> On 04/10/2016, at 18:48, Pavel Korovin <p...@tristero.se> wrote:
>
> On 10/04, Zé Loff wrote:
>>> On 04/10/2016, at 11:58, Pavel Korovin <p...@tristero.se> wrote:
>>>
>>>> On 10/04, Zé Loff wrote:
>>>> On "the wanderer" iked.conf:
>>>>
>>>> ikev2 home active esp \
>>>>     from egress to 192.168.99.0/24 \
>>>>     local egress peer vpn.example.com \
>>>>     srcid dion.example.com dstid vpn.example.com
>>>>
>>>> On the "wanderer" pf.conf:
>>>>
>>>> match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port
>>>
>>> Zé, do you have an interface with the address 192.168.100.3 on your
>>> wanderer?
>>
>> No
>
> Then how does your pf rewrite the address to 192.168.100.3? I believe there
> must be an interface with the address specified in the rewrite rules.
> Otherwise, the pf rule won't do anything.
> Did you check the "tcpdump -i enc0" output?
Hey, like I said, it works for me. I don't know enough to give you a proper answer to that, I just know that it works like this. I could speculate, but it would probably amount to noise, so I won't.

Also, like I indicated, adding srcnat to the roaming machine's iked.conf breaks the setup for me, as the tunnel is established but nothing goes through.

> --
> With best regards,
> Pavel Korovin