Hi, everybody:
Okay -- the good news is that we've got the SA up between these two
sites, the bad news is that traffic isn't passing.
The situation is complicated by some NAT that I need through the
encryption interface.
We have the following:
HostA_private_IP
HostA_private_NAT_IP
<RemoteB_private_subnets>
In the NAT section of my pf.conf, I have the following command:
binat on $enc_if from $HostA_private_IP to <RemoteB_private_subnets> -> $HostA_private_NAT_IP
In the FILTER section, I have:
pass in on $enc_if from <RemoteB_private_subnets> to $HostA_private_NAT_IP
pass out on $enc_if from $HostA_private_NAT_IP to <RemoteB_private_subnets>
Do I need to add routes to make this work? I thought that setting up SAs
in isakmpd did this automatically, but when I traceroute from
HostA_private_IP, it looks like the traffic is going out the public
interface.
Or is the problem with my NAT statement?
-Stephen-