Hi, all:

I am configuring an IPsec tunnel like so:

local_internal_IP -> alias_IP  ->remote_peer_IP -> remote_internal_IP
local host        |   openBSD  |  Cisco PIX  |  remote internal host

alias_IP is a carp alias. It is one end of an IPsec security
association. netstat -rn gives this (altered) output:

> Encap:
> Source                     Port  Destination                Port  Proto  SA(Address/Proto/Type/Direction)
> remote_internal_subnet/23  0     alias_IP/32                0     0      remote_peer_IP/50/use/in
> alias_IP/32                0     remote_internal_subnet/23  0     0      remote_peer_IP/50/require/out

The SA is coming up.

I am natting over the alias_IP with this line:

"nat on $enc_if from $local_internal_IP to any -> $alias_IP"

(to pre-empt misunderstanding, I have also tried

"nat on $ext_if from $local_internal_IP to any -> $alias_IP")

From the OpenBSD box, I can ping remote_internal_IP like so:

"ping -I alias_IP remote_internal_IP"

When pinging from the local host, however, pings time out.

When I ping from the local host to $remote_internal_IP while running
tcpdump on the OpenBSD box, I get this (altered) output:

> # tcpdump -nvvv -i sis1 host $remote_internal_ip and icmp
> tcpdump: listening on sis1, link-type EN10MB
> 09:00:27.092289 $local_internal_ip > $remote_internal_ip: icmp: echo request (id:0200 seq:15369) (ttl 128, id 14737, len 60)
> 09:00:32.572227 $local_internal_ip > $remote_internal_ip: icmp: echo request (id:0200 seq:15625) (ttl 128, id 14763, len 60)
> 09:00:38.072243 $local_internal_ip > $remote_internal_ip: icmp: echo request (id:0200 seq:15881) (ttl 128, id 14767, len 60)
> 09:00:43.572226 $local_internal_ip > $remote_internal_ip: icmp: echo request (id:0200 seq:16137) (ttl 128, id 14773, len 60)

It would appear that there is a problem with natting.

What do I need to do to make this work?

Thanks for your help,

-Stephen-
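An added illustration, not the poster's code or configuration, of how the selectors in the Encap table above decide whether a packet belongs to a flow: it parses rows in that layout and tests the source/destination pairs of tcpdump echo requests against them. Every address below is a constructed placeholder standing in for the anonymised names in the post.

```python
import ipaddress
import re

# Constructed placeholder addresses standing in for the post's anonymised
# names (alias_IP, local_internal_IP, ...); not real hosts.
ALIAS_IP = "192.0.2.10"             # carp alias, local SA endpoint
LOCAL_INTERNAL_IP = "10.0.0.5"      # host behind the OpenBSD box
REMOTE_INTERNAL_SUBNET = "10.20.0.0/23"
REMOTE_PEER_IP = "198.51.100.1"     # remote IPsec peer

# Constructed "netstat -rn" Encap rows in the column order shown in the post:
# Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
ENCAP_LINES = [
    f"{REMOTE_INTERNAL_SUBNET} 0 {ALIAS_IP}/32 0 0 {REMOTE_PEER_IP}/50/use/in",
    f"{ALIAS_IP}/32 0 {REMOTE_INTERNAL_SUBNET} 0 0 {REMOTE_PEER_IP}/50/require/out",
]

def parse_flows(lines):
    """Turn Encap rows into flow dicts whose selectors are ip_network objects."""
    flows = []
    for line in lines:
        src, _sport, dst, _dport, _proto, sa = line.split()
        peer, _sa_proto, kind, direction = sa.rsplit("/", 3)
        flows.append({"src": ipaddress.ip_network(src, strict=False),
                      "dst": ipaddress.ip_network(dst, strict=False),
                      "peer": peer, "type": kind, "dir": direction})
    return flows

def matching_flow(flows, src_ip, dst_ip, direction="out"):
    """Return the first flow in `direction` whose selectors cover the address pair."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for f in flows:
        if f["dir"] == direction and s in f["src"] and d in f["dst"]:
            return f
    return None

ECHO_REQ = re.compile(r"^\S+ (\S+) > (\S+): icmp: echo request")

def classify(flows, tcpdump_line):
    """'flow' if the echo request's addresses fall inside an outbound flow's
    selectors, 'no_flow' if they do not, None for any other line."""
    m = ECHO_REQ.match(tcpdump_line)
    if not m:
        return None
    src, dst = m.groups()
    return "flow" if matching_flow(flows, src, dst) else "no_flow"

# Constructed tcpdump lines in the post's format: the first carries the
# untranslated internal source address, the second the alias address.
SAMPLE = [
    f"09:00:27.092289 {LOCAL_INTERNAL_IP} > 10.20.0.7: icmp: echo request (id:0200 seq:15369) (ttl 128, id 14737, len 60)",
    f"09:00:28.000000 {ALIAS_IP} > 10.20.0.7: icmp: echo request (id:0300 seq:1) (ttl 255, id 1, len 84)",
]

if __name__ == "__main__":
    flows = parse_flows(ENCAP_LINES)
    for line in SAMPLE:
        print(classify(flows, line), "<-", line[:50])
```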
