Hi all,

The lo1 workaround worked.

There are some posts out there that explain this, or parts of it, and here's my contribution. The two threads I found most helpful can be googled:

    "NAT on IPSEC with OpenBSD/pf/isakmpd"
    "OT - NAT on IPsec"

The issues in question are mentioned earlier in this thread and I won't repeat them.

1 - Create a loopback interface on which NATting will be done:

    # cat /etc/hostname.lo1
    inet 172.16.0.1 255.255.255.0 NONE description "IPsec NAT interface"

This should be an IP of a different subnet than your internal network.

2 - Add a static route to the remote network you are trying to reach:

    route add 192.168.0.0/24 172.16.0.1

3 - Configure lo1 for NAT (pf.conf):

    nat on lo1 from $internal_net to 192.168.0.0/24 -> lo1

4 - Create pf.conf rules:

    ## ISAKMP VPN
    pass on lo1 inet from lo1 to 192.168.0.0/24 keep state
    # In
    pass in on enc0 keep state (if-bound)
    # Out
    pass out on enc0 inet from lo1 to 192.168.0.0/24
    pass on enc0 proto ipencap all keep state (if-bound)
    pass on $ext_if inet proto esp all keep state
    -----------

NB. Outgoing enc0 traffic rule must not contain "keep state".

5 - The ipsec tunnel/flows must of course be added with 172.16.0.1 as IPV4_ADDR.

    [My-Net]
    ID-Type=        IPV4_ADDR
    Address=        172.16.0.1

Best regards,
Danial
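Steps 1 to 4 above, assembled into one script as an added example (this is not Danial's code and not part of OpenBSD). It writes the hostname.lo1 line, the route command and the pf.conf fragment into a staging directory for review rather than into /etc, and it checks the caveat from step 1 that lo1 must live in a subnet distinct from the internal network (and from the remote network, which the static route in step 2 points at lo1). The values em0 for $ext_if and 10.0.0.0/24 for $internal_net are constructed placeholders; the pf rules keep the post's `nat on` syntax, which OpenBSD 4.7 and later replaced with `match ... nat-to`.

```shell
#!/bin/sh
# Added example, not from the original post or OpenBSD. Stages the lo1/pf.conf
# pieces into a directory and checks that lo1's subnet overlaps nothing else.

LO1_ADDR=172.16.0.1           # lo1 address from the post
LO1_PREFIX=24                 # 255.255.255.0 from the post
REMOTE_NET=192.168.0.0/24     # remote network from the post
INTERNAL_NET=10.0.0.0/24      # constructed value for $internal_net
EXT_IF=em0                    # constructed value for $ext_if

# Dotted quad -> integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> integer netmask, e.g. 24 -> 0xffffff00
prefix_to_mask() {
    echo $(( 0xffffffff & ~((1 << (32 - $1)) - 1) ))
}

# "a.b.c.d/p" -> "network mask" as two integers
cidr_to_net_mask() {
    mask=$(prefix_to_mask "${1#*/}")
    echo "$(( $(ip4_to_int "${1%/*}") & mask )) $mask"
}

# Returns 0 when the two CIDR blocks share at least one address
nets_overlap() {
    a=$(cidr_to_net_mask "$1")
    b=$(cidr_to_net_mask "$2")
    set -- $a $b                # $1 net_a  $2 mask_a  $3 net_b  $4 mask_b
    common=$(( $2 & $4 ))        # the shorter of the two masks
    [ $(( $1 & common )) -eq $(( $3 & common )) ]
}

# lo1's own network in CIDR form, e.g. 172.16.0.0/24
lo1_cidr() {
    echo "$(int_to_ip4 $(( $(ip4_to_int "$LO1_ADDR") & $(prefix_to_mask "$LO1_PREFIX") )))/$LO1_PREFIX"
}

# Step 1 caveat: lo1 must not overlap the internal net, nor the remote net
# that the step 2 static route sends through it
check_lo1_subnet() {
    net=$(lo1_cidr)
    for other in "$INTERNAL_NET" "$REMOTE_NET"; do
        if nets_overlap "$net" "$other"; then
            echo "lo1 subnet $net overlaps $other" >&2
            return 1
        fi
    done
    return 0
}

# Step 1: contents of /etc/hostname.lo1
render_hostname_lo1() {
    printf 'inet %s %s NONE description "IPsec NAT interface"\n' \
        "$LO1_ADDR" "$(int_to_ip4 "$(prefix_to_mask "$LO1_PREFIX")")"
}

# Step 2: the static route, written out rather than executed
render_route() {
    printf 'route add %s %s\n' "$REMOTE_NET" "$LO1_ADDR"
}

# Steps 3 and 4: pf.conf fragment with the post's macros filled in
render_pf_rules() {
    cat <<EOF
ext_if = "$EXT_IF"
internal_net = "$INTERNAL_NET"
remote_net = "$REMOTE_NET"

# step 3: translate internal hosts to lo1's address before the tunnel sees them
nat on lo1 from \$internal_net to \$remote_net -> lo1

## ISAKMP VPN
pass on lo1 inet from lo1 to \$remote_net keep state
# In
pass in on enc0 keep state (if-bound)
# Out: no "keep state" on this rule (see the NB in the post)
pass out on enc0 inet from lo1 to \$remote_net
pass on enc0 proto ipencap all keep state (if-bound)
pass on \$ext_if inet proto esp all keep state
EOF
}

# Write the three files into a staging directory for review before copying to /etc
stage_configs() {
    check_lo1_subnet || return 1
    mkdir -p "$1" || return 1
    render_hostname_lo1 > "$1/hostname.lo1"
    render_route        > "$1/route.sh"
    render_pf_rules     > "$1/pf.ipsec-nat.conf"
    echo "staged in $1"
}

if [ -n "$1" ]; then stage_configs "$1"; fi
```

Run it as `sh stage-ipsec-nat.sh ./staging`; it refuses to write anything if the lo1 subnet collides with either network, which is the mistake the step 1 remark warns about.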

