Stephen Bosch wrote:
> Hi, all:
>
> I am configuring an IPsec tunnel like so:
>
> local_internal_IP -> alias_IP -> remote_peer_IP -> remote_internal_IP
> local host | openBSD | Cisco PIX | remote internal host
>
> alias_IP is a carp alias. It is one end of an IPsec security
> association. netstat -rn gives this (altered) output:
>
>> Encap:
>> Source                    Port  Destination               Port  Proto  SA(Address/Proto/Type/Direction)
>> remote_internal_subnet/23 0     alias_IP/32               0     0      remote_peer_IP/50/use/in
>> alias_IP/32               0     remote_internal_subnet/23 0     0      remote_peer_IP/50/require/out
>
> The SA is coming up.
>
> I am natting over the alias_IP with this line:
>
> "nat on $enc_if from $local_internal_IP to any -> $alias_IP"
>
> (to pre-empt misunderstanding, I have also tried
>
> "nat on $ext_if from $local_internal_IP to any -> $alias_IP")
>
> From the OpenBSD box, I can ping remote_internal_IP like so:
>
> "ping -I alias_IP remote_internal_IP"
>
> When pinging from the local host, however, pings time out.
>
> It would appear that there is a problem with natting.

The ping works even with all the NAT lines commented out, so it looks like the nat isn't doing anything at all...

-Stephen-

