On 2015/05/08 11:05, Erwin Schliske wrote:
> Hello,
>
> I have one question regarding ipsec with NAT.
>
> With one customer I have to set up a site2site vpn. To avoid address
> conflicts I'd use NAT. Because several of our subnets have to use the
> tunnel, I have this config in ipsec.conf:
>
> ike esp from {192.168.10.0/24 (192.168.1.0/24),192.168.10.0/24 (192.168.2.0/24),192.168.10.0/24 (192.168.3.0/24)} to 10.78.1.0/24 \
>         peer <dest gateway> \
>         local <my gateway> \
>         main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 28800 \
>         quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
>         psk XXXXXXXXXX
Can you just use this?

ike esp from {192.168.10.0/24 (192.168.0.0/22)} to 10.78.1.0/24 [...]

This would mean that 192.168.0.0/24 is covered in the flow as well, but unless you also have a matching NAT rule, packets from 192.168.0.0/24 won't make it through.
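For readers following the thread, here is the flow above paired with the pf rule it depends on, as an added example that is not part of either message. The gateway addresses, the internal interface name and the PSK are placeholders, and the NAT side follows the `match out on enc0 ... nat-to` form that ipsec.conf(5) and pf.conf(5) describe for flows with a (srcnat) address; check it against the man pages on your release before relying on it.

```conf
# /etc/ipsec.conf  (added example; 203.0.113.10, 198.51.100.20 and the
# PSK are placeholders, not values from the thread)
local_gw   = "203.0.113.10"
remote_gw  = "198.51.100.20"

# 192.168.10.0/24 is what the peer sees; the address in parentheses is
# the real internal network that pf must translate into it.  The /22 covers
# 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 in one flow, but also
# 192.168.0.0/24, so the pf rule below must decide what gets translated.
ike esp from 192.168.10.0/24 (192.168.0.0/22) to 10.78.1.0/24 \
        peer $remote_gw local $local_gw \
        main  auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 28800 \
        quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
        psk "XXXXXXXXXX"

# /etc/pf.conf  (added example; $int_if is a placeholder interface name)
int_if     = "em1"
inner_nets = "{ 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 }"
remote_net = "10.78.1.0/24"
nat_pool   = "192.168.10.0/24"
local_gw   = "203.0.113.10"
remote_gw  = "198.51.100.20"

# Translate the internal sources to the pool before encapsulation on enc0.
# Only sources listed in $inner_nets are translated: a host in
# 192.168.0.0/24 matches the ipsec flow but not this rule, so it would
# enter the tunnel untranslated.  Three inner /24s sharing one /24 pool
# means there is no fixed 1:1 address mapping; pf picks pool addresses
# according to the pool options in pf.conf(5).
match out on enc0 from $inner_nets to $remote_net nat-to $nat_pool

pass in  on $int_if from $inner_nets to $remote_net
pass out on enc0 to $remote_net
pass in  on enc0 from $remote_net

# IKE and ESP between the two gateways.
pass in on egress proto udp from $remote_gw to $local_gw port { isakmp, ipsec-nat-t }
pass in on egress proto esp from $remote_gw to $local_gw
```

Check both files with `ipsecctl -n -f /etc/ipsec.conf` and `pfctl -nf /etc/pf.conf` before loading them, and use `ipsecctl -sa` afterwards to confirm that flows for both the pool network and the internal network were installed. The reply's caveat comes down to keeping the two source lists consistent: every internal network the flow's (srcnat) address covers must also appear in the pf `nat-to` rule, or hosts in the uncovered part of the range match the flow without being translated.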