Hello,

I have one question regarding ipsec with NAT.

For one customer I have to set up a site-to-site VPN. To avoid address
conflicts I'd use NAT. Because several of our subnets have to use the
tunnel, I have this config in ipsec.conf:

ike esp from { 192.168.10.0/24 (192.168.1.0/24), \
               192.168.10.0/24 (192.168.2.0/24), \
               192.168.10.0/24 (192.168.3.0/24) } to 10.78.1.0/24 \
        peer <dest gateway> \
        local <my gateway> \
        main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 28800 \
        quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
        psk XXXXXXXXXX

In my pf.conf I have the NAT rules:

match out on $if_ipsec from 192.168.1.0/24 to 10.78.1.0/24 nat-to 192.168.10.1
match out on $if_ipsec from 192.168.2.0/24 to 10.78.1.0/24 nat-to 192.168.10.2
match out on $if_ipsec from 192.168.3.0/24 to 10.78.1.0/24 nat-to 192.168.10.3

But when I test the tunnel, I only see packets from the subnet 192.168.3.0/24
entering the tunnel. The other subnets don't get a connection.

In http://marc.info/?l=openbsd-misc&m=130951991404687&w=2 I found that
only the last definition works, in my case 192.168.3.0/24. This is what
I've found out by testing as well.

Now my question: it would be great for me if this feature could be
implemented. Is it possible to put it on the roadmap?

Thanks.

Regards,
Erwin
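The symptom above (three NAT'd subnets sharing the same translated source network, and only the last one reaching the tunnel) can be spotted before the config is loaded. This is an added example, not code from the post or from OpenBSD: a small Python checker that parses the `from { A (B), ... } to C` list of an ike rule and flags entries whose post-NAT (outer) source and destination are identical, on the assumption that such entries describe one and the same flow. The peer and local addresses in the sample rule are constructed documentation addresses.

```python
import ipaddress
import re

# Constructed sample in the shape of the poster's ipsec.conf(5) rule; peer/local
# are documentation addresses, not the real gateways.
SAMPLE_RULE = """ike esp from {192.168.10.0/24 (192.168.1.0/24),192.168.10.0/24 (
192.168.2.0/24),192.168.10.0/24 (192.168.3.0/24)} to 10.78.1.0/24 \\
 peer 203.0.113.1 \\
 local 198.51.100.1"""

FLOW_RE = re.compile(r"from\s*\{(?P<src>[^}]*)\}\s*to\s+(?P<dst>\S+)")
ENTRY_RE = re.compile(r"(?P<outer>[\d./]+)\s*(?:\(\s*(?P<inner>[\d./]+)\s*\))?")


def parse_flows(rule):
    """Return [(outer_src, inner_src_or_None, dst)] for one 'ike ... from {...} to ...'
    rule. Backslash continuations and line breaks inside the braces are joined first."""
    text = " ".join(line.rstrip("\\").strip() for line in rule.splitlines())
    m = FLOW_RE.search(text)
    if not m:
        raise ValueError("no 'from {...} to ...' flow specification found")
    dst = ipaddress.ip_network(m.group("dst"))
    flows = []
    for entry in m.group("src").split(","):
        e = ENTRY_RE.fullmatch(entry.strip())
        if not e:
            raise ValueError(f"cannot parse flow entry: {entry!r}")
        outer = ipaddress.ip_network(e.group("outer"))
        inner = ipaddress.ip_network(e.group("inner")) if e.group("inner") else None
        flows.append((outer, inner, dst))
    return flows


def colliding_flows(flows):
    """Group entries by the identity a flow carries after NAT: (outer src, dst).
    Assumption: a group with several inner networks competes for a single flow."""
    by_key = {}
    for outer, inner, dst in flows:
        by_key.setdefault((outer, dst), []).append(inner)
    return {k: v for k, v in by_key.items() if len(v) > 1}


def check_rule(rule):
    """Return one warning string per colliding (outer src, dst) pair, empty if clean."""
    return [
        f"{outer} -> {dst} is claimed by {len(inners)} NAT'd networks: "
        + ", ".join(str(n) for n in inners)
        for (outer, dst), inners in colliding_flows(parse_flows(rule)).items()
    ]


if __name__ == "__main__":
    for warning in check_rule(SAMPLE_RULE) or ["no colliding flows"]:
        print(warning)
```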
