Of course, as it is a testing environment it is a lot easier to make
it work for me...
On the remote side, I configured something like this (I suppose they
have something of this kind on the other side):
ike passive esp from 172.25.0.1 to A.B.C.D

And on the local server side, all I have is :
ike esp from any to 172.25.0.1 peer W.X.Y.Z

I never tried to use the "flow" directives as you did. I suppose that if,
as you said, you have correct encap routes, packets headed to
172.25.0.1 should definitely go through enc0; then, if you set nat on
enc0, it should work as it does for me.
Could you paste and show us the output of netstat -rnf encap and also,
if possible, your pf.conf?

Regards,
William

2008/8/15 Toby Burress <[EMAIL PROTECTED]>:
> On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote:
>> Hi,
>>
>> I tried to reproduce what you want in my testing environment and
>> managed to make it work.
>>
>> What you have to do is :
>>  - In your ipsec.conf, add a rule from your local network to the
>> distant 172.25.0.1 (this rule is needed in order to route the traffic
>> to enc0)
>
> Did you need to configure this on both ends?  If I add a flow routing
> my network to the remote IP the packets never seem to get to enc0;
> it looks like isakmpd is stuck trying to negotiate something with
> the remote end.  From what I can tell I need an SA for packets to
> get routed over enc0.
>
> In ipsec.conf I have:
>
> ike active esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z \
>        main auth hmac-md5 enc 3des \
>        quick auth hmac-md5 enc 3des group none \
>        psk yarg
>
> which lets me ping 172.25.0.1 from A.B.C.D.  To route packets to
> 172.25.0.1 I am using
>
> flow from any to 172.25.0.1 peer W.X.Y.Z
>
> This does create appropriate encap entries in the routing tables,
> but I never see anything hit enc0.

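To make the lab setup William describes concrete, here is an added example (not taken from the thread, and not anyone's actual configuration) showing both ends of it together with the pf rules and the checks to run on the local gateway. The LAN 192.168.1.0/24, the interface name em0 and the pre-OpenBSD 4.7 "nat on" syntax are assumptions; A.B.C.D, W.X.Y.Z and 172.25.0.1 are the placeholders used in the thread.

```conf
# --- Remote (test) peer, /etc/ipsec.conf ---
# Waits for the other side to initiate; with "peer" omitted the destination
# A.B.C.D (the local gateway's public address) is used as the peer.
ike passive esp from 172.25.0.1 to A.B.C.D

# --- Local gateway, /etc/ipsec.conf ---
# One rule covering everything destined for 172.25.0.1. It installs the
# encap route (flow) that steers such packets onto enc0 and negotiates
# the SA with W.X.Y.Z. "from any" only works when the peer accepts that
# selector; a stricter peer has to be offered the selector it expects.
ike esp from any to 172.25.0.1 peer W.X.Y.Z

# --- Local gateway, /etc/pf.conf (pre-4.7 nat syntax, assumed) ---
# Assumed names and addresses: LAN 192.168.1.0/24, outside interface em0.
ext_if = "em0"
lan    = "192.168.1.0/24"
remote = "172.25.0.1"
peer   = "W.X.Y.Z"

# Rewrite the LAN source to the gateway address on the enc0 path, so the
# packet the remote end decrypts matches its 172.25.0.1 <-> A.B.C.D policy.
nat on enc0 from $lan to $remote -> A.B.C.D

# IKE (udp/500) and ESP between the two gateways on the outside interface.
pass in  on $ext_if proto udp from $peer to A.B.C.D port 500
pass out on $ext_if proto udp from A.B.C.D to $peer port 500
pass in  on $ext_if proto esp from $peer to A.B.C.D
pass out on $ext_if proto esp from A.B.C.D to $peer

# Plaintext traffic as seen on enc(4); filter rules see the translated
# source on the way out.
pass in  on enc0 from $remote
pass out on enc0 to $remote

# --- Checks, run on the local gateway ---
#   ipsecctl -n -f /etc/ipsec.conf  # parse only, loads nothing
#   ipsecctl -sf                    # flows: expect "from any to 172.25.0.1"
#                                   # with peer W.X.Y.Z
#   ipsecctl -sa                    # SAs: an esp pair with W.X.Y.Z must be
#                                   # present; a flow without an SA is
#                                   # exactly the "stuck negotiating" state
#                                   # described above
#   netstat -rnf encap              # the same flow as an encap route
#   tcpdump -ni enc0                # packets before encryption / after
#                                   # decryption; nothing here means the
#                                   # encap route is not being hit
```

The order of events on the local gateway is the point of the example: the encap route puts the LAN packet onto enc0, the nat rule rewrites its source to A.B.C.D there, and only then is it encrypted toward W.X.Y.Z, which is why the remote peer never has to know about the LAN at all.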