On Wed, Jul 07, 2004 at 12:38:41PM +0200, Wolfgang Pichler wrote:

> On my OpenBSD firewall I have a VPN tunnel running to the 10.0.43.0
> subnet from another company. The VPN tunnel works fine when I ping from
> the firewall to the other subnet using my external address (ping -I
> 81.223.6.246 10.0.43.11).
>
> Our own internal net is 172.16.0.0/24 - I'd now like my firewall to
> redirect packets coming from 172.16.0.0/24 with destination address
> 10.0.43.0/24 to go over the VPN tunnel.
>
> I've already tried to play around with pf, route, ipsecadm flow - but I
> don't get the point how to get this working.
>
> Can anyone here give me a hint?
Your internal network doesn't seem to be part of the ipsec flow. Try

    nat on lo0 from 172.16.0.0/24 to 10.0.43.0/24 -> 81.223.6.246

and

    route -q add -src 172.16.0.0/24 -dst 10.0.43.0/24 127.0.0.1

(plus some scrub rule to set max-mss to whatever your tunnel can cope with, e.g. 1396 works for me).

Cheers,
Marc
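Marc's suggestion written out as a pf.conf fragment, with the companion route command in a comment. This is an added illustration, not part of the original thread; the macro names are assumed, the addresses are the ones from the thread, and the max-mss value is the one Marc reports working on his tunnel.

```pf
# pf.conf fragment (OpenBSD 3.x pf syntax, as in use on the list in 2004)
ext_addr = "81.223.6.246"  # the firewall's own endpoint of the IPsec tunnel
int_net  = "172.16.0.0/24" # local LAN
vpn_net  = "10.0.43.0/24"  # remote company's subnet reached through the tunnel

# Clamp the TCP MSS so segments still fit once ESP/IP overhead is added.
# 1396 is the value Marc reports working; measure your own tunnel's MTU.
scrub out from $int_net to $vpn_net max-mss 1396

# The IPsec flow only matches packets sourced from $ext_addr. The route
# below pushes LAN->VPN traffic through loopback, and this rule rewrites
# the LAN source to $ext_addr there, so the packets then match the flow.
# Keep the rule narrow (only $int_net, only $vpn_net) so no other source
# is silently given a path into the remote network.
nat on lo0 from $int_net to $vpn_net -> $ext_addr

# Companion route from Marc's reply (run once, e.g. from /etc/rc.local):
#   route -q add -src 172.16.0.0/24 -dst 10.0.43.0/24 127.0.0.1
```

Load it with `pfctl -f /etc/pf.conf` and confirm the translation is in place with `pfctl -s nat`; a ping from a LAN host to 10.0.43.11 should then appear on the far side with source 81.223.6.246.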
