Hello, I have one question regarding ipsec with NAT.
With one customer I have to set up a site2site VPN. To avoid address conflicts I'd use NAT. Because multiple of our subnets have to use the tunnel, I have this config in ipsec.conf:

    ike esp from {192.168.10.0/24 (192.168.1.0/24),192.168.10.0/24 (192.168.2.0/24),192.168.10.0/24 (192.168.3.0/24)} to 10.78.1.0/24 \
        peer <dest gateway> \
        local <my gateway> \
        main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 28800 \
        quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
        psk XXXXXXXXXX

In my pf.conf I have the NAT rules:

    match out on $if_ipsec from 192.168.1.0/24 to 10.78.1.0/24 nat-to 192.168.10.1
    match out on $if_ipsec from 192.168.2.0/24 to 10.78.1.0/24 nat-to 192.168.10.2
    match out on $if_ipsec from 192.168.3.0/24 to 10.78.1.0/24 nat-to 192.168.10.3

But when I test the tunnel, I see only packets for the subnet 192.168.3.0/24 enter the tunnel. The other subnets don't get a connection. In http://marc.info/?l=openbsd-misc&m=130951991404687&w=2 I've found that only the last definition works, in my case 192.168.3.0/24. This is what I've found out by testing.

Now my question. For me it would be great if this feature could be implemented. Is it possible to put it on the roadmap?

Thanks.

Regards,
Erwin
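The symptom described in the post (three real subnets translated to the same 192.168.10.0/24 toward the same remote network, and only the last one carried by the tunnel) can be caught by inspection before the tunnel is brought up. The following is an added Python check, not code from the post or from OpenBSD: it parses the poster's flow line and pf nat-to rules (constructed copies below), reports real subnets that share one (translated source, destination) selector, and cross-checks that each nat-to address lies inside the translated network named in the flow. The rule grammar it accepts is limited to the two forms shown in the post.

```python
import re
import ipaddress

# Constructed copies of the flow and pf rules as written in the post.
IPSEC_FLOW = (
    "ike esp from {192.168.10.0/24 (192.168.1.0/24),192.168.10.0/24 ( 192.168.2.0/24),"
    "192.168.10.0/24 (192.168.3.0/24)} to 10.78.1.0/24"
)
PF_RULES = """
match out on $if_ipsec from 192.168.1.0/24 to 10.78.1.0/24 nat-to 192.168.10.1
match out on $if_ipsec from 192.168.2.0/24 to 10.78.1.0/24 nat-to 192.168.10.2
match out on $if_ipsec from 192.168.3.0/24 to 10.78.1.0/24 nat-to 192.168.10.3
"""

def parse_flow(flow):
    """Return ([(translated_net, real_net), ...], remote_net) from a 'from {...} to X' flow."""
    m = re.search(r"from\s*\{([^}]*)\}\s*to\s*(\S+)", flow)
    if not m:
        raise ValueError("no 'from {...} to ...' clause")
    pairs = []
    for item in m.group(1).split(","):
        pm = re.fullmatch(r"\s*(\S+)\s*\(\s*(\S+)\s*\)\s*", item)  # "translated (real)"
        if not pm:
            raise ValueError(f"cannot parse flow source {item!r}")
        pairs.append((ipaddress.ip_network(pm.group(1)), ipaddress.ip_network(pm.group(2))))
    return pairs, ipaddress.ip_network(m.group(2))

def colliding_flows(flow):
    """Real subnets that share one (translated src, remote dst) selector; only one can be installed."""
    pairs, remote = parse_flow(flow)
    by_selector = {}
    for translated, real in pairs:
        by_selector.setdefault((str(translated), str(remote)), []).append(str(real))
    return {k: v for k, v in by_selector.items() if len(v) > 1}

def check_pf_nat(flow, pf_rules):
    """Cross-check pf nat-to rules against the flow; return a list of problems (empty if consistent)."""
    pairs, remote = parse_flow(flow)
    translated_for = {real: translated for translated, real in pairs}
    problems = []
    for line in pf_rules.strip().splitlines():
        m = re.match(r"match out on \S+ from (\S+) to (\S+) nat-to (\S+)", line)
        if not m:
            problems.append(f"unparsed rule: {line}")
            continue
        real, dst = ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))
        nat_ip = ipaddress.ip_address(m.group(3))
        if real not in translated_for or dst != remote:
            problems.append(f"{real} -> {dst}: no matching flow")
        elif nat_ip not in translated_for[real]:
            problems.append(f"{nat_ip} is outside translated net {translated_for[real]}")
    return problems
```

For the posted config the pf rules are consistent with the flow, while all three real subnets collapse onto the single selector 192.168.10.0/24 -> 10.78.1.0/24, which is the collision the post reports.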