens before the nat-ing.
I deal with this selfsame issue by the lazy expedient of a firewall
with a VPN server that has one interface in the DMZ and one on the
public net. So I do the vendor-mandated nat-ing and pass to the VPN
server. This made writing the pf rules for both sets of machines pretty
straightforward.
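To make the reply's layout concrete, here is a pf.conf for the firewall it describes, written in the same pre-4.7 "nat on ... ->" syntax the thread uses. This is an added example, not configuration posted by either participant. The interface names, the addresses chosen for the DMZ (numbered in the 10.110.40.0/24 range the vendor insists on) and the VPN server's DMZ address are all assumptions; the firewall is assumed to carry a static route for 10.110.10.0/24 via the VPN server's DMZ address, and the VPN server, being directly connected to the DMZ, routes replies for 10.110.40.0/24 back without extra configuration.

```pf
# Added example, not from the thread. Assumed topology:
#   $int_if  192.168.45.1  internal LAN 192.168.45.0/24 (the real addresses)
#   $dmz_if  10.110.40.1   DMZ, numbered in the range the vendor mandates
#   $vpn_srv 10.110.40.2   VPN server's DMZ interface; its other interface
#                          is on the public net and terminates the tunnel
#   10.110.10.0/24         the vendor's network behind the concentrator
# Also assumed: "route add 10.110.10.0/24 10.110.40.2" on this firewall.
ext_if     = "fxp0"
int_if     = "fxp1"
dmz_if     = "fxp2"
int_net    = "192.168.45.0/24"
vendor_net = "10.110.10.0/24"
vpn_srv    = "10.110.40.2"

set skip on lo

# The NAT happens here, on a plain Ethernet interface, before the packet
# ever reaches the VPN server, so the "encrypt before NAT" ordering on
# enc0 never comes into play. Only vendor-bound traffic is translated;
# the other VPNs keep seeing the real 192.168.45.0/24 source addresses.
nat on $dmz_if from $int_net to $vendor_net -> ($dmz_if)

block log all

# Internal hosts may open connections towards the vendor network ...
pass in  quick on $int_if from $int_net to $vendor_net keep state
# ... and, already translated to 10.110.40.1, leave via the DMZ to the
# VPN server. Restricting the destination keeps the DMZ otherwise closed.
pass out quick on $dmz_if from ($dmz_if) to $vendor_net keep state

# Replies come back from the VPN server addressed to 10.110.40.1; pf
# matches them against the state above and reverses the translation.
# Vendor-initiated connections are not allowed: add rdr rules on $dmz_if
# if particular internal hosts must be reachable from 10.110.10.0/24.
```

Check the result with "pfctl -nf /etc/pf.conf" before loading it, then watch "pfctl -s state" while an internal host talks to a vendor address: the state entry should show the 192.168.45.x source on the $int_if side and 10.110.40.1 on the $dmz_if side, and a tcpdump on the VPN server's DMZ interface should see only 10.110.40.0/24 sources.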