On 27/10/04 6:58 pm, "Chris Wilson" <[EMAIL PROTECTED]> wrote:

> Hi all,
>
> Trying to get my head around mixing NAT and IPSEC on OpenBSD; hoping you
> folks can tell me whether I'm crazy :-)
>
> I've got IPSEC a la:
>
>   10.1.1.1/32   10.1.1.1 -------- 10.2.2.2   10.2.2.2/32
>
> (ie the encryption domain and the vpn endpoints are the same).
>
> Now I'd like the OpenBSD machine at 10.1.1.1 to be able to give users on
> its local LAN access to 10.2.2.2 through the IPSEC tunnel, NAT'ing the
> source address to 10.1.1.1

Why do you need to NAT the source packet? If you alter 10.1.1.1 to shove any
packet FROM its network TO 10.2.2.2 over IPSec, then as long as the 10.2.2.2
machine knows that any packet from the network behind 10.1.1.1 is to be
routed over the IPSec tunnel, the packets should flow freely.

Unless the network behind 10.1.1.1 has the same IP addresses as the one
behind 10.2.2.2, in which case do some kind of binat?

Or perhaps I missed the point. I usually do :)

Oliver.

--
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444

E-mails received are assumed to be for my attention, to do with as I wish.
No responsibility is accepted if communications are sent to me in error.
This disclaimer has as much legal status as yours.
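Added example, not from either poster: the two approaches the thread discusses, written in the ipsec.conf(5) and pf.conf(5) syntax of a current OpenBSD release (this syntax postdates the 2004 thread, which would have used isakmpd.conf and the older `nat on ... -> ...` pf rule form). The 10.1.1.0/24 LAN prefix, the pre-shared key and the enc0 rule ordering are assumptions. Variant A is Oliver's suggestion (widen the flows on both gateways, no NAT); variant B is Chris's original plan (keep the /32-only SA and rewrite LAN sources to 10.1.1.1 before encapsulation).

```conf
# --- Variant A (no NAT): both gateways carry the LAN prefix in their flows ---

# /etc/ipsec.conf on the 10.1.1.1 gateway
# (assumed: LAN behind it is 10.1.1.0/24, authentication by pre-shared key)
ike esp from 10.1.1.1    to 10.2.2.2 peer 10.2.2.2 psk "example-key-change-me"
ike esp from 10.1.1.0/24 to 10.2.2.2 peer 10.2.2.2 psk "example-key-change-me"

# /etc/ipsec.conf on 10.2.2.2: it must know that 10.1.1.0/24 is reached
# through the tunnel, otherwise replies leave in the clear (or not at all)
ike esp from 10.2.2.2 to 10.1.1.1    peer 10.1.1.1 psk "example-key-change-me"
ike esp from 10.2.2.2 to 10.1.1.0/24 peer 10.1.1.1 psk "example-key-change-me"

# --- Variant B (NAT): remote side is unchanged and only ever sees 10.1.1.1 ---

# /etc/ipsec.conf on 10.1.1.1: negotiate the /32 SA as before, then add a
# kernel-only flow (no IKE) that steers LAN traffic for 10.2.2.2 into the
# SA already established with that peer.
ike  esp from 10.1.1.1    to 10.2.2.2 peer 10.2.2.2 psk "example-key-change-me"
flow esp from 10.1.1.0/24 to 10.2.2.2 peer 10.2.2.2

# /etc/pf.conf on 10.1.1.1 (assumption: pf evaluates the cleartext packet on
# enc0 after the flow lookup and before ESP encapsulation, so the source
# rewrite happens inside the tunnel and the peer's /32 policy still matches)
match out on enc0 from 10.1.1.0/24 to 10.2.2.2 nat-to 10.1.1.1
pass  out on enc0 from 10.1.1.1    to 10.2.2.2 keep state
pass  in  on enc0 from 10.2.2.2    to 10.1.1.1 keep state
```

Load with `ipsecctl -f /etc/ipsec.conf` and `pfctl -f /etc/pf.conf`; `ipsecctl -sa` should then list the 10.1.1.0/24 flow alongside the /32 flow, and `tcpdump -n -i enc0` on the gateway shows whether LAN packets are being rewritten to 10.1.1.1 before they are encrypted. Verify on the peer too: in variant B it should see only 10.1.1.1 as a source. Oliver's overlap case (same addresses behind both gateways) is where `binat-to` in pf.conf(5) would replace the `nat-to` rule, with a distinct translated prefix on each side.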
