Hi all, Trying to get my head around mixing NAT and IPSEC on OpenBSD; hoping you folks can tell me whether I'm crazy :-)
I've got IPSEC à la:

    10.1.1.1/32    10.1.1.1 -------- 10.2.2.2    10.2.2.2/32

(ie the encryption domain and the VPN endpoints are the same).

Now I'd like the OpenBSD machine at 10.1.1.1 to be able to give users on its local LAN access to 10.2.2.2 through the IPSEC tunnel, NAT'ing the source address to 10.1.1.1.

The problem is that because NAT is performed after the routing decision is made, packets are sent out of sk0 rather than enc0. The IPSEC implementation is presumably deciding that a packet from Local-LAN to 10.2.2.2 doesn't match the IPSEC SA and is therefore routing the packet normally, not via the tunnel. Only once the NAT rule has been applied (on a non-encrypted interface) does the packet match the IPSEC SA.

Is what I'm trying to do possible? If the VPN endpoint and encryption domain weren't the same at 10.2.2.2 then perhaps it might be possible to force a route to enc0; however, since 10.2.2.2 is the VPN endpoint and we've got to be able to route ESP packets...

Is there any way to force pf to do source-address NAT as a packet enters the system rather than as it leaves?

The obvious alternative solution is to make the encryption domain at 10.1.1.1 something different, and then do the NAT on another system before we hit the OpenBSD machine; but that's not really ideal.

Cheers,

Chris

-- 
Chris Wilson <[EMAIL PROTECTED]>
http://www.mxtelecom.com
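An added illustration, not part of Chris's post and not a confirmed answer to it: what the described setup looks like on a current OpenBSD release, where pf rules can carry nat-to on the inbound interface, so the source address is rewritten before the kernel does the route and IPsec flow lookup. The interface name em1, the LAN prefix 192.168.1.0/24 and the pre-shared key are assumptions; the addresses 10.1.1.1 and 10.2.2.2, the interface sk0 and the host-to-host (/32) flow are taken from the post. The `nat on sk0` rule syntax of the poster's era only translated packets as they left an interface, which is exactly the ordering problem the post describes; the rewritten pf of OpenBSD 4.7 and later made translation a property of the rule that matches, in either direction.

```conf
# /etc/ipsec.conf on the 10.1.1.1 gateway (assumed file; syntax is
# that of current OpenBSD ipsec.conf(5)).  The flow is host-to-host,
# i.e. the encryption domain equals the endpoints, as in the post.
ike esp from 10.1.1.1 to 10.2.2.2 \
        psk "example-shared-secret"        # constructed placeholder PSK

# /etc/pf.conf fragment on the same machine.
lan_if  = "em1"                 # assumed LAN-side interface
ext_if  = "sk0"                 # interface facing 10.2.2.2 (from the post)
lan     = "192.168.1.0/24"      # assumed LAN prefix
peer    = "10.2.2.2"
local   = "10.1.1.1"

# Rewrite the source address as the packet *enters* on the LAN side.
# nat-to on a pass rule is applied when that rule creates the state, so
# the packet already carries src 10.1.1.1 when the kernel does the route
# and IPsec-flow lookup; it then matches the 10.1.1.1 <-> 10.2.2.2 flow
# and is handed to the tunnel instead of being sent in the clear via sk0.
pass in on $lan_if inet from $lan to $peer nat-to $local

# Let IKE and ESP between the endpoints out on sk0, and the
# decapsulated host-to-host traffic through on enc0.
pass out on $ext_if proto udp from $local to $peer port { 500, 4500 }
pass out on $ext_if proto esp from $local to $peer
pass on enc0 inet from $local to $peer
pass on enc0 inet from $peer to $local
```

To check that the translation really happens before the flow lookup, `pfctl -ss` should show the LAN client's state with 10.1.1.1 as the translated source, `ipsecctl -sa` should list the 10.1.1.1 <-> 10.2.2.2 flow, and `tcpdump -ni enc0` should show the client's traffic inside the tunnel while `tcpdump -ni sk0 not proto esp` shows nothing from the LAN going to 10.2.2.2 in the clear. Whether the poster's release could do this is not something the post settles.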
