I've managed to solve a problem that was bothering me for some time now.
I decided to put this solution to the list just in case someday somebody
will be in a similar situation.

How to solve the problem described in this picture:

193.x.x.x/27                         193.y.y.y/27
   |  192.168.1.0/24                       | 192.168.2.0/24
   |    |                                  |    |
   |    |                                  |    |
   Host A ------------ tunnel ------------ Host D -----Internet
172.16.16.6                               172.16.15.6
       \                                    /
        +------ Host B ------ Host C ------+
       172.16.16.5                172.16.15.5


In short, I have two distant locations, connected with fiber, only one
has access to the internet. The client requested to have on both locations
public addressable IP space and private addressable IP space. Host A and
Host D are connected by a fiber provider, who connected both locations
with a PTP (Host B & Host C are the provider's routers).

The solution I came to (with the help of Dag Richards) is to build a gre
tunnel from Host A to Host D. Firstly I managed to access the internet using
ipsec. Dag pointed out that I should be doing NAT before ipsec.

Explanation:
packet enters
routing decision is made <- packet encrypted if matches quickmode route

egress iface chosen
NAT applied

So on the same router that can't be done in OBSD. So I left out
encryption for this part of the project, because I don't need encryption
for traffic going to the internet. The task now is to build a gre tunnel
between Host A & Host D.

Building up gre tunnel and setting up routes:

Enable on both routers:
sysctl net.inet.gre.allow=1

Host A
# cat /etc/hostname.gre0
193.x.x.x 193.z.z.z netmask 0xffffffff link1 up
tunnel 172.16.16.6 172.16.15.6
!route -qn delete default
!route -qn add -host default 193.z.z.z


Host D
# cat /etc/hostname.gre0
193.z.z.z 193.x.x.x netmask 0xffffffff link1 up
tunnel 172.16.15.6 172.16.16.6
!route add 192.168.1.0/24 193.x.x.x
!route add 193.x.x.x/27 193.x.x.x

I had to add those routes just to tell the router where to send packets
that have been natted and to route other public addressable IP space
through the tunnel.

Now I have a working tunnel, Host A can access the internet. Let's allow
others to access the internet from private addressable IP space on Host A.
As Dag pointed out, I should be doing NAT for requests coming from
192.168.1.0/24 on the end of the gre tunnel, on Host D. This should look
something like this:

nat on bge0 from 192.168.1.0/24 -> 193.x.x.x, where bge0 stands for my
external_if on Host D. Be careful to allow the gre proto in both pf.conf files.
After that I just had to connect the two LANs together with ipsec:

On host D:
ike esp from 192.168.2.0/24 to 192.168.1.0/24 peer 172.16.16.6

On Host A:
ike esp from 192.168.1.0/24 to 192.168.2.0/24 peer 172.16.15.6


Mitja
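As an added example (not part of the post above), this is the /etc/pf.conf fragment for Host D that the rules in the post imply: NAT for the remote private LAN on the external interface, GRE and isakmpd/ESP accepted only between the two tunnel endpoints, and decapsulated traffic passed on gre0 and enc0. It keeps the post's pre-4.7 `nat on` syntax and its 193.x.x.x placeholder; the name of the provider-link interface (em0) is an assumption.

```pf
# Host D /etc/pf.conf fragment (added example, to be merged into the existing ruleset)
ext_if    = "bge0"          # Internet-facing interface, as in the post
fiber_if  = "em0"           # interface toward Host C; the name is an assumption
tun_if    = "gre0"
tun_local = "172.16.15.6"   # Host D tunnel endpoint
tun_peer  = "172.16.16.6"   # Host A tunnel endpoint
lan_a     = "192.168.1.0/24"
pub_a     = "193.x.x.x"     # the post's placeholder for Host A's public address

# NAT for the remote private LAN happens here, at the far end of the GRE
# tunnel, after the packet has left gre0 and is being routed out $ext_if.
nat on $ext_if from $lan_a to any -> $pub_a

# GRE (IP protocol 47) is accepted only from the known tunnel peer, so a
# stray GRE packet from elsewhere on the provider link is not decapsulated.
pass in  quick on $fiber_if proto gre from $tun_peer  to $tun_local
pass out quick on $fiber_if proto gre from $tun_local to $tun_peer

# isakmpd key exchange (UDP 500) and ESP, again restricted to the peer.
pass in  quick on $fiber_if proto udp from $tun_peer  to $tun_local port 500 keep state
pass out quick on $fiber_if proto udp from $tun_local to $tun_peer  port 500 keep state
pass in  quick on $fiber_if proto esp from $tun_peer  to $tun_local
pass out quick on $fiber_if proto esp from $tun_local to $tun_peer

# Decapsulated traffic shows up on gre0 (plain GRE) and enc0 (IPsec).
pass quick on $tun_if
pass quick on enc0
```

Host A needs the mirror image of the gre/udp/esp rules with the endpoints swapped, but no nat rule, since its 192.168.1.0/24 traffic is translated on Host D.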
