On 2015/05/08 11:05, Erwin Schliske wrote:
> Hello,
>
> I have one question regarding ipsec with NAT.
>
> With one customer I have to set up a site2site vpn. To avoid address
> conflicts I'd use NAT. Because multiple of our subnets have to use the
> tunnel, I have this config in ipsec.conf:
>
> ike esp from {192.168.10.0/24 (192.168.1.0/24),192.168.10.0/24 (
> 192.168.2.0/24),192.168.10.0/24 (192.168.3.0/24)} to 10.78.1.0/24 \
> peer <dest gateway> \
> local <my gateway> \
> main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 28800 \
> quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
> psk XXXXXXXXXX
Can you just use this?
ike esp from {192.168.10.0/24 (192.168.0.0/22)} to 10.78.1.0/24 [...]
This would mean that 192.168.0.0/24 is covered in the flow as well, but
unless you also have a matching NAT rule, packets from 192.168.0.0 won't
make it through.
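Written out as an added example (not part of the original thread): the consolidated flow suggested above together with the matching pf.conf(5) nat-to rule it needs. The enc0 interface name, the placeholder gateway addresses and the exact pf rule form are assumptions; only the ipsec.conf flow syntax comes from the thread.

```conf
# ipsec.conf: one flow whose (srcnat) covers all four /24s of 192.168.0.0/22,
# translated to 192.168.10.0/24 before they enter the tunnel (assumed layout).
ike esp from 192.168.10.0/24 (192.168.0.0/22) to 10.78.1.0/24 \
        peer <dest gateway> \
        local <my gateway> \
        main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 28800 \
        quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
        psk XXXXXXXXXX

# pf.conf: the NAT rule the flow relies on (assumed form, enc0 assumed).
# Listing only the three subnets actually in use means 192.168.0.0/24,
# although inside the flow, has no translation and is not passed through.
match out on enc0 from { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 } \
        to 10.78.1.0/24 nat-to 192.168.10.0/24
```

Reload both with `pfctl -f /etc/pf.conf` and `ipsecctl -f /etc/ipsec.conf`, then check the installed flows with `ipsecctl -sf` to confirm the /22 appears on the source side.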