----- Original Message -----
From: "Karl Fife" <[email protected]>
To: <[email protected]>
Sent: Wednesday, December 01, 2010 11:46 AM
Subject: Site-to-site IPsec - 1:1 NAT
I'm looking for a bit of help in an IPsec implementation.
Big picture:
We're allowing some of our vendors & fulfillment houses to connect their
agents' workstations to our Oracle database via Site-to-site IPsec:
The Problem:
The IPsec tunnel is already configured, and works great except that it
(naturally) requires that ALL of our vendors (present and future) NOT be
using the 10.0.0.8 address, neither the 10./8 subnet nor the 10.0/16
subnet. We don't want to require future vendors to renumerate their
networks!
The Question:
Is there a way that we can do site-to-site tunneling BUT make OUR end of
the IPsec tunnel (the remote end to our vendors) be a public IP address on
a /32 subnet rather than an address or subnet within our private network?
Naturally our public IP addresses are already globally unique, and routing
to one of our public addresses would eliminate present and future
numeration conflicts. The probem I'm struggling with is routing traffic
from the virtual IPsec interface to the internal database host on a
10.0/16 network
Naturally the normal NAT port forwarding rules do not apply to the virtual
IPsec interface, so it occurred to me to use 1:1 NAT to create the route
using a dedicated Virutal IP (a public IP address), but it appears that
the configurator does not offer the IPsec interface when configuring 1:1
NAT.
It also occurred to me that I might need to FIRST bridge the IPsec
interface to the WAN interface, (thereby enabling 1:1 NAT on the WAN
interface) but that also appears to be impossible, or perhaps just a
really bad idea for some reason that I'm not thinking of :-)
Is it even possible to do what I'm trying to do? Any help would be much
appreciated!
Thanks in advance!
-Karl
For the record, this is only possible using OpenVPN, not IPSec.
Thanks Chris B for your help!
-Karl
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
